Re: [cifs-protocol] Trying to let a Windows client use MS-SWN against a samba cluster #Q6- TrackingID#2311070040010094

2024-04-19 Thread Stefan Metzmacher via cifs-protocol
Hello Sreekanth and others, currently I don't have time to follow up on all other questions, but this one is actually important. I would hope that you might forward to the product team. As it would be extremely useful if windows clients could be changed in order to avoid logging Event ID:

Re: [cifs-protocol] [EXTERNAL] Re: [MS-KILE] PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 - TrackingID#2404100040000280

2024-04-15 Thread Stefan Metzmacher via cifs-protocol
Am 12.04.24 um 19:59 schrieb Jeff McCashland (He/him) via cifs-protocol: Hi Andrew, Also, our security updates team would like to talk with you about the changes. Do you have some availability next week to meet? Teams or Zoom? I'd like to participate... metze

Re: [cifs-protocol] MS-SWM Q9b - CLIENT_MOVE_NOTIFICATION is ignored if the address list includes the ip that was given to Register[Ex]() - TrackingID#2401060040000027

2024-01-31 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, I hope to find the time to collect the required stuff. In addition to the traces below, could you also upload any Events from the appropriate time range? > In Event Viewer, navigate to Application and Services Logs > Microsoft > Windows > SMBWitnessSService (from the cluster), and

Re: [cifs-protocol] [EXTERNAL] Re: [MS-LSAD] LsarCreateTrustedDomainEx3 requires cbCipher 520 for Auth information - TrackingID#2312150040008317

2024-01-09 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, We have updated [MS-LSAD] for the next release to address this issue: 2.2.7.29 LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES The LSAPR_TRUSTED_DOMAIN_AUTH_INFORMATION_INTERNAL_AES structure communicates authentication material. The cleartext password data is in the form of a

Re: [cifs-protocol] [EXTERNAL] Trying to let a Windows client use MS-SWN against a samba cluster

2024-01-04 Thread Stefan Metzmacher via cifs-protocol
Am 11.12.23 um 22:15 schrieb Kristian Smith: Hi Metze, I'm reaching out with regard to question 10 from your mail below. - Question 10: MS-SWM 3.1.6.1 Server Application Notifies of an

Re: [cifs-protocol] Q.8 Durability without SMB2_GLOBAL_CAP_PERSISTENT_HANDLES- TrackingID#2311070040010257

2024-01-04 Thread Stefan Metzmacher via cifs-protocol
Hi Sreekanth, section "3.3.5.9.10 Handling the SMB2_CREATE_DURABLE_HANDLE_REQUEST_V2 Create Context" has the following text: If the SMB2_DHANDLE_FLAG_PERSISTENT bit is set in the Flags field of the request, TreeConnect.Share.IsCA is TRUE, and Connection.ServerCapabilities includes

Re: [cifs-protocol] [EXTERNAL] Trying to let a Windows client use MS-SWN against a samba cluster - TrackingID#2311070040010486

2024-01-04 Thread Stefan Metzmacher via cifs-protocol
Hi Kristian, With regard to your 11th question (quoted below), I've done code research and the server only compares against one ServerGlobalName, but it does strip the domain of the client-provided cluster netname when making the comparison to the value present on the server. This would make

Re: [cifs-protocol] MS-SWN Q9: Section 3.2.4.27-3.2.4.29 seems to actions triggered when the client receives an RESP_ASYNC_NOTIFY - TrackingID#2311070040010334

2024-01-04 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, I didn't see a response to my previous request. It's not clear to us what you are looking for here. Having a single netname for multiple nodes sounds similar to a SOFS configuration. We use DNS to enumerate the IP addresses. Windows uses witness for the following: - If

Re: [cifs-protocol] Trying to let a Windows client use MS-SWN against a samba cluster #Q6- TrackingID#2311070040010094

2024-01-04 Thread Stefan Metzmacher via cifs-protocol
Hello Sreekanth, below is the answer to your question #6. Let me know your thoughts. Thanks for the response! Please note that section 3.2.4.3.5 did not say MUST. It only uses SHOULD. Also, the wording of the section does NOT imply that when requesting durable handle, one cannot request

Re: [cifs-protocol] [EXTERNAL] Trying to let a Windows client use MS-SWN against a samba cluster - TrackingID#2311070040010486

2023-12-20 Thread Stefan Metzmacher via cifs-protocol
Hi Kristian, As I haven't heard anything back from you on question 11 from last month, I'll move forward with the closure of this case. If you have any follow-up questions feel free to reach out and I'd be happy to look into it. I was out of office for a while. I'll noticed the responses,

Re: [cifs-protocol] MS-SWN Q7: The only place in the whole documentation that references SMB2_SHARE_CAP_SCALEOUT - TrackingID#2311070040010182

2023-11-22 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, I'm looking into your question on: Question 7: The above section is the only place in the whole documentation that references SMB2_SHARE_CAP_SCALEOUT, is that really correct? I have not found other references to this bit. Could you provide more context on your question? Is there

Re: [cifs-protocol] Question #3 - Trying to let a Windows client use MS-SWN against a samba cluster

2023-11-21 Thread Stefan Metzmacher via cifs-protocol
Hi Sreekanth, can we please keep cifs-protocol@lists.samba.org cc'ed? In your question #3 below, are you saying that client requests for witness registration occur as long as the capability bits SMB2_SHARE_CAP_CONTINUOUS_AVAILABILITY and SMB2_SHARE_CAP_CLUSTER are set? In that case which

[cifs-protocol] Trying to let a Windows client use MS-SWN against a samba cluster

2023-11-07 Thread Stefan Metzmacher via cifs-protocol
Hi DocHelp, I'm currently implementing MS-SWN for samba in order to allow clients to move to a different network interface or cluster node if a specific interface or a complete cluster node gets offline. In a Samba cluster we have multiple nodes, but just a single netname for all of them, so

Re: [cifs-protocol] LdapEnforceChannelBinding details

2023-09-28 Thread Stefan Metzmacher via cifs-protocol
Am 28.09.23 um 16:19 schrieb Stefan Metzmacher via cifs-protocol: Hi DocHelp, I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working. MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed as input from the application. MS-ADTS

[cifs-protocol] LdapEnforceChannelBinding details

2023-09-28 Thread Stefan Metzmacher via cifs-protocol
Hi DocHelp, I'm trying to connect to a server with LdapEnforceChannelBinding=2 and can't get it working. MS-NLMP specifies ClientChannelBindingsUnhashed and ServerChannelBindingsUnhashed as input from the application. MS-ADTS 5.1.2.2 Using SSL/TLS specifies that "tls-server-endpoint" channel

Re: [cifs-protocol] [MS-NRPC] DCERPC_NCA_S_FAULT_INVALID_TAG returned instead of STATUS_INVALID_LEVEL - TrackingID#2307200040007944

2023-09-08 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, We have updated [MS-NRPC] for the next release to address this issue. We have added the following Behavior Note to section 3.5.4.4.10: <197> Section 3.5.4.4.10: Windows RPC layer may return its own error code instead of STATUS_INVALID_LEVEL. The error code that a client gets depends

Re: [cifs-protocol] [EXTERNAL] Re: KB5028166 introduced undocumented changes to MS-NRPC? - TrackingID#2307130040007086

2023-07-20 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, As I mentioned in the thread for the other issue, the updates have been published in an Errata document for later inclusion in [MS-NRPC]: Windows Protocols Errata: [MS-NRPC]: Netlogon Remote Protocol

Re: [cifs-protocol] MSFT-CVE-2022-21925 MS-BKRP 3.2.4.1 Performing Client-Side Wrapping of Secrets - TrackingID#2207200040005482

2022-07-25 Thread Stefan Metzmacher via cifs-protocol
Am 25.07.22 um 23:37 schrieb Andrew Bartlett: On Mon, 2022-07-25 at 16:55 +0200, Stefan Metzmacher via cifs-protocol wrote: Ok, at this point we managed to get it working by removing the BCKUPKEY_PREFERRED (symlink), which means a new public key pair with a new certificate was generated

Re: [cifs-protocol] MSFT-CVE-2022-21925 MS-BKRP 3.2.4.1 Performing Client-Side Wrapping of Secrets - TrackingID#2207200040005482

2022-07-25 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, The registry entry to restore the default behavior is: [HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]EnableWeakCryptography = 0x1 Thanks! Note that the plan is at some point this will go away, as will the ability to restore the

[cifs-protocol] MSFT-CVE-2022-21925 MS-BKRP 3.2.4.1 Performing Client-Side Wrapping of Secrets

2022-07-20 Thread Stefan Metzmacher via cifs-protocol
Hi Dochelp, I'm currently debugging a problem where clients seem to have problems with our MS-BKRP implementation. I found the following: <18> Section 3.2.4.1: The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails

Re: [cifs-protocol] [EXTERNAL] S4U2Self and RODC - TrackingID#2203240040008827

2022-04-11 Thread Stefan Metzmacher via cifs-protocol
Hi Jeff, that means that a service that tries to use S4U2Self always needs to get a fresh TGT from the KDC it will send the S4U2Self request to? Otherwise I can't see how the usage of an RODC would be transparent for the service. metze Am 08.04.22 um 18:12 schrieb Jeff McCashland (He/him)

Re: [cifs-protocol] Update of MS-PAC spec regarding November 2021 security updates

2021-11-24 Thread Stefan Metzmacher via cifs-protocol
Am 24.11.21 um 10:33 schrieb Alexander Bokovoy via cifs-protocol: > Hello dochelp, > > I can see inconsistency in what is published on > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/ > with regards to the changes introduced as a part of the Microsoft > Windows security

[cifs-protocol] SMB2 Create replay with multichannel

2021-05-01 Thread Stefan Metzmacher via cifs-protocol
Hi Dochelp, I want to clarify unexpected behavior (which is also not documented) of Windows server regarding the replay of SMB2 Create operations. From our https://bugzilla.samba.org/show_bug.cgi?id=14449: I think I basically know now how the create replay detection is supposed to work with

Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST

2021-04-27 Thread Stefan Metzmacher via cifs-protocol
Am 27.04.21 um 11:38 schrieb Andrew Bartlett: > On Tue, 2021-04-27 at 10:18 +0200, Stefan Metzmacher via cifs-protocol > wrote: >> >> >> I uploaded the captures here: >> https://www.samba.org/~metze/presentations/2020/SambaXP/captures/fast/ >> I guess

Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST

2021-04-27 Thread Stefan Metzmacher via cifs-protocol
Am 27.04.21 um 08:31 schrieb Stefan Metzmacher via cifs-protocol: > Hi Andrew, > > I think I looked at this document: > https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831747(v=ws.11) > > It talks about the "KDC suppo

Re: [cifs-protocol] GUI and AD LDAP settings required to enable FAST

2021-04-27 Thread Stefan Metzmacher via cifs-protocol
Hi Andrew, I think I looked at this document: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831747(v=ws.11) It talks about the "KDC support for claims, compound authentication, and Kerberos armoring KDC" and "Kerberos client support for

[cifs-protocol] MS-NRPC FullSecureChannelProtection

2020-08-21 Thread Stefan Metzmacher via cifs-protocol
Hi DocHelp, can you please make sure the exact behavior of HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection = 1 is fully documented in MS-NRPC? This is the change introduced by CVE-2020-1472. Thanks! metze

Re: [cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?

2020-08-06 Thread Stefan Metzmacher via cifs-protocol
Am 06.08.20 um 10:53 schrieb Stefan Metzmacher: > Am 04.08.20 um 21:27 schrieb Stefan Metzmacher: >> Am 04.08.20 um 12:37 schrieb Stefan Metzmacher via cifs-protocol: >>> Hi Bryan, >>> >>>> Thank you for the question. We created SR 120080321001822

Re: [cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?

2020-08-06 Thread Stefan Metzmacher via cifs-protocol
Am 04.08.20 um 21:27 schrieb Stefan Metzmacher: > Am 04.08.20 um 12:37 schrieb Stefan Metzmacher via cifs-protocol: >> Hi Bryan, >> >>> Thank you for the question. We created SR 120080321001822 To track this >>> issue. An engineer will contact you soon

Re: [cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?

2020-08-04 Thread Stefan Metzmacher via cifs-protocol
Am 04.08.20 um 12:37 schrieb Stefan Metzmacher via cifs-protocol: > Hi Bryan, > >> Thank you for the question. We created SR 120080321001822 To track this >> issue. An engineer will contact you soon. > > Thanks! Note the lifetime of the krb5 service tickets seems to b

Re: [cifs-protocol] [REG:120080321001822] LDAP connections have hard timelimit of one hour?

2020-08-04 Thread Stefan Metzmacher via cifs-protocol
Hi Bryan, > Thank you for the question. We created SR 120080321001822 To track this > issue. An engineer will contact you soon. Thanks! Note the lifetime of the krb5 service tickets seems to be 1 hour, maybe that's related. For SMB2 connections there's also a relationship to the lifetime of

[cifs-protocol] LDAP connections have hard timelimit of one hour?

2020-08-03 Thread Stefan Metzmacher via cifs-protocol
Hi DocHelp, I just debugged a problem where a Windows AD DC sent the following message after exactly 1 hour: LDAPMessage extendedResp(0) (The server has timed out this connection) messageID: 0 protocolOp: extendedResp (24) extendedResp resultCode: unavailable (52)

[cifs-protocol] Implement password hash synchronization with Azure AD Connect sync

2019-11-06 Thread Stefan Metzmacher via cifs-protocol
Hi DocHelp, we have customers trying to use Azure AD connect to sync their Samba DC with Azure. It works in general, but they report that changed passwords in Samba are not replicated (at least not in a timely manner). Doing a manual replication works. The following page talks about "password

[cifs-protocol] SMB3 LockSequence

2019-10-02 Thread Stefan Metzmacher via cifs-protocol
Hi Edgar, we discussed the topic in Redmond... Even Windows Server 2019 only implements lock sequence checking for resilient and persistent handles as a server. While its client side uses lock sequence checking if it negotiated multichannel with the server. [MS-SMB2] 3.3.5.14 Receiving an

Re: [cifs-protocol] Cannot uncompress SMB3 LZ77 payload

2019-07-05 Thread Stefan Metzmacher via cifs-protocol
Hi Aurélien, > I have not done thorough testing but it seems to be working ok so > far. I've added support for it in wireshark [1]. > >> Can you extend this thread to doch...@microsoft.com >> (and still cc: cifs-protocol@lists.samba.org) > > Sure. I will start a new thread with the new info. >

Re: [cifs-protocol] 119040819792359 [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection

2019-04-09 Thread Stefan Metzmacher via cifs-protocol
Hi Obaid, > I'll help you with this issue and will be in touch as soon as I have an > answer. Thanks! Please note that the request from Andreas, 119040819792364 is just the same, I just posted additional information... metze

Re: [cifs-protocol] [MS-SAMR] SamrSetInformationUser2 over an authenticated DCERPC connection

2019-04-08 Thread Stefan Metzmacher via cifs-protocol
Hi, > I got the two scenarios authenticated DCERPC connection over SMB (named pipe) > and TCP/IP working with krb5, spnego or ntlmssp authentication type and an > authentication level set to PRIVACY (seal) if I use the fixed string > "SystemLibraryDTC" as the session key! > > Could you please

[cifs-protocol] [MS-NRPC] interaction with SYSVOLReady =0

2017-09-08 Thread Stefan Metzmacher via cifs-protocol
Hi DocHelp, I had the situation where a Windows 2012 DC returns NT_STATUS_ACCESS_DENIED for all NetrLogonSamLogonEx requests. I finally managed to find that the DC didn't provide SYSVOL and NETLOGON shares, this led to checking the SYSVOLReady key and it was 0. (Under

[cifs-protocol] Primary:NTLM-Strong-NTOWF

2017-02-13 Thread Stefan Metzmacher via cifs-protocol
Hi DocHelp, I just found the existence of Primary:NTLM-Strong-NTOWF in [MS-SAMR]. While there's documentation of what the content looks like, there's no information on when a DC should add this to supplementalCredentials and where its value is later used. What highlevel feature in Windows Server 2016 is

Re: [cifs-protocol] [REG:116052814221908] Validated-Writes of servicePrincipalNames

2017-01-13 Thread Stefan Metzmacher via cifs-protocol
Hi Sreekanth, sorry for the long delay. The difference I see is that you're doing this as administrator. I'm talking about validated-writes done by an account on its own computer object. And that's what [MS-ADTS] 3.1.1.5.3.1.1.4 servicePrincipalName about, also see the parent section