Hi Metze, I just wanted to let you know that I'm still working to get a confirmation from the engineering team whether this is expected behavior. I'll update you as soon as I have information to share.
Regards, Kristian Smith Support Escalation Engineer | Microsoft® Corporation Email: [email protected] -----Original Message----- From: Kristian Smith Sent: Wednesday, January 8, 2025 6:28 PM To: Stefan Metzmacher <[email protected]> Cc: [email protected]; Microsoft Support <[email protected]> Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093 Hi Metze, I'm going to reach out to the engineering team to try to get a better understanding of the client behavior in trust environments. I'll let you know what I learn. Regards, Kristian Smith Support Escalation Engineer | Microsoft® Corporation Email: [email protected] -----Original Message----- From: Stefan Metzmacher <[email protected]> Sent: Wednesday, January 8, 2025 3:22 AM To: Kristian Smith <[email protected]> Cc: [email protected]; Microsoft Support <[email protected]> Subject: Re: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640 Hi Kristian, > The lastest code changes in this area were released in the first > servicing/security update for the mainstream version of Server 2025, so you'd > need the first update. Ok, thanks! > That said, I can't guarantee this update fixed the issue you were seeing > without traces at the time of the error. > This is my best guess with the network trace you provided and my own code > research. I re-run the tests and it all works now also for trusts. > As far as client-side fixes, if you're referring to this code change, it does > not look like the client was modified. > If you have any further questions, please let me know. I'm just wondering why a Windows 2025 DC does not try ServerAuthenticateKerberos at all against trusted domains. I was just wondering why the server problem was detected and fixed when there's no software out in the wild triggering that code path. So I guessed that the client code in Windows has also changed. Can you find out why Windows doesn't even try it for trusted domains? Maybe there's a flag on the trustedDomain object to activate it? It would be good to know. Thanks! metze _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
