Good afternoon Mr. Simpkins. I have reviewed your comments, with respect to my earlier answers to your original questions.
I have summarized my research below, in the form of (rough-cut) change proposals for the [MS-SPNG] and [MS-SMB] documents. I certainly invite you to suggest amendments, changes, and so forth, to ensure the change requests I will submit to documentation development satisfy your needs fully (there was quite a bit of earlier detail to parse; hopefully I haven't missed anything).

-----------------------------------------------------------------------------
[MS-SPNG]: Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions

Change:
3.1.5.2 mechTypes Identification of Kerberos
<5>

To:
3.1.5.2 mechTypes Identification of Kerberos
Windows XP, Windows Server 2003, Windows Vista, and Windows Server offer and receive the mechType 1.2.840.113554.1.2.2 (Generic Security Service Application Program Interface) when using Kerberos Version 5 technology), { iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) krb5(2) }.<5>

-----------------------------------------------------------------------------
[MS-SMB]: Server Message Block (SMB) Protocol Specification

3.2.4.2.3 User Authentication
Add a <Windows Behavior #> reference (suggested text shown below) to the 'Extended Security' subtopic.

<Windows Behavior #>
Windows accepts raw NTLM messages that are not embedded in [RFC4178] SPNEGO messages ([MS-SPNG] 3.2.5.2 Universal Receiver) in the SecurityBlob of an SMB_COM_SESSION_SETUP_ANDX request packet. This was introduced in the NTLMv2 implementation of Windows NT 4 Service Pack 4.

Note: See the attached:
  raw_ntlmssp.cap frame 7.

GSSAPI/SPNEGO support for Kerberos and NTLMSSP was introduced in Windows 2000. [RFC4178] section 3.2 (c)' implies a new inner context should be established. This is done with Kerberos, but not with NTLMSSP. Additionally, Windows does not accept GSS InitialContextTokens containing NTLMSSP within a new inner context.

Note: See the attached:
  spnego_krb.cap frame 7
  spnego_ntlmssp.cap frame 6.
  gss_ntlmssp.cap frame 7 (server responds with STATUS_INVALID_PARAMETER)

-----------------------------------------------------------------------------
Detail from Captures.zip.bin (attached):

raw_ntlmssp.cap frame 7: [Windows XpSp3 to Windows 2003]

- Smb: C; Session Setup Andx
    Protocol: SMB
    Command: Session Setup Andx 115(0x73)
  + NTStatus: 0x0, Facility = FACILITY_SYSTEM, Severity = STATUS_SEVERITY_SUCCESS, Code = (0) STATUS_SUCCESS
  - SMBHeader: Command, TID: 0x0000, PID: 0xFEFF, UID: 0x0000, MID: 0x0040
    - Flags: 24 (0x18)
        CaseInsensitive: (....1...) SMB paths are case-insensitive (SMB_FLAGS_CASE_INSENSITIVE)
        Canonicalized: (...1....) Canonicalized File and pathnames (Obsolete) (SMB_FLAGS_CANONICALIZED_PATHS)
        FromServer: (0.......) Command - SMB is being sent from the client (SMB_FLAGS_SERVER_TO_REDIR)
    - Flags2: 51207 (0xC807)
        KnowsLongFiles: (...............1) Understands Long File Names (SMB_FLAGS2_KNOWS_LONG_NAMES)
        ExtendedAttribs: (..............1.) Understands extended attributes (SMB_FLAGS2_KNOWS_EAS)
        SignEnabled: (.............1..) Security signatures enabled (SMB_FLAGS2_SMB_SECURITY_SIGNATURE)
        ExtSecurity: (....1...........) Aware of extended security (SMB_FLAGS2_EXTENDED_SECURITY)
        StatusCodes: (.1..............) Using 32-bit NT status error codes (SMB_FLAGS2_NT_STATUS)
        Unicode: (1...............) Using UNICODE strings (SMB_FLAGS2_UNICODE)
    + TCPIPSecuritySignature:
      Reserved: 0 (0x0)
      TreeID: 0 (0x0)
      ProcessID: 65279 (0xFEFF)
      UserID: 0 (0x0)
      MultiplexID: 64 (0x40)
  - CSessionSetupAndXNTLMESS:
      WordCount: 12 (0xC)
      ANDXCommand: No Secondary Command 255(0xFF)
      AndXReserved: 0 (0x0)
      ANDXOffset: 202 (0xCA)
      MaxBufferSize: 4356 (0x1104)
      MaxMpxCount: 50 (0x32)
      VcNumber: 0 (0x0)
      SessionKey: 0 (0x0)
      SecurityBlobLength: 40 (0x28)
      Reserved: 0 (0x0)
    - Capabilities: 0xA00000D4
        Unicode: (.............................1..) Supports Unicode Strings (CAP_UNICODE)
        NTSMBs: (...........................1....) Supports SMB NTLM 0.12 dialect commands (implies CAP_NT_FIND) (CAP_NT_SMBS)
        NTStatus: (.........................1......) Can respond with 32-bit NT status codes in Status (CAP_NT_STATUS)
        LevelIIOplocks: (........................1.......) Supports Level II oplocks ( CAP_LEVEL_II_OPLOCKS)
        DynamicReauth: (..1.............................) Supports dynamic reauthorization (CAP_DYNAMIC_REAUTH)
        ExtenedSecurity: (1...............................) Supports extended security exchange (CAP_EXTENDED_SECURITY)
      ByteCount: 143 (0x8F)
      SecurityBlob:
    - UnicodeParameters:
      + Align: 0 Bytes
        NativeOS: Windows 2002 Service Pack 3 2600
        NativeLANMan: Windows 2002 5.1
      ANDXPadding: Binary Large Object (2 Bytes)
- NtlmSSP: NTLM NEGOTIATE MESSAGE
    Signature: NTLMSSP
    MessageType: Negotiate Message (0x00000001)
  - NtlmsspNegotiateMessage:
    + NegotiateFlags: 0xA2088207 (NTLM v2128-bit encryption, Always Sign)
    + WorkstationDomainHeader: Length: 0, Offset: 0
    + WorkstationNameHeader: Length: 0, Offset: 0
    + Version: Windows 5.1 Build 10250 NTLMSSPv15

spnego_ntlmssp.cap frame 6: [Windows XpSp3 to Windows 2003]

- GssApi:
  + ApplicationHeader:
  + ThisMech: SpnegoToken (1.3.6.1.5.5.2) ([RFC2078])
  - InnerContextToken: 0x1
    - SpnegoToken: 0x1
      + Tag0:
      - NegTokenInit: ([RFC2478] NegotiationToken, negTokenInit [0] NegTokenInit)
        + SequenceHeader:
        + Tag0:
        - MechTypes: ([RFC2478] mechTypes [0] MechTypeList OPTIONAL)
          + SequenceHeader:
          + MechType: NtlmSsp (1.3.6.1.4.1.311.2.2.10)
        + Tag2: ([RFC2478] mechToken [2] OCTET STRING OPTIONAL)
        + OctetStringHeader:
          MechToken: 0x1 (NtlmSsp: NTLM NEGOTIATE MESSAGE)
- NtlmSsp: NTLM NEGOTIATE MESSAGE
    Signature: NTLMSSP
    MessageType: Negotiate Message (0x00000001)
  - NtlmsspNegotiateMessage:
    + NegotiateFlags: 0xE2088297 (NTLM v2128-bit encryption, Always Sign)
    + WorkstationDomainHeader: Length: 0, Offset: 0
    + WorkstationNameHeader: Length: 0, Offset: 0
    + Version: Windows 5.1 Build 10250 NTLMSSPv15

spnego_krb.cap frame 7: [Windows XpSp3 to Windows 2003]

- GssApi:
  + ApplicationHeader:
  + ThisMech: SpnegoToken (1.3.6.1.5.5.2)
  - InnerContextToken: 0x1
    - SpnegoToken: 0x1
      + Tag0:
      - NegTokenInit: ([RFC2478] NegotiationToken, negTokenInit [0] NegTokenInit)
        + SequenceHeader:
        + Tag0:
        + MechTypes: ([RFC2478] mechTypes [0] MechTypeList OPTIONAL)
        + Tag2: ([RFC2478] mechToken [2] OCTET STRING OPTIONAL)
        + OctetStringHeader:
        - MechToken: 0x1
          + MsKerberosToken: 0x1
          - GssApi: ([RFC4178] section 3.2 (c))
            + ApplicationHeader:
            + ThisMech: KerberosToken (1.2.840.113554.1.2.2)
            + InnerContextToken: 0x1

gss_ntlmssp.cap frame 7 (server responds with STATUS_INVALID_PARAMETER): [Windows XpSp3 to Windows 2003]

- SecurityBlob:
  - GssApi:
    - ApplicationHeader:
      + AsnId: Application Constructed Tag (0)
      + AsnLen: Length = 44, LengthOfLength = 0
    - ThisMech: NtlmSsp (1.3.6.1.4.1.311.2.2.10)
      + MechType: NtlmSsp (1.3.6.1.4.1.311.2.2.10)
      InnerContextToken: 0x1
+ UnicodeParameters:
  ANDXPadding: Binary Large Object (2 Bytes)
- NtlmSsp: NTLM NEGOTIATE MESSAGE
    Signature: NTLMSSP
    MessageType: Negotiate Message (0x00000001)
  - NtlmsspNegotiateMessage:
    + NegotiateFlags: 0xA0000217 (NTLM v1128-bit encryption, , Sign)
    + WorkstationDomainHeader: Length: 0, Offset: 0
    + WorkstationNameHeader: Length: 0, Offset: 0

Regards,
Bill Wesse
MCSE / Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL: 980-776-8200
CELL: 704-661-5438
FAX: 704-665-9606
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
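
Added example, not part of the original message or of the [MS-SMB]/[MS-SPNG] documents: a Python classifier for the SecurityBlob of an SMB_COM_SESSION_SETUP_ANDX request, separating the framings the message compares (raw NTLMSSP, a GSS-API InitialContextToken whose thisMech is SPNEGO or Kerberos, and one whose thisMech is NTLMSSP itself). All function names are hypothetical, and the sample blobs are constructed from the field values shown in the capture detail, not extracted from the attached captures.

```python
import struct

# DER content octets of the mechanism OIDs named in the message.
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = {OID_SPNEGO: "spnego", OID_KRB5: "kerberos", OID_NTLMSSP: "ntlmssp"}
NTLM_SIG = b"NTLMSSP\x00"

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of the value)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("indefinite, oversized or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _ntlm_type(buf):
    """MessageType of an NTLMSSP message, or None if buf is not one."""
    if buf.startswith(NTLM_SIG) and len(buf) >= 12:
        return struct.unpack_from("<I", buf, 8)[0]
    return None

def classify_security_blob(blob):
    """Return (framing, thisMech name, NTLMSSP MessageType or None)."""
    if blob.startswith(NTLM_SIG):                 # raw_ntlmssp.cap style
        return ("raw", "ntlmssp", _ntlm_type(blob))
    try:
        if blob[0] != 0x60:                       # [APPLICATION 0] InitialContextToken
            return ("unknown", None, None)
        total, pos = _der_len(blob, 1)
        if pos + total > len(blob) or blob[pos] != 0x06:  # thisMech must be an OID
            return ("malformed", None, None)
        oid_len, pos = _der_len(blob, pos + 1)
    except (IndexError, ValueError):
        return ("malformed", None, None)
    mech = MECHS.get(blob[pos:pos + oid_len], "other")
    inner = blob[pos + oid_len:]
    # gss_ntlmssp.cap style: NTLMSSP placed directly as the inner context token
    return ("gss", mech, _ntlm_type(inner) if mech == "ntlmssp" else None)

def sample_negotiate(flags):
    """Constructed 32-byte NEGOTIATE_MESSAGE with empty domain/workstation fields."""
    return NTLM_SIG + struct.pack("<II", 1, flags) + bytes(16)

def gss_wrap(oid, inner):
    """Constructed InitialContextToken (short-form lengths only, body < 128 bytes)."""
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body
```

A result of `("gss", "ntlmssp", 1)` corresponds to the gss_ntlmssp.cap case, which the message reports the server answering with STATUS_INVALID_PARAMETER; `("raw", "ntlmssp", 1)` corresponds to the raw_ntlmssp.cap case that Windows accepts.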