Hi, Andrew,
In our last conference call, we talked about your question regarding which
of the numerous keys Kerberos produce is considered the 'SMB session key'. I
had discussions with the product team to find what or how should be documented.
You mentioned that you would like to see the document to specify which GSSAPI
call returns the session key. They would like to have a little more
background information, which you already talked about a little bit during our
conversation. I just want to confirm so I can pass it accurately to product
team.
What do you mean by GSSAPI with CFX ? Do you mean the mechanism conforming
to RFC 4121 ?
What implementation are you using for GSSAPI with CFX in Vista ? Is it
Heimdal's implementation ?
What is your expectation about how this detail should be included in the
document ? Do you expect it to associate with specific GSSAPI calls?
I hope that with the information we can have a resolution soon. Thanks for
your patience.
Thanks
--
Hongwei Sun - Support Escalation Engineer
DSC Protocol Team, Microsoft
[EMAIL PROTECTED]
Tel: 469-7757027 x 57027
---
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Bartlett
Sent: Wednesday, July 23, 2008 12:58 AM
To: Interoperability Documentation Help
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [cifs-protocol] Session keys are not always 16 bytes long
I'm looking for correction assistance regarding SMB session keys.
Our tests show that the session keys, referred consistently in MS-SMB and
MS-SAMR as 16 byte quantities are not a simple as they are made out to be.
For example, a Windows Vista SP1 client using GSSAPI with CFX will negotiate an
AES session key with Samba4. This is 32 bytes long, and all 32 bytes are
required to satisfy the SMB signing between Vista SP1 and Samba4. (despite
MS-SMB 4.3 talking about a 16 bytes key).
Similarly, our tests have shown that for DES kerberos, an 8 byte key is used.
However, further in on the domain join, Samr password set operations are made.
There similarly we have observed 8 bytes kerberos keys in the past, but testing
shows that for the 32 byte key from the Vista join, the key must be truncated
to 16 bytes. (See MS-SAMR 3.1.2.2).
Please correct the documentation to clearly specify when the variable-length
key is used (perhaps make it clear that it is usually, but not always 16
bytes), and when a truncated key is used.
Furthermore, please clarify the linkage between MS-SAMR, MS-SMB and MS-KILE
regarding session keys. I can't find a clear reference as to which of the
numerous keys kerberos produces is considered the 'SMB session key'. Is it not
possible to include section numbers in the document cross-references?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol