Re: [cifs-protocol] Inability to use Win2k8 as a member server in Samba4 domain (was Clarify reserved bytes that are in fact used in LogonSamLogonEx response)

Tue, 04 Aug 2009 10:35:53 -0700 

Hi Andrew,

We've concluded our investigation and the following change will be available in 
future versions of MS-NRPC (section 2.2.1.4.13):


ExpansionRoom:  If NTLMV1 is used, the first 8 bytes represent the LMOWF as 
specified in [MS-NLMP] section 3.3.1. If NTLMV2, the first 8 bytes are set to 
the KXKEY ([MS-NLMP] section 3.4.5.1). This MAY be set to zero.<27>


<27> Section 2.2.1.4.13: There is a security issue with ExpansionRoom. If the 
data in this field is known, the password can be generated. Because of this, it 
is recommended for implementers that this field be zero-filled.



Please let me know if this answers your request.

Thanks and regards,


Sebastian Canevari
Senior Support Escalation Engineer, US-CSSĀ DSC PROTOCOL TEAM
7100 N Hwy 161, Irving, TX - 75039
"Las Colinas - LC2"
Tel: +1 469 775 7849
e-mail: seba...@microsoft.com



-----Original Message-----
From: Andrew Bartlett [mailto:abart...@samba.org] 
Sent: Tuesday, July 28, 2009 8:04 PM
To: Sebastian Canevari
Cc: Interoperability Documentation Help; p...@tridgell.net; 
cifs-proto...@samba.org
Subject: RE: Inability to use Win2k8 as a member server in Samba4 domain (was 
Clarify reserved bytes that are in fact used in LogonSamLogonEx response)

On Tue, 2009-07-28 at 17:07 -0700, Sebastian Canevari wrote:
> Hi Andrew,
> 
> I'm working with the product group in confirming my findings.
> 
> I am pretty sure that the first two longs in  array ExpansionRoom in
> NETLOGON_VALIDATION_SAM_INFO4 (2.2.1.4.13 MS-NRPC) are used for the 
> LanmanSessionKey but like I said I need to confirm it with the product 
> group before giving you a definitive answer.

Indeed.  If I had looked more carefully at the Samba Team's netlogon IDL this 
would have been clear.  

This means that the actual problem here is unrelated.  Perhaps it needs a new 
case, but can you please reproduce the failure of Win2k8 to operate in a Samba4 
domain, and see if you can tell us why this is the case.  We have been unable 
to identify any other differences in the protocol stream at this time. 

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

Reply via email to