Hi, The data is encrypted so a network trace is useless unless I also provide a kerberos keytab file containing the secret key. I cant do that unfortunately.
Instead I attach a decrypted packet from wireshark : The blob that starts with : Decrypted Krb5 (1094 bytes): is the decrypted data in the EncTicketPart blob of the Ticket. Towards the end of this decrypted structure we will have authorization-data [10] AuthorizationData OPTIONAL This starts at offset 0x00b1 with the tag 0xaa The actual PAC_INFO_BUFFER type 12 starts at offset 0x0358 into this blob. I will paste this blob below for easy reference : 0350 .. .. .. .. .. .. .. .. 30 00 10 00 14 00 40 00 0360 01 00 00 00 00 00 00 00 41 00 64 00 6d 00 69 00 0370 6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00 0380 72 00 40 00 76 00 73 00 6f 00 66 00 73 00 38 00 0390 2e 00 63 00 6f 00 6d 00 56 00 53 00 4f 00 46 00 03a0 53 00 38 00 2e 00 43 00 4f 00 4d 00 30 00 : length 10 00 : offset 14 00 : length 40 00 : offset 01 00 00 00 : this would be the flags field but it is not all zero 00 00 00 00 : padding ? 41 00 64 00 6d 00 69 00 the two strings 6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00 72 00 40 00 76 00 73 00 6f 00 66 00 73 00 38 00 2e 00 63 00 6f 00 6d 00 56 00 53 00 4f 00 46 00 53 00 38 00 2e 00 43 00 4f 00 4d 00 regards ronnie sahlberg No. Time Source Destination Protocol Info 20 0.068702 10.0.0.218 10.0.1.101 SMB Session Setup AndX Request Frame 20 (194 bytes on wire, 194 bytes captured) Ethernet II, Src: Xensourc_00:88:6c (00:16:3e:00:88:6c), Dst: 00:ff:0e:54:92:d7 (00:ff:0e:54:92:d7) Internet Protocol, Src: 10.0.0.218 (10.0.0.218), Dst: 10.0.1.101 (10.0.1.101) Transmission Control Protocol, Src Port: 49224 (49224), Dst Port: 445 (445), Seq: 1609, Ack: 182, Len: 140 [Reassembled TCP Segments (1600 bytes): #19(1460), #20(140)] NetBIOS Session Service SMB (Server Message Block Protocol) SMB Header Session Setup AndX Request (0x73) Word Count (WCT): 12 AndXCommand: No further commands (0xff) Reserved: 00 AndXOffset: 0 Max Buffer: 16644 Max Mpx Count: 50 VC Number: 0 Session Key: 0x00000000 Security Blob Length: 1532 Reserved: 00000000 Capabilities: 0xa00000d4 Byte Count (BCC): 1537 Security Blob: 608205F806062B0601050502A08205EC308205E8A0243022... GSS-API Generic Security Service Application Program Interface OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation) SPNEGO negTokenInit mechTypes: 3 items mechToken: 608205B606092A864886F71201020201006E8205A5308205... krb5_blob: 608205B606092A864886F71201020201006E8205A5308205... KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5) krb5_tok_id: KRB5_AP_REQ (0x0001) Kerberos AP-REQ Pvno: 5 MSG Type: AP-REQ (14) Padding: 0 APOptions: 20000000 (Mutual required) Ticket Tkt-vno: 5 Realm: VSOFS8.COM Server Name (Service and Instance): cifs/jens1.vsofs8.com enc-part rc4-hmac Encryption type: rc4-hmac (23) Kvno: 5 enc-part: 468AD4B329BBA42CA8ECF32270D88F5FFB89B79CCC67D17F... [Decrypted using: keytab principal [EMAIL PROTECTED] EncTicketPart Padding: 0 Ticket Flags (Forwardable, Renewable, Pre-Auth) key rc4-hmac Client Realm: VSOFS8.COM Client Name (Principal): Administrator TransitedEncoding DOMAIN-X500-COMPRESS Authtime: 2008-08-14 03:08:50 (UTC) Start time: 2008-08-14 03:14:07 (UTC) End time: 2008-08-14 13:08:50 (UTC) Renew-till: 2008-08-21 03:08:50 (UTC) AuthorizationData AD-IF-RELEVANT Type: AD-IF-RELEVANT (1) Data: 308203123082030EA00402020080A1820304048203000500... IF_RELEVANT AD-Win2k-PAC Type: AD-Win2k-PAC (128) Data: 050000000000000001000000F80100005800000000000000... Num Entries: 5 Version: 0 Type: Logon Info (1) Size: 504 Offset: 88 PAC_LOGON_INFO: 01100800CCCCCCCCE8010000000000000000020090D4CD12... Type: Client Info Type (10) Size: 36 Offset: 592 PAC_CLIENT_INFO_TYPE: 000D0713BBFDC8011A00410064006D0069006E0069007300... Type: UPN DNS Info (12) Size: 88 Offset: 632 UPN_DNS_INFO: 30001000140040000100000000000000410064006D006900... UPN Len: 48 UPN Offset: 16 DNS Len: 20 DNS Offset: 64 Flags: 0x00000001 UPN Name: [EMAIL PROTECTED] DNS Name: VSOFS8.COM Type: Server Checksum (6) Size: 20 Offset: 720 PAC_SERVER_CHECKSUM: 76FFFFFFCC47C321EEC28C824A4085BD00A6DF17 Type: Privsvr Checksum (7) Size: 20 Offset: 744 PAC_PRIVSVR_CHECKSUM: 76FFFFFF36E3634ADE7101225906729E20F0D7BC AuthorizationData AD-IF-RELEVANT Type: AD-IF-RELEVANT (1) Data: 3041303FA0040202008DA137043530333031A003020100A1... IF_RELEVANT 0x8d Type: Unknown (141) Data: 30333031A003020100A12A04280000000000300000247BE4... Authenticator rc4-hmac Native OS: Native LAN Manager: Frame (194 bytes): 0000 00 ff 0e 54 92 d7 00 16 3e 00 88 6c 08 00 45 00 ...T....>..l..E. 0010 00 b4 02 da 40 00 80 06 e1 2b 0a 00 00 da 0a 00 [EMAIL PROTECTED] 0020 01 65 c0 48 01 bd 18 ac 76 5c f2 15 99 ba 50 18 .e.H....v\....P. 0030 3f fb e6 df 00 00 3f 6f 77 d4 5e cc eb 9b 1a df ?.....?ow.^..... 0040 94 5a 12 a9 c4 37 96 eb f7 1a 07 ba d3 43 01 a5 .Z...7.......C.. 0050 4a 0c 77 aa 23 d3 34 bf 67 a0 21 19 51 3e 27 41 J.w.#.4.g.!.Q>'A 0060 d8 f8 bf 74 47 96 5b f2 35 0b e6 b2 3f 37 f4 bf ...tG.[.5...?7.. 0070 a6 ae cd 1b 69 de c2 d5 ca bf 09 44 a1 e3 d6 4c ....i......D...L 0080 54 61 c4 c1 6f 65 93 4f 06 41 ec 29 61 6c 6a 55 Ta..oe.O.A.)aljU 0090 47 8c 88 cb 86 23 cf 59 1e e4 86 2d 3a 5b fa 59 G....#.Y...-:[.Y 00a0 7a 04 da 59 b5 fd 07 2c 65 8f 44 3b 19 76 23 47 z..Y...,e.D;.v#G 00b0 d4 85 7f 0d 58 33 78 5c 69 cb c0 57 ef 00 00 00 ....X3x\i..W.... 00c0 00 00 .. Reassembled TCP (1600 bytes): 0000 00 00 06 3c ff 53 4d 42 73 00 00 00 00 18 07 c8 ...<.SMBs....... 0010 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff fe ................ 0020 00 00 40 00 0c ff 00 00 00 04 41 32 00 00 00 00 [EMAIL PROTECTED] 0030 00 00 00 fc 05 00 00 00 00 d4 00 00 a0 01 06 60 ...............` 0040 82 05 f8 06 06 2b 06 01 05 05 02 a0 82 05 ec 30 .....+.........0 0050 82 05 e8 a0 24 30 22 06 09 2a 86 48 82 f7 12 01 ....$0"..*.H.... 0060 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a 2b ....*.H........+ 0070 06 01 04 01 82 37 02 02 0a a2 82 05 be 04 82 05 .....7.......... 0080 ba 60 82 05 b6 06 09 2a 86 48 86 f7 12 01 02 02 .`.....*.H...... 0090 01 00 6e 82 05 a5 30 82 05 a1 a0 03 02 01 05 a1 ..n...0......... 00a0 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 04 ......... ...... 00b0 a0 61 82 04 9c 30 82 04 98 a0 03 02 01 05 a1 0c .a...0.......... 00c0 1b 0a 56 53 4f 46 53 38 2e 43 4f 4d a2 23 30 21 ..VSOFS8.COM.#0! 00d0 a0 03 02 01 02 a1 1a 30 18 1b 04 63 69 66 73 1b .......0...cifs. 00e0 10 6a 65 6e 73 31 2e 76 73 6f 66 73 38 2e 63 6f .jens1.vsofs8.co 00f0 6d a3 82 04 5c 30 82 04 58 a0 03 02 01 17 a1 03 m...\0..X....... 0100 02 01 05 a2 82 04 4a 04 82 04 46 46 8a d4 b3 29 ......J...FF...) 0110 bb a4 2c a8 ec f3 22 70 d8 8f 5f fb 89 b7 9c cc ..,..."p.._..... 0120 67 d1 7f ba 90 2e 2d e5 3c 11 30 16 25 c3 bf 36 g.....-.<.0.%..6 0130 fb e6 3b 79 8c bc ea ab 47 29 e2 7e 1c 3b 9f f7 ..;y....G).~.;.. 0140 14 15 18 17 fe b9 ee c4 8d 05 99 6c a5 c2 01 28 ...........l...( 0150 da 2c ce d1 70 1c 8a bc ee 48 1c 47 be cc d1 d4 .,..p....H.G.... 0160 80 79 e1 c2 d0 9a 42 22 4b c0 90 6e cc 90 86 19 .y....B"K..n.... 0170 1a 74 9b d5 bc b9 d6 47 b4 65 52 8a f2 8c 35 59 .t.....G.eR...5Y 0180 1d a4 45 89 c8 5b d4 b5 b4 0b 7a ab 95 c5 43 94 ..E..[....z...C. 0190 8e ee bb d7 9b 47 de 19 2a d4 bf ff 2d 7c e5 bf .....G..*...-|.. 01a0 1a b7 11 d1 a4 f5 ca 5f 4e 30 a1 17 27 7f 20 ec ......._N0..'. . 01b0 e8 03 89 b2 8e 04 a9 23 29 5d 90 21 08 10 f8 11 .......#)].!.... 01c0 c9 b8 49 f0 5b d9 9e 63 8f 28 13 e1 04 d8 0b c0 ..I.[..c.(...... 01d0 3e eb 71 62 28 ec 3a 36 8a f4 3d 6a 70 4c 17 3b >.qb(.:6..=jpL.; 01e0 b9 5e 6c 80 db f6 80 20 0c 58 7d f6 d2 52 7f 0b .^l.... .X}..R.. 01f0 51 27 97 92 a1 3d 4c 2c 7a dd ad 31 52 be d2 01 Q'...=L,z..1R... 0200 16 16 1a bc 2d 9d 17 ec 03 7a 7b d5 a9 3a 95 48 ....-....z{..:.H 0210 10 8a 01 fc e6 cc ff 27 2b fc cb 5e c8 38 32 85 .......'+..^.82. 0220 70 40 17 d6 cc 9a ca 7b f5 ad 45 27 3d 0a 54 23 [EMAIL PROTECTED]'=.T# 0230 94 c5 f1 e1 f2 b6 fe d3 dd b7 81 c1 ca 6f 01 f3 .............o.. 0240 61 08 8e 25 ee 33 a3 06 16 0b b0 95 5a 9a e5 06 a..%.3......Z... 0250 e3 19 26 fd 1c 80 9e 70 af 5b 61 5a 44 07 9d 29 ..&....p.[aZD..) 0260 96 09 3d 29 ea 85 bc be 3f 73 c8 fc 02 e1 0f b6 ..=)....?s...... 0270 9d 7d be 49 3d a0 8b b0 1b 49 e1 79 8c c2 c6 c6 .}.I=....I.y.... 0280 c2 b0 fe 6f a9 bb 57 e5 86 b7 fa c1 f1 6c 24 31 ...o..W......l$1 0290 b3 4a bb bb 84 ab 49 99 93 e7 b4 fb eb 6e 31 b0 .J....I......n1. 02a0 09 57 17 11 03 f1 56 29 0b 0d c6 60 6e af 3c 46 .W....V)...`n.<F 02b0 35 76 0f 5a 7c 7b d4 d8 ed 30 af ae d1 8d 1d a9 5v.Z|{...0...... 02c0 f2 1d e8 8f 0c d1 3d 90 cc aa 62 06 fc be 59 65 ......=...b...Ye 02d0 82 ec 12 2a 34 39 29 f1 92 fc d5 85 98 bf 39 52 ...*49).......9R 02e0 c0 0c 15 c5 8d 91 84 fd b8 69 b2 3c 07 90 c1 a3 .........i.<.... 02f0 90 89 4a 50 dd a4 a9 2c 22 47 1c 5a ee 11 c8 97 ..JP...,"G.Z.... 0300 cf 8d ff b2 8d 3d 53 f1 55 ed 00 27 70 41 e9 7f .....=S.U..'pA.. 0310 f6 e7 16 6c 40 32 68 25 aa 2b 35 e8 09 71 ac 0f [EMAIL PROTECTED] 0320 c0 f9 2a 93 f6 d1 3e 5d 9f 05 50 35 28 5e 01 85 ..*...>]..P5(^.. 0330 d4 54 31 ed 87 17 cb c2 20 29 ed 32 01 f8 fe 63 .T1..... ).2...c 0340 68 4c 89 da 02 4d 7e 3f b3 0f e9 0b b6 1d a1 b1 hL...M~?........ 0350 23 d4 67 08 78 80 85 88 ac 31 9f ce a2 6e 25 f7 #.g.x....1...n%. 0360 85 63 cb a9 0c a7 de 8b 93 34 39 1c 4a c2 9a b0 .c.......49.J... 0370 30 d1 1a 6c 9a b1 8e 17 b9 a4 68 ad 93 65 67 4d 0..l......h..egM 0380 63 3a dd 7b a0 df 3b 98 a9 57 da 55 15 74 3a 6f c:.{..;..W.U.t:o 0390 f0 b0 c3 74 1a c6 a4 93 23 0e c0 1c 77 5a 79 8f ...t....#...wZy. 03a0 34 e6 77 88 fe 01 09 9e 7c fb 2e db 89 15 92 e1 4.w.....|....... 03b0 08 25 2a bd 32 fa 29 af 45 b3 ea db e3 80 8e d5 .%*.2.).E....... 03c0 35 90 64 4f 19 50 72 32 12 b8 82 a5 09 e6 40 31 [EMAIL PROTECTED] 03d0 51 ce 0d f7 9f 6c 14 cc e3 da 9d ce 9e cf c9 58 Q....l.........X 03e0 94 34 6c 47 65 9b 0a ea ee 66 4f 97 1b 32 9f ea .4lGe....fO..2.. 03f0 c9 f8 14 e3 92 52 95 49 4e 26 bd de c2 3b c8 a0 .....R.IN&...;.. 0400 39 41 96 78 43 05 43 97 91 1d ee 82 b2 99 7e 43 9A.xC.C.......~C 0410 b0 6d 7f 4b bf a0 77 00 b8 fa aa 1a d4 dd b0 6f .m.K..w........o 0420 02 5c fc dc f2 39 c2 d1 83 36 a5 9d 93 73 02 55 .\...9...6...s.U 0430 c9 d4 05 97 43 2d ea a8 c9 b5 5e 60 2f 9c 50 94 ....C-....^`/.P. 0440 02 de 9a a8 a9 63 56 18 37 27 37 09 b5 3d 0c 88 .....cV.7'7..=.. 0450 f9 69 f6 3d 2e 47 81 3b 6e 4c 85 78 d3 5e e1 1d .i.=.G.;nL.x.^.. 0460 34 a6 7e 16 bc 08 45 2a 6f c8 3e 87 a9 1b 2c 0f 4.~...E*o.>...,. 0470 ee c1 29 c6 95 f6 7f 34 fa 2d ea 19 22 7b 8c a9 ..)....4.-.."{.. 0480 64 c2 e0 2a dc 37 d9 54 30 aa e3 91 19 71 5d 35 d..*.7.T0....q]5 0490 4b 00 73 b1 d0 13 6a d6 84 de 2e a2 28 bb 75 1b K.s...j.....(.u. 04a0 96 5d b9 e2 fd c8 8b 99 62 4d b8 0c 06 bb f0 13 .]......bM...... 04b0 16 16 3d fc 6c 45 81 aa ca 6e 9a 2d 4f 4a 73 ee ..=.lE...n.-OJs. 04c0 6e 14 b1 d4 6d 59 1e b7 94 20 71 5e 0f 1a fd e8 n...mY... q^.... 04d0 84 48 4b 06 5c d5 b8 66 41 45 6b 2f 05 c4 92 4d .HK.\..fAEk/...M 04e0 58 fb 1b 6d 38 b8 03 58 be 02 b1 dd 44 ce 45 ba X..m8..X....D.E. 04f0 61 08 fa 8b 1e 2f b2 3d 05 2f 57 06 d4 cb 40 15 a..../.=./[EMAIL PROTECTED] 0500 10 6a e2 b5 a3 6c bd 7c dc 06 6e 86 ad bc 43 94 .j...l.|..n...C. 0510 1e 65 41 14 67 e1 bc 55 f6 d5 12 69 1b 47 f9 1b .eA.g..U...i.G.. 0520 22 93 11 a7 0d 62 1f 6d 00 dc f1 33 1e 26 08 0f "....b.m...3.&.. 0530 6d f1 00 81 70 b8 cb ef 4a 89 18 36 f2 27 24 9d m...p...J..6.'$. 0540 20 92 b3 5b ca f1 0e 89 34 7d c1 3c e2 d7 3e 26 ..[....4}.<..>& 0550 86 a4 81 e7 30 81 e4 a0 03 02 01 17 a2 81 dc 04 ....0........... 0560 81 d9 28 0e 09 68 39 03 00 aa 47 d1 3c 16 a6 c5 ..(..h9...G.<... 0570 80 67 e9 bc 68 6d 2e 71 55 98 75 54 d9 11 e0 34 .g..hm.qU.uT...4 0580 00 a5 b9 79 f1 cf 40 83 94 ac 54 7e 19 45 aa 9e [EMAIL PROTECTED] 0590 c7 4d 6e 1c 9d 9b 85 f6 6c 64 9c 97 c1 59 ca 9e .Mn.....ld...Y.. 05a0 81 3f 0d d3 cf 30 eb 5a 68 0a 45 49 e4 df 63 51 .?...0.Zh.EI..cQ 05b0 6b 7d 13 d3 3f 6f 77 d4 5e cc eb 9b 1a df 94 5a k}..?ow.^......Z 05c0 12 a9 c4 37 96 eb f7 1a 07 ba d3 43 01 a5 4a 0c ...7.......C..J. 05d0 77 aa 23 d3 34 bf 67 a0 21 19 51 3e 27 41 d8 f8 w.#.4.g.!.Q>'A.. 05e0 bf 74 47 96 5b f2 35 0b e6 b2 3f 37 f4 bf a6 ae .tG.[.5...?7.... 05f0 cd 1b 69 de c2 d5 ca bf 09 44 a1 e3 d6 4c 54 61 ..i......D...LTa 0600 c4 c1 6f 65 93 4f 06 41 ec 29 61 6c 6a 55 47 8c ..oe.O.A.)aljUG. 0610 88 cb 86 23 cf 59 1e e4 86 2d 3a 5b fa 59 7a 04 ...#.Y...-:[.Yz. 0620 da 59 b5 fd 07 2c 65 8f 44 3b 19 76 23 47 d4 85 .Y...,e.D;.v#G.. 0630 7f 0d 58 33 78 5c 69 cb c0 57 ef 00 00 00 00 00 ..X3x\i..W...... Decrypted Krb5 (1094 bytes): 0000 63 82 04 2a 30 82 04 26 a0 07 03 05 00 40 a0 00 c..*0..&[EMAIL PROTECTED] 0010 00 a1 1b 30 19 a0 03 02 01 17 a1 12 04 10 a1 fe ...0............ 0020 a5 c0 56 e1 ea 97 21 f2 7a a5 35 98 9a 52 a2 0c ..V...!.z.5..R.. 0030 1b 0a 56 53 4f 46 53 38 2e 43 4f 4d a3 1a 30 18 ..VSOFS8.COM..0. 0040 a0 03 02 01 01 a1 11 30 0f 1b 0d 41 64 6d 69 6e .......0...Admin 0050 69 73 74 72 61 74 6f 72 a4 0b 30 09 a0 03 02 01 istrator..0..... 0060 01 a1 02 04 00 a5 11 18 0f 32 30 30 38 30 38 31 .........2008081 0070 34 30 33 30 38 35 30 5a a6 11 18 0f 32 30 30 38 4030850Z....2008 0080 30 38 31 34 30 33 31 34 30 37 5a a7 11 18 0f 32 0814031407Z....2 0090 30 30 38 30 38 31 34 31 33 30 38 35 30 5a a8 11 0080814130850Z.. 00a0 18 0f 32 30 30 38 30 38 32 31 30 33 30 38 35 30 ..20080821030850 00b0 5a aa 82 03 79 30 82 03 75 30 82 03 23 a0 03 02 Z...y0..u0..#... 00c0 01 01 a1 82 03 1a 04 82 03 16 30 82 03 12 30 82 ..........0...0. 00d0 03 0e a0 04 02 02 00 80 a1 82 03 04 04 82 03 00 ................ 00e0 05 00 00 00 00 00 00 00 01 00 00 00 f8 01 00 00 ................ 00f0 58 00 00 00 00 00 00 00 0a 00 00 00 24 00 00 00 X...........$... 0100 50 02 00 00 00 00 00 00 0c 00 00 00 58 00 00 00 P...........X... 0110 78 02 00 00 00 00 00 00 06 00 00 00 14 00 00 00 x............... 0120 d0 02 00 00 00 00 00 00 07 00 00 00 14 00 00 00 ................ 0130 e8 02 00 00 00 00 00 00 01 10 08 00 cc cc cc cc ................ 0140 e8 01 00 00 00 00 00 00 00 00 02 00 90 d4 cd 12 ................ 0150 bb fd c8 01 ff ff ff ff ff ff ff 7f ff ff ff ff ................ 0160 ff ff ff 7f 4e fb 81 3e 8b e1 c8 01 4e bb eb 68 ....N..>....N..h 0170 54 e2 c8 01 ff ff ff ff ff ff ff 7f 1a 00 1a 00 T............... 0180 04 00 02 00 00 00 00 00 08 00 02 00 00 00 00 00 ................ 0190 0c 00 02 00 00 00 00 00 10 00 02 00 00 00 00 00 ................ 01a0 14 00 02 00 00 00 00 00 18 00 02 00 18 00 00 00 ................ 01b0 f4 01 00 00 01 02 00 00 05 00 00 00 1c 00 02 00 ................ 01c0 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 01d0 00 00 00 00 0a 00 0c 00 20 00 02 00 0c 00 0e 00 ........ ....... 01e0 24 00 02 00 28 00 02 00 00 00 00 00 00 00 00 00 $...(........... 01f0 10 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0210 01 00 00 00 2c 00 02 00 00 00 00 00 00 00 00 00 ....,........... 0220 00 00 00 00 0d 00 00 00 00 00 00 00 0d 00 00 00 ................ 0230 41 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00 A.d.m.i.n.i.s.t. 0240 72 00 61 00 74 00 6f 00 72 00 00 00 00 00 00 00 r.a.t.o.r....... 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0280 00 00 00 00 00 00 00 00 05 00 00 00 00 02 00 00 ................ 0290 07 00 00 00 01 02 00 00 07 00 00 00 08 02 00 00 ................ 02a0 07 00 00 00 06 02 00 00 07 00 00 00 07 02 00 00 ................ 02b0 07 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 ................ 02c0 57 00 32 00 30 00 30 00 38 00 00 00 07 00 00 00 W.2.0.0.8....... 02d0 00 00 00 00 06 00 00 00 56 00 53 00 4f 00 46 00 ........V.S.O.F. 02e0 53 00 38 00 04 00 00 00 01 04 00 00 00 00 00 05 S.8............. 02f0 15 00 00 00 1c 09 4a 8a 69 fa 57 df 21 56 c4 ac ......J.i.W.!V.. 0300 01 00 00 00 30 00 02 00 07 00 00 20 05 00 00 00 ....0...... .... 0310 01 05 00 00 00 00 00 05 15 00 00 00 1c 09 4a 8a ..............J. 0320 69 fa 57 df 21 56 c4 ac 3c 02 00 00 00 00 00 00 i.W.!V..<....... 0330 00 0d 07 13 bb fd c8 01 1a 00 41 00 64 00 6d 00 ..........A.d.m. 0340 69 00 6e 00 69 00 73 00 74 00 72 00 61 00 74 00 i.n.i.s.t.r.a.t. 0350 6f 00 72 00 00 00 00 00 30 00 10 00 14 00 40 00 [EMAIL PROTECTED] 0360 01 00 00 00 00 00 00 00 41 00 64 00 6d 00 69 00 ........A.d.m.i. 0370 6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00 n.i.s.t.r.a.t.o. 0380 72 00 40 00 76 00 73 00 6f 00 66 00 73 00 38 00 [EMAIL PROTECTED] 0390 2e 00 63 00 6f 00 6d 00 56 00 53 00 4f 00 46 00 ..c.o.m.V.S.O.F. 03a0 53 00 38 00 2e 00 43 00 4f 00 4d 00 00 00 00 00 S.8...C.O.M..... 03b0 76 ff ff ff cc 47 c3 21 ee c2 8c 82 4a 40 85 bd [EMAIL PROTECTED] 03c0 00 a6 df 17 00 00 00 00 76 ff ff ff 36 e3 63 4a ........v...6.cJ 03d0 de 71 01 22 59 06 72 9e 20 f0 d7 bc 00 00 00 00 .q."Y.r. ....... 03e0 30 4c a0 03 02 01 01 a1 45 04 43 30 41 30 3f a0 0L......E.C0A0?. 03f0 04 02 02 00 8d a1 37 04 35 30 33 30 31 a0 03 02 ......7.50301... 0400 01 00 a1 2a 04 28 00 00 00 00 00 30 00 00 24 7b ...*.(.....0..${ 0410 e4 49 e7 d1 91 2e 77 9f 2a 93 cc 03 cf ca 55 e5 .I....w.*.....U. 0420 8a 4e 4c f5 da cd 8b 6f 7a 58 78 db e4 03 89 18 .NL....ozXx..... 0430 36 f2 27 24 29 00 00 00 f8 ed aa 08 70 71 ce b5 6.'$).......pq.. 0440 3c e2 d7 3e 26 86 <..>&. Decrypted Krb5 (217 bytes): 0000 62 81 be 30 81 bb a0 03 02 01 05 a1 0c 1b 0a 56 b..0...........V 0010 53 4f 46 53 38 2e 43 4f 4d a2 1a 30 18 a0 03 02 SOFS8.COM..0.... 0020 01 01 a1 11 30 0f 1b 0d 41 64 6d 69 6e 69 73 74 ....0...Administ 0030 72 61 74 6f 72 a3 25 30 23 a0 05 02 03 00 80 03 rator.%0#....... 0040 a1 1a 04 18 10 00 00 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 00 00 00 00 00 00 22 00 00 00 a4 03 02 01 ........"....... 0060 2d a5 11 18 0f 32 30 30 38 30 38 31 34 30 33 31 -....20080814031 0070 34 30 34 5a a6 1b 30 19 a0 03 02 01 17 a1 12 04 404Z..0......... 0080 10 25 9b 2e 38 5e cf 37 e0 94 26 a7 53 b9 a8 05 .%..8^.7..&.S... 0090 7f a7 06 02 04 4f 59 0a 4f a8 26 30 24 30 22 a0 .....OY.O.&0$0". 00a0 03 02 01 01 a1 1b 04 19 30 17 30 15 a0 04 02 02 ........0.0..... 00b0 00 81 a1 0d 04 0b 30 09 02 01 12 02 01 11 02 01 ......0......... 00c0 17 00 00 00 21 00 00 00 50 00 00 00 a0 33 21 08 ....!...P....3!. 00d0 50 34 21 08 e8 34 21 08 50 P4!..4!.P On Thu, Aug 28, 2008 at 4:12 AM, Richard Guthrie <[EMAIL PROTECTED]> wrote: > Resending as I have not heard back from Ronnie on this. > > Richard Guthrie > Open Protocols Support Team > Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM > Tel: +1 (469) 775-7794 > E-mail: [EMAIL PROTECTED] > We're hiring > http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted > > > -----Original Message----- > From: Richard Guthrie > Sent: Monday, August 25, 2008 9:30 AM > To: 'ronnie sahlberg' > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: RE: Request for fix to MS-PAC > > Ronnie, can you send over a network trace (Wireshark or Netmon 3 format > preferred) that shows the behavior you describe for items 1 and 4? I will > continue to investigate your list of questions and get back to you shortly. > > Richard Guthrie > Open Protocols Support Team > Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM > Tel: +1 (469) 775-7794 > E-mail: [EMAIL PROTECTED] > We're hiring > http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted > > > -----Original Message----- > From: ronnie sahlberg [mailto:[EMAIL PROTECTED] > Sent: Sunday, August 24, 2008 8:54 PM > To: Richard Guthrie > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: Request for fix to MS-PAC > > Hi, > > Thanks for the reply. > > However, > In my traces there is a difference compared yo your description : > > Between DnsOffset and the start of the UPN field there are 8 bytes. > Not 4 bytes as your description suggests. > > Additionally it is stated that the 4 flag bytes must be 0, which they > are not in my trace. > > > > Please, > 1, investigate whether there will be 4 or 8 bytes between the > DnsOffset and the UPN field. > 2, since this is not NDR encoded, please explain what the alignment > rules are for the UPN and DNS fields. > 3, Are UPN and DNS fields null terminated or not? > 4, Please explain the flag bits. My traces show flags with the > values 0x01 0x00 0x00 0x00 > > 5, Also please describe the sequence how a client will request that a > KDC to create a ticket containing this new > pac blob. I.e. what exactly need an initiator do to request that the > KDC will add this to the pac? > > > > regards > ronnie sahlberg > > > > On Fri, Aug 22, 2008 at 8:02 AM, Richard Guthrie <[EMAIL PROTECTED]> wrote: >> Ronnie, >> >> Thank you for your question. We have completed our review and agree this >> was missing from the documentation. It will be corrected in a future >> version of the documentation but I wanted to provide you with the missing >> information. The updates that will be added to the documentation are listed >> below. >> >> The ulType field will have a flag added for 0x0000000C and its meaning will >> be as follows: >> >> >> UPN and DNS information (section 2.10). PAC structures SHOULD contain >> zero or one buffer of this type. Additional UPN and DNS information buffers >> MUST be ignored. >> >> A section will be added to section 2 Structures entitled >> UPN_DNS_INFO. Here is the added text: >> >> 2.10 UPN_DNS_INFO >> The UPN_DNS_INFO structure contains the client's UPN and DNS name. It >> is used to provide the UPN and DNS name that corresponds to the client of >> the ticket. The UPN_DNS_INFO structure is placed directly after >> the Buffers array of the topmost PACTYPE structure, at the offset specified >> in the Offset field of the corresponding PAC_INFO_BUFFER structure in the >> Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER is set >> to 0x0000000C. >> >> >> UpnLength (2 bytes): An unsigned 16-bit integer in little-endian >> format that specifies the length, in bytes, of the UPN field. >> >> UpnOffset (2 bytes): An unsigned 16-bit integer in little-endian >> format that contains the offset to the beginning of the buffer, in bytes, >> from the beginning of the UPN_DNS_INFO structure. >> >> DnsDomainNameLength (2 bytes): An unsigned 16-bit integer in >> little-endian format that specifies the length, in bytes, of the >> DnsDomainName field. >> >> DnsOffset (2 bytes): An unsigned 16-bit integer in little-endian >> format that contains the offset to the beginning of the buffer, in bytes, >> from the beginning of the UPN_DNS_INFO structure. >> >> Flags (4 bytes): An unsigned 32-bit integer in little-endian format >> that MUST be 0. >> >> Please let us know if you have any further questions. >> >> Richard Guthrie >> Open Protocols Support Team >> Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM >> Tel: +1 (469) 775-7794 >> E-mail: [EMAIL PROTECTED] >> We're hiring >> http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted >> -----Original Message----- >> From: ronnie sahlberg [mailto:[EMAIL PROTECTED] >> Sent: Thursday, August 14, 2008 3:11 AM >> To: Interoperability Documentation Help >> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] >> Subject: Request for fix to MS-PAC >> >> Hi, >> >> I am a pfif subcontractor. >> >> Using Vista workstation joined to a W2008 domain we have observed a >> new undocumented PAC_INFO_BUFFER type : type 12. >> >> The MS-PAC document only documents types 1,2,6,7,10 and 11. >> >> >> Please provide documentation of PAC_INFO_BUFFER type 12. >> >> >> regards >> ronnie sahlberg >> >> > > _______________________________________________ cifs-protocol mailing list cifs-protocol@cifs.org https://lists.samba.org/mailman/listinfo/cifs-protocol