Hi Julien, The common error codes I found when validating paChecksum and paChecksum2, in addition to KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED are:
KDC_ERR_SUMTYPE_NOSUPP (not supported), KRB_AP_ERR_MODIFIED (no match) Please let us know if you have further questions. Best regards, Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300 ________________________________ From: Jeff McCashland (He/him) Sent: Tuesday, March 11, 2025 9:59 AM To: Julien Rische Cc: Alexander Bokovoy; cifs-protocol@lists.samba.org; Microsoft Support Subject: [MS-PKCS] Document error codes for paChecksum and paChecksum2 - TrackingID#2503110040011119 Hi Julien, We have created SR 2503110040011119 to track this question. I will research this and let you know what I find. Best regards, Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Corporation Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada) Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300 ________________________________ From: Julien Rische <jris...@redhat.com> Sent: Tuesday, March 11, 2025 3:08 AM To: Jeff McCashland (He/him) <je...@microsoft.com> Cc: Alexander Bokovoy <a...@samba.org>; cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>; Microsoft Support <supportm...@microsoft.com> Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT regression - TrackingID#2412190040009154 Hello Jeff, I am coming back to this thread because, while working on the implementation of paChecksum2 for MIT krb5[1], we noticed that RFC4556 does not specify the error code to be returned if paChecksum is invalid. We had the same concern for paChecksum2, because MS-PKCA seems to not define the errors to return in case paChecksum2 is missing or invalid. We observed that on Windows Server 2025, if paChecksum2 is missing (but required), KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED (79)[2] is returned, and if paChecksum2 is invalid, KRB_AP_ERR_MODIFIED (41)[3] is returned. Could this behavior be documented in MS-PKCA to ensure a coherent behavior across the different implementations? -- Julien Rische [1] https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkrb5%2Fkrb5%2Fpull%2F1411&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207734931%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=OSuud%2Fgyk3lyCRQCkaQ1SPHp1w8pQVEQtYXZqZXf6po%3D&reserved=0<https://github.com/krb5/krb5/pull/1411> [2] https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4556%23page-7&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207750879%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=KBoLmI7A2aRGvnXns%2BPt4z2xVSpmn2ANTLqpAOFvgxI%3D&reserved=0<https://datatracker.ietf.org/doc/html/rfc4556#page-7> [3] https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc4120%23page-112&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207759381%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=53FUS65yFzmLieO1pfd3uKRAThiIfd8QcyTUPky7Bds%3D&reserved=0<https://datatracker.ietf.org/doc/html/rfc4120#page-112> On Tue, Jan 14, 2025 at 11:26 AM Julien Rische <jris...@redhat.com> wrote: > > Hello Jeff, > > Thank you for your answers. > > As demonstrated in one of the traces, it seems that AD accepts PKINIT > AS-REQ without paChecksum2 when SHA-256 is used with ECDH (contrary to > FFDH). Is this behavior here to stay, or will paChecksum2 be required > for ECDH+RSA/SHA-2 too in Windows Server 2025 eventually? > > -- > Julien Rische > > On Mon, Jan 13, 2025 at 8:39 PM Jeff McCashland (He/him) > <je...@microsoft.com> wrote: > > > > Hi Alexander, > > > > Excellent observation. The paChecksum2 value follows the freshness token. > > > > typedef struct PKAuthenticator { > > union { > > ASN1uint16_t bit_mask; > > ASN1octet_t o[1]; > > }; > > ASN1uint32_t cusec; > > KERB_TIME client_time; > > ASN1uint32_t nonce; > > # define paChecksum_present 0x80 > > ASN1octetstring_t paChecksum; > > # define freshnessToken_present 0x40 > > ASN1octetstring_t freshnessToken; > > # define paChecksum2_present 0x20 > > PAChecksum2 paChecksum2; > > } PKAuthenticator; > > > > I will follow up and request any needed documentation updates. > > > > Best regards, > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft > > Corporation > > > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) > > Pacific Time (US and Canada) > > > > Local country phone number found here: > > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207767858%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=ZraQ2XAS4J%2FBHrwb50b%2B50nR8fDGOyoUs6qkIhLnH8Y%3D&reserved=0<http://support.microsoft.com/globalenglish> > > | Extension 1138300 > > > > > > > > ________________________________ > > From: Alexander Bokovoy <a...@samba.org> > > Sent: Monday, January 13, 2025 11:33 AM > > To: Jeff McCashland (He/him) <je...@microsoft.com> > > Cc: Julien Rische <jris...@redhat.com>; cifs-protocol@lists.samba.org > > <cifs-protocol@lists.samba.org>; Microsoft Support > > <supportm...@microsoft.com> > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > regression - TrackingID#2412190040009154 > > > > Hi Jeff, > > > > On Пан, 13 сту 2025, Jeff McCashland (He/him) wrote: > > > Hi Julien and Alexander, > > > > > > What I found in the trace is that the server is finding a paChecksum, but > > > no paChecksum2, which is required when using anything other than SHA-1: > > > > > > [MS-PKCA] 2.2.3 PA-PK-AS-REQ > > > The PA-PK-AS-REQ message format is specified in [RFC4556] section > > > 3.2.1.<10> PKAuthenticator in [RFC4556] is extended to add the > > > following PAChecksum2<11>. If a checksum algorithm other than SHA-1 is > > > used, this message MUST be present. If this field is present, it will > > > always be validated even if it is SHA-1. > > > PAChecksum2 ::= SEQUENCE { > > > checksum [0] OCTET STRING, > > > algorithmIdentifier [1] KERB-ALGORITHM-IDENTIFIER > > > } > > > <11> Section 2.2.3: The extension of PKAuthenticator in PA-PK-AS-REQ > > > is only applicable to Windows Server 2022, 23H2 operating system. > > > Windows Server 2022, 23H2 DCs will send back > > > TD-CMS-DIGEST-ALGORITHMS-DATA as described in [RFC8636] section 4. CMS > > > Digest Algorithm Agility. > > > > > > I believe the solution is to add a paChecksum2 to the PA-PK-AS-REQ. Let > > > me know if you have any questions. > > > > Thank you for pointing this out. > > > > There is one problem, though. RFC 8070 extends PKAuthenticator as well, > > by adding freshnessToken right after paChecksum: > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Frfc8070%23section-4&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207776532%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=HnbUlN15vKNojnY%2FA3GACwZyqlSllpB9AfCVG2uVZlc%3D&reserved=0<https://datatracker.ietf.org/doc/html/rfc8070#section-4> > > > > PKAuthenticator ::= SEQUENCE { > > cusec [0] INTEGER (0..999999), > > ctime [1] KerberosTime, > > -- cusec and ctime are used as in [RFC4120], for > > -- replay prevention. > > nonce [2] INTEGER (0..4294967295), > > -- Chosen randomly; this nonce does not need to > > -- match with the nonce in the KDC-REQ-BODY. > > paChecksum [3] OCTET STRING OPTIONAL, > > -- MUST be present. > > -- Contains the SHA1 checksum, performed over > > -- KDC-REQ-BODY. > > ..., > > freshnessToken [4] OCTET STRING OPTIONAL, > > -- PA_AS_FRESHNESS padata value as received from the > > -- KDC. MUST be present if sent by KDC > > ... > > } > > > > Can you please expand on whether paChecksum2 is added after or before > > the freshnessToken? e.g. does paChecksum2 has index [5] or [4]? > > > > If it is indeed paChecksum2 [5], then a reference to RFC 8070 is missing > > in the MS-PKCA 2.2.3. > > > > I think MS-PKCA would need an update about this detail as MS-PKCA 3.1.5 > > explicitly states: > > > > PKCA SHOULD<14> support the PKINIT Freshness Extension [RFC8070]. > > > > so MS-PKCA 2.2.3 would need to refer to RFC8070, not just to RFC4556. > > > > > > > > > > > > > Best regards, > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft > > > Corporation > > > > > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) > > > Pacific Time (US and Canada) > > > > > > Local country phone number found here: > > > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207786086%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=eP1HfScl2SOskij0dLlzqU90kzkl1y4Alrhs9BSUcY4%3D&reserved=0<http://support.microsoft.com/globalenglish> > > > | Extension 1138300 > > > > > > > > > > > > ________________________________ > > > From: Jeff McCashland (He/him) <je...@microsoft.com> > > > Sent: Tuesday, January 7, 2025 1:16 PM > > > To: Julien Rische <jris...@redhat.com> > > > Cc: Alexander Bokovoy <a...@samba.org>; cifs-protocol@lists.samba.org > > > <cifs-protocol@lists.samba.org>; Microsoft Support > > > <supportm...@microsoft.com> > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > regression - TrackingID#2412190040009154 > > > > > > Thank you for the rapid response and for uploading the additional traces. > > > I will dig into these and let you know what I find. > > > > > > > > > Best regards, > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft > > > Corporation > > > > > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) > > > Pacific Time (US and Canada) > > > > > > Local country phone number found here: > > > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207796727%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=j9%2FK9tyM1tiS1y6OOcXI5hGiAaCPlnWCY2P6hOJZBWo%3D&reserved=0<http://support.microsoft.com/globalenglish> > > > | Extension 1138300 > > > > > > > > > > > > ________________________________ > > > From: Julien Rische <jris...@redhat.com> > > > Sent: Tuesday, January 7, 2025 11:33 AM > > > To: Jeff McCashland (He/him) <je...@microsoft.com> > > > Cc: Alexander Bokovoy <a...@samba.org>; cifs-protocol@lists.samba.org > > > <cifs-protocol@lists.samba.org>; Microsoft Support > > > <supportm...@microsoft.com> > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > regression - TrackingID#2412190040009154 > > > > > > Hello Jeff, > > > > > > I uploaded 5 additional files, including the LSASS traces obtained > > > following the procedure described in your previous message: > > > > > > [02_lsass_pkinit_ffdh_modp14.zip] Compressed LSASS trace of a failing > > > pre-authentication process for FFDH with MODP group 14 (2046-bit) and > > > RSA/SHA-256 signature. > > > [02_pkinit_ffdh_modp14.pcap] Network trace of a failing > > > pre-authentication process for FFDH with MODP group 14 (2046-bit) and > > > RSA/SHA-256 signature. > > > [02_lsass_pkinit_ecdh_p256.zip] Compressed LSASS trace of a successful > > > pre-authentication process for ECDH with curve P-256 and RSA/SHA-256 > > > signature. > > > [02_pkinit_ecdh_p256.pcap] Network trace of a successful > > > pre-authentication process for ECDH with curve P-256 and RSA/SHA-256 > > > signature. > > > [02_ad2025.keytab] All Kerberos keys in the AD domain. > > > > > > -- > > > Julien Rische > > > > > > On Mon, Jan 6, 2025 at 9:03 PM Jeff McCashland (He/him) > > > <je...@microsoft.com> wrote: > > > > > > > > Hi Julien, > > > > > > > > Thank you for uploading the net traces and information. Please follow > > > > the instructions below to collect an LSASS trace of the scenario where > > > > you get the KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED error ('unknown' error > > > > code 79 from Alexander's original description). > > > > > > > > The LSASS traces can be quite large, but are highly compressible, so > > > > please add them to a .zip archive before uploading (file transfer > > > > workspace link is below). Please log into the workspace and find > > > > PartnerTTDRecorder_x86_x64.zip available for download. The x64 tool can > > > > be staged onto the Windows server in any location (instructions below > > > > assume C:\TTD). > > > > > > > > To collect the needed traces: > > > > 1. From a PowerShell prompt, execute: > > > > C:\TTD\tttracer.exe -Attach ([int](Get-Process -NAME lsass | > > > > Format-Wide -Property > > > > ID).formatEntryInfo.formatPropertyField.propertyValue) > > > > 2. Wait for a little window to pop up in top left corner of your > > > > screen, titled “lsass01.run” > > > > 3. start a network trace using netsh or WireShark, etc. > > > > 4. Repro the attempted operation > > > > 5. Stop the network trace and save it > > > > 6. CAREFULLY: uncheck the checkbox next to “Tracing” in the small > > > > “lsass01.run” window. Do not close or exit the small window or you will > > > > need to reboot. > > > > 7. The TTTracer.exe process will generate a trace file, then print out > > > > the name and location of the file. > > > > Compress the *.run file into a .zip archive before uploading with the > > > > matching network trace. It is a good idea to reboot the machine at the > > > > next opportunity to restart the lsass process. > > > > > > > > Best regards, > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft > > > > Corporation > > > > > > > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: > > > > (UTC-08:00) Pacific Time (US and Canada) > > > > > > > > Local country phone number found here: > > > > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207805921%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Ur8fyQrXBePrHauc%2BoGvauLAyH6gKyMrIMllmtaZGEA%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207814685%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=JcU4b1320QYnMMCaqSEruDVMwrmugrFKnySHbX5q16o%3D&reserved=0><http://support.microsoft.com/globalenglish> > > > > | Extension 1138300 > > > > > > > > > > > > > > > > ________________________________ > > > > From: Julien Rische <jris...@redhat.com> > > > > Sent: Monday, January 6, 2025 2:27 AM > > > > To: Jeff McCashland (He/him) <je...@microsoft.com> > > > > Cc: Alexander Bokovoy <a...@samba.org>; cifs-protocol@lists.samba.org > > > > <cifs-protocol@lists.samba.org>; Microsoft Support > > > > <supportm...@microsoft.com> > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > > regression - TrackingID#2412190040009154 > > > > > > > > Hello Jeff, > > > > > > > > I uploaded the network traces to the file transfer link you provided: > > > > > > > > [00_ad2025.pcap] Network trace of a failing pre-authentication process > > > > with RSA/SHA-256 and RSA/SHA-512 as supportedCMSTypes. > > > > [00_ad2025_sha1.pcap] Network trace of a failing pre-authentication > > > > process with RSA/SHA-256, RSA/SHA-512, and RSA/SHA-1 as > > > > supportedCMSTypes. > > > > [00_ad2025.keytab] All Kerberos keys in the AD domain. > > > > > > > > [01_gp_pkinit_digest.png] Screenshot of the "Computer > > > > Configuration\Policies\Administrative Templates\System\KDC\Configure > > > > hash algorithms for certificate logon" global policy settings. > > > > [01_pkinit_ffdh_modp14.pcap] Network trace of a failing > > > > pre-authentication process for FFDH with MODP group 14 (2046-bit) and > > > > RSA/SHA-256 signature. > > > > [01_pkinit_ecdh_p256.pcap] Network trace for a successful > > > > pre-authentication process for ECDH with curve P-256 and RSA/SHA-256 > > > > signature. > > > > [01_ad2025.keytab] All Kerberos keys in the AD domain. > > > > > > > > My Microsoft account uses the present email address: jris...@redhat.com > > > > > > > > -- > > > > Julien Rische > > > > > > > > On Fri, Jan 3, 2025 at 9:12 PM Jeff McCashland (He/him) > > > > <je...@microsoft.com> wrote: > > > > > > > > > > Hello Julien and Alexander, > > > > > > > > > > Actually, what we need to troubleshoot this issue is to collect a TTD > > > > > trace of the LSASS process. In order to download the tool needed to > > > > > collect the trace, you will need a Microsoft account. These can be > > > > > created free at live.com. > > > > > > > > > > Please send me the Microsoft account email address you will use to > > > > > download the tools, and I will send the link. > > > > > > > > > > Best regards, > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft > > > > > Corporation > > > > > > > > > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: > > > > > (UTC-08:00) Pacific Time (US and Canada) > > > > > > > > > > Local country phone number found here: > > > > > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207823517%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=1PiscDfWY%2B87az9LPZNpdQzXoHcz3JgplrZ9xemyli0%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207832404%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=XAK8minB5NAenb08k%2BlPAvGmO%2BztMbNzzIWlJHjTkkk%3D&reserved=0><http://support.microsoft.com/globalenglish> > > > > > | Extension 1138300 > > > > > > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > From: Jeff McCashland (He/him) <je...@microsoft.com> > > > > > Sent: Friday, December 27, 2024 11:30 AM > > > > > To: Julien Rische <jris...@redhat.com>; Alexander Bokovoy > > > > > <a...@samba.org> > > > > > Cc: cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>; > > > > > Microsoft Support <supportm...@microsoft.com> > > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > > > regression - TrackingID#2412190040009154 > > > > > > > > > > Hi Julien and Alexander, > > > > > > > > > > Alexander mentioned ad2025.pcap and ad2025_sha1.pcap, and Julien > > > > > mentioned 2 additional unnamed captures. > > > > > > > > > > Please upload any relevant traces to the link below, as we are not > > > > > allowed to accept files by email. Also, it would help if you could > > > > > specify which traces and frames relate to which aspects of your > > > > > question, that would save time. > > > > > > > > > > Also, it's not clear to me (yet), if the additional information from > > > > > Julien modifies or answers any part of Alexander's original question. > > > > > > > > > > Secure file link: > > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Ffiles%3Fworkspace%3DeyJhbGciOiJSUzI1NiIsImtpZCI6IjgxMTA4NjE5MTQzMTQ1NTc0QUYxMjI3NjhGMEIzNDkyRkYyNTczNEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiNjgzMzc2YjUtNjczZC00ZGVkLTlmYzUtYjRiOTUzMmJmNzE4Iiwic3IiOiIyNDEyMTkwMDQwMDA5MTU0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiYjA0NWU2MDgtMWY3MC00OTE3LTk4MTAtZjA0OGJlNGVlODI2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3MzUzMjc3NzAsImV4cCI6MTc0MzEwMzc3MCwiaWF0IjoxNzM1MzI3NzcwLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.d23KDsdUj68vCL0fEY2hpp2wjG65vYVtGh2E9Bu1mqT8YM-Q6bkewOhrHJbML0Fcr_ijDp89UMkAb0h70iCJCQojecjI8NPzgrkCm11GzScvTRcvJqyChhZ-9T731ZGSRV8wnxrrETLsuTjCo88_gAqRF3oBQdUuriBtI5z_xh-qUqrqcl-9q2nqxqhMzd3rA7Chkk5EMSRv5U1hnWhH5etJ-kUj8-HJB4eihMGPQ7NVPjCrVy04opSBf-XgkHjSsx_j_-q7EsbOR7ic3aWdEwZS5eppFpc4C4JMNpCauM4is23XWNoYwDZ9vP9CnyKPZfSMlF-5fC4k_4Q3KzcsNw%26wid%3D683376b5-673d-4ded-9fc5-b4b9532bf718&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207841104%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=KAIcdIY7TP3RHR5EktRzlicD1x3lk2BiAGbk%2BFhueGE%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Ffiles%3Fworkspace%3DeyJhbGciOiJSUzI1NiIsImtpZCI6IjgxMTA4NjE5MTQzMTQ1NTc0QUYxMjI3NjhGMEIzNDkyRkYyNTczNEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiNjgzMzc2YjUtNjczZC00ZGVkLTlmYzUtYjRiOTUzMmJmNzE4Iiwic3IiOiIyNDEyMTkwMDQwMDA5MTU0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiYjA0NWU2MDgtMWY3MC00OTE3LTk4MTAtZjA0OGJlNGVlODI2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3MzUzMjc3NzAsImV4cCI6MTc0MzEwMzc3MCwiaWF0IjoxNzM1MzI3NzcwLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.d23KDsdUj68vCL0fEY2hpp2wjG65vYVtGh2E9Bu1mqT8YM-Q6bkewOhrHJbML0Fcr_ijDp89UMkAb0h70iCJCQojecjI8NPzgrkCm11GzScvTRcvJqyChhZ-9T731ZGSRV8wnxrrETLsuTjCo88_gAqRF3oBQdUuriBtI5z_xh-qUqrqcl-9q2nqxqhMzd3rA7Chkk5EMSRv5U1hnWhH5etJ-kUj8-HJB4eihMGPQ7NVPjCrVy04opSBf-XgkHjSsx_j_-q7EsbOR7ic3aWdEwZS5eppFpc4C4JMNpCauM4is23XWNoYwDZ9vP9CnyKPZfSMlF-5fC4k_4Q3KzcsNw%26wid%3D683376b5-673d-4ded-9fc5-b4b9532bf718&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207850389%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=zlzKLob0K7NMHT1VQA7GndSq6E8ZLZZxK3mw4W1jpnc%3D&reserved=0><https://support.microsoft.com/files?workspace=eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxMTA4NjE5MTQzMTQ1NTc0QUYxMjI3NjhGMEIzNDkyRkYyNTczNEYiLCJ0eXAiOiJKV1QifQ.eyJ3c2lkIjoiNjgzMzc2YjUtNjczZC00ZGVkLTlmYzUtYjRiOTUzMmJmNzE4Iiwic3IiOiIyNDEyMTkwMDQwMDA5MTU0Iiwic3YiOiJ2MSIsInJzIjoiRXh0ZXJuYWwiLCJ3dGlkIjoiYjA0NWU2MDgtMWY3MC00OTE3LTk4MTAtZjA0OGJlNGVlODI2IiwiYXBwaWQiOiI0ZTc2ODkxZC04NDUwLTRlNWUtYmUzOC1lYTNiZDZlZjIxZTUiLCJuYmYiOjE3MzUzMjc3NzAsImV4cCI6MTc0MzEwMzc3MCwiaWF0IjoxNzM1MzI3NzcwLCJpc3MiOiJodHRwczovL2FwaS5kdG1uZWJ1bGEubWljcm9zb2Z0LmNvbSIsImF1ZCI6Imh0dHA6Ly9zbWMifQ.d23KDsdUj68vCL0fEY2hpp2wjG65vYVtGh2E9Bu1mqT8YM-Q6bkewOhrHJbML0Fcr_ijDp89UMkAb0h70iCJCQojecjI8NPzgrkCm11GzScvTRcvJqyChhZ-9T731ZGSRV8wnxrrETLsuTjCo88_gAqRF3oBQdUuriBtI5z_xh-qUqrqcl-9q2nqxqhMzd3rA7Chkk5EMSRv5U1hnWhH5etJ-kUj8-HJB4eihMGPQ7NVPjCrVy04opSBf-XgkHjSsx_j_-q7EsbOR7ic3aWdEwZS5eppFpc4C4JMNpCauM4is23XWNoYwDZ9vP9CnyKPZfSMlF-5fC4k_4Q3KzcsNw&wid=683376b5-673d-4ded-9fc5-b4b9532bf718> > > > > > > > > > > Best regards, > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft > > > > > Corporation > > > > > > > > > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: > > > > > (UTC-08:00) Pacific Time (US and Canada) > > > > > > > > > > Local country phone number found here: > > > > > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207859008%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=wJ7XCO25XB7%2BZESg9egE9W%2B2y1wX9JvtmXaBYa830Cg%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207867197%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=%2F%2FJPdlw6l9Oqx%2BVOSbRk2LwKjNjaXkDEd9gXuJsAMrQ%3D&reserved=0><http://support.microsoft.com/globalenglish> > > > > > | Extension 1138300 > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > From: Jeff McCashland (He/him) <je...@microsoft.com> > > > > > Sent: Monday, December 23, 2024 8:29 PM > > > > > To: Julien Rische <jris...@redhat.com> > > > > > Cc: cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>; > > > > > Alexander Bokovoy <a...@samba.org>; Microsoft Support > > > > > <supportm...@microsoft.com> > > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > > > regression - TrackingID#2412190040009154 > > > > > > > > > > [Kristian to BCC] > > > > > > > > > > Hi Julien, > > > > > > > > > > I will investigate your question, and get back to you. I am out the > > > > > next 2 days for holiday, back on Thursday. > > > > > > > > > > > > > > > Best regards, > > > > > Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft > > > > > Corporation > > > > > > > > > > Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: > > > > > (UTC-08:00) Pacific Time (US and Canada) > > > > > > > > > > Local country phone number found here: > > > > > https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207875356%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=F3EXlCTksUZ0%2FSKbohC1%2B0DA1gZ7iAMuI8f%2FrNooE5Y%3D&reserved=0<https://nam06.safelinks.protection.outlook.com/?url=http%3A%2F%2Fsupport.microsoft.com%2Fglobalenglish&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207883536%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=7QAcEpA1gPh3TujYJYC%2FvzS2jTXe7MBNtrj%2FUcSYroI%3D&reserved=0><http://support.microsoft.com/globalenglish> > > > > > | Extension 1138300 > > > > > > > > > > > > > > > > > > > > ________________________________ > > > > > From: Kristian Smith <kristian.sm...@microsoft.com> > > > > > Sent: Monday, December 23, 2024 1:31 PM > > > > > To: Julien Rische <jris...@redhat.com>; Jeff McCashland (He/him) > > > > > <je...@microsoft.com> > > > > > Cc: cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>; > > > > > Alexander Bokovoy <a...@samba.org>; Microsoft Support > > > > > <supportm...@microsoft.com> > > > > > Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > > > regression - TrackingID#2412190040009154 > > > > > > > > > > [Mike to Bcc, adding Jeff]] > > > > > Hi Julien, > > > > > > > > > > Thanks for the information. Also, after some workload adjustments, > > > > > @Jeff McCashland will be working on your case moving forward. > > > > > > > > > > Apologies for the confusion. > > > > > > > > > > Regards, > > > > > Kristian Smith > > > > > Support Escalation Engineer | Microsoft® Corporation > > > > > Email: kristian.sm...@microsoft.com > > > > > > > > > > -----Original Message----- > > > > > From: Michael Bowen <mike.bo...@microsoft.com> > > > > > Sent: Monday, December 23, 2024 10:05 AM > > > > > To: Julien Rische <jris...@redhat.com>; Kristian Smith > > > > > <kristian.sm...@microsoft.com> > > > > > Cc: Alexander Bokovoy <a...@samba.org>; > > > > > cifs-protocol@lists.samba.org; Microsoft Support > > > > > <supportm...@microsoft.com> > > > > > Subject: RE: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > > > regression - TrackingID#2412190040009154 > > > > > > > > > > Hi Julien, > > > > > > > > > > Thanks for the update. @Kristian Smith is handling your case, so I'm > > > > > forwarding this to him to help him with your issue. Happy Holidays! > > > > > > > > > > - Michael > > > > > > > > > > -----Original Message----- > > > > > From: Julien Rische <jris...@redhat.com> > > > > > Sent: Monday, December 23, 2024 5:32 AM > > > > > To: Michael Bowen <mike.bo...@microsoft.com> > > > > > Cc: Alexander Bokovoy <a...@samba.org>; > > > > > cifs-protocol@lists.samba.org; Microsoft Support > > > > > <supportm...@microsoft.com> > > > > > Subject: Re: [cifs-protocol] [EXTERNAL] Windows Server 2025 PKINIT > > > > > regression - TrackingID#2412190040009154 > > > > > > > > > > [You don't often get email from jris...@redhat.com. Learn why this is > > > > > important at https://aka.ms/LearnAboutSenderIdentification ] > > > > > > > > > > Hello Michael, > > > > > > > > > > It has come to our attention that Windows Server 2025 now has support > > > > > for allowing and disallowing digest algorithms in PKINIT. We made > > > > > some tests by modifying the "Computer > > > > > Configuration\Policies\Administrative > > > > > Templates\System\KDC\Configure hash algorithms for certificate logon". > > > > > > > > > > This configuration seems to take effect, because disallowing SHA-256 > > > > > causes elliptic curve Diffie-Hellman to fail. However, allowing all > > > > > SHA versions does not fix the problem when using finite field > > > > > Diffie-Hellman. > > > > > > > > > > In attachment, you will find 2 network traces showing a successful > > > > > pre-authentication process for ECDH with curve P-256 and RSA/SHA-256 > > > > > signature, and a failing one for FFDH with MODP group 14 (2046-bit) > > > > > and RSA/SHA-256 signature. In both cases all SHA versions are allowed > > > > > in the above group policy. > > > > > > > > > > -- > > > > > Julien Rische > > > > > > > > > > > > > > > On Thu, Dec 19, 2024 at 5:33 PM Michael Bowen via cifs-protocol > > > > > <cifs-protocol@lists.samba.org> wrote: > > > > > > > > > > > > [DocHelp to bcc] > > > > > > > > > > > > Hi Alexander, > > > > > > > > > > > > Thanks for your question about Windows Server 2025 and Kerberos. > > > > > > I've created case number 2412190040009154 to track this issue, > > > > > > please leave the number in the subject line when communicating with > > > > > > our team. One of our engineers will contact you soon. > > > > > > > > > > > > Best regards, > > > > > > Michael Bowen > > > > > > Sr. Escalation Engineer - Microsoft® Corporation > > > > > > > > > > > > -----Original Message----- > > > > > > From: Alexander Bokovoy <a...@samba.org> > > > > > > Sent: Thursday, December 19, 2024 4:26 AM > > > > > > To: Interoperability Documentation Help <doch...@microsoft.com> > > > > > > Cc: cifs-protocol@lists.samba.org > > > > > > Subject: [EXTERNAL] Windows Server 2025 PKINIT regression > > > > > > > > > > > > [Some people who received this message don't often get email from > > > > > > a...@samba.org. Learn why this is important at > > > > > > https://aka.ms/LearnAboutSenderIdentification ] > > > > > > > > > > > > Hi Dochelp, > > > > > > > > > > > > I believe we are seeing a regression in how Windows Server 2025 > > > > > > handles Kerberos PKINIT, probably due to algorithm agility rewrite. > > > > > > > > > > > > Sometime ago we have updated MIT Kerberos implementation of PKINIT > > > > > > to use sha256WithRSAEncryption in supported CMS types and removed > > > > > > sha1WithRSAEncryption to be able compliant with FIPS 140-3. > > > > > > > > > > > > The commit > > > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgith%2F&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207892049%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=OiZVCqfWvpmfd1bUf23KuUph1cvF8UvyumZ%2FRhS9oRQ%3D&reserved=0<https://gith/><https://gith/> > > > > > > %2F&data=05%7C02%7CKristian.Smith%40microsoft.com%7Ccc530a51018e45fbf1 > > > > > > b108dd237c4865%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6387057388 > > > > > > 76787487%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuM > > > > > > DAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&s > > > > > > data=vvBUg7U6QcAQSKEUYyCOQ1A78VoSp5eDylGA9lRz0zI%3D&reserved=0 > > > > > > ub.com%2Fkrb5%2Fkrb5%2Fcommit%2Fcbfe46ce20f3e9265baa9c648390148c739ab8 > > > > > > 30&data=05%7C02%7Cmike.bowen%40microsoft.com%7C6c48431e145e4de8500c08d > > > > > > d23562d38%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638705575372721 > > > > > > 071%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMC > > > > > > IsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata= > > > > > > BKt0Ke6K6mn1ONoQTBrHhhybs8HASTsXpFQC4qPKjKo%3D&reserved=0 > > > > > > is part of MIT Kerberos 1.20 or later releases. > > > > > > > > > > > > This change worked well for Windows Server versions prior to > > > > > > Windows Server 2025 release. With Windows Server 2025, the request > > > > > > is rejected (packet 8 from ad2025.pcap in attached archive): > > > > > > > > > > > > Kerberos > > > > > > Record Mark: 106 bytes > > > > > > 0... .... .... .... .... .... .... .... = Reserved: Not set > > > > > > .000 0000 0000 0000 0000 0000 0110 1010 = Record Length: 106 > > > > > > krb-error > > > > > > pvno: 5 > > > > > > msg-type: krb-error (30) > > > > > > stime: Dec 18, 2024 15:22:36.000000000 CET > > > > > > susec: 926640 > > > > > > error-code: Unknown (79) > > > > > > realm: WIN2025-UO83.TEST > > > > > > sname > > > > > > name-type: kRB5-NT-SRV-INST (2) > > > > > > sname-string: 2 items > > > > > > SNameString: krbtgt > > > > > > SNameString: WIN2025-UO83.TEST > > > > > > > > > > > > > > > > > > We built a custom version of MIT Kerberos which adds both > > > > > > sha256WithRSAEncryption and sha1WithRSAEncryption to the list of > > > > > > supported CMS types and still signed with sha256WithRSAEncryption, > > > > > > it failed again. The corresponding packet exchange can be seen in > > > > > > ad2025_sha1.pcap in the attached archive. > > > > > > > > > > > > Both variants work against Windows Server 2019, so to us this looks > > > > > > like a regression in Windows Server 2025 implementation. > > > > > > > > > > > > If this is not a regression and instead it is an intentional > > > > > > change, could you please make sure MS-PKCA and other corresponding > > > > > > documents get updated with a proper logic of the changes. > > > > > > > > > > > > -- > > > > > > / Alexander Bokovoy > > > > > > > > > > > > _______________________________________________ > > > > > > cifs-protocol mailing list > > > > > > cifs-protocol@lists.samba.org > > > > > > https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flist%2F&data=05%7C02%7Cjeffm%40microsoft.com%7Cd7b8dd80695e422f007708dd6084ad2c%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638772845207900703%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=S%2BsEtYGVTpFzstNYILtTqlakrOswCT8%2BuWGOG8SBWYM%3D&reserved=0<https://list/><https://list/> > > > > > > %2F&data=05%7C02%7CKristian.Smith%40microsoft.com%7Ccc530a51018e45fbf1 > > > > > > b108dd237c4865%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C6387057388 > > > > > > 76806372%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuM > > > > > > DAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&s > > > > > > data=0Qe6AszCxK%2BkbB47AYraNMeMmtEj88GZtfXvR5jNs1I%3D&reserved=0 > > > > > > s.samba.org%2Fmailman%2Flistinfo%2Fcifs-protocol&data=05%7C02%7Cmike.b > > > > > > owen%40microsoft.com%7C6c48431e145e4de8500c08dd23562d38%7C72f988bf86f1 > > > > > > 41af91ab2d7cd011db47%7C1%7C0%7C638705575372737510%7CUnknown%7CTWFpbGZs > > > > > > b3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIj > > > > > > oiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=JoGoaTxJzMm7ljVciNww4Tdd > > > > > > UpV9bcqS3whR%2F8JTLVA%3D&reserved=0 > > > > > > > > > > > > > > > > > > > -- > > / Alexander Bokovoy
_______________________________________________ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol
