-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Jeremy Allison schrieb:
> which is incorrect. Now that's easy to fix, but
> the problem is when the client is in unix extensions
> posix pathname mode and accesses a DFS share which
> needs to reply with a redirect of :
>
> "\server\share\home/userlus
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
> I thought of this, h. I originally thought
> this would be difficult to tell from an ordinary
> pathname, but you always get the DFS flag bit
> set on that name
>
> This would work for the incoming pathname, but
> outgoing redirect paths sti
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Jeremy Allison schrieb:
> On Sun, Mar 11, 2007 at 12:14:48AM +0100, Stefan (metze) Metzmacher wrote:
>> can't we out that logic into the client, so when the client
>> get the redirect from a server with unix extentions then
>>
[EMAIL PROTECTED] schrieb:
> Hi Sebastian,
>
> I got an updated MS-SMB2 spec from Thomas today at the plugfest, and
> it gave the corrected SMB2 signing algorithm. I tried it this evening
> and it works fine against w2008. So you can consider this one closed
> (apart from ensuring the public MS-SM
Hi,
I have some questions regarding the behavior or EXOP_REPL_OBJ
in IDL_DRSGetNCChanges(), using this against windows 2003
just cause the server to return an empty object list.
Is that extended operation new in windows 2008? If so please
make that a bit more clear and document the expected behav
Hi,
I was testing the behavior of the pPartialAttrSet and pPartialAttrSetEx
members of DRS_MSG_GETCHGREQ_V8.
Please document what the difference between two is!
Is it necessary to pass the PrefixTableDest, when passing
pPartialAttrSet and/or pPartialAttrSet? What happens when the
PrefixTableDest
Andrew Bartlett schrieb:
> On Fri, 2008-07-25 at 11:43 -0700, Richard Guthrie wrote:
>> Andrew,
>>
>> I will be working to resolve your issue. Would it be possible to have you
>> capture and send us a network trace that captures the behavior you are
>> seeing?
Some comments about stuff I found
Stefan (metze) Metzmacher schrieb:
> Andrew Bartlett schrieb:
>> On Fri, 2008-07-25 at 11:43 -0700, Richard Guthrie wrote:
>>> Andrew,
>>>
>>> I will be working to resolve your issue. Would it be possible to have you
>>> capture and send us a net
Andrew Bartlett schrieb:
> I am requesting correction assistance regarding trusted domain objects:
>
> What is the relationship between the trusted domain object under
> cn=users,... and that under cn=system,...?
>
> The documentation in MS-ADTS 7.1.6 does not seen to cover the 'user'
> type obje
Hongwei,
>The encryption function in Kerberos is described in details in 5.3
> [RFC3961] (http://www.ietf.org/rfc/rfc3961.txt), which is referenced by
> [MS-KILE].
> I can summarize as follows
>
> * "conf" is actually a random confounder prefix of length c ,such as
> 16.
>
Hongwei Sun schrieb:
> Andrew,
>
>
>
>The encryption function in Kerberos is described in details in 5.3
> [RFC3961] (http://www.ietf.org/rfc/rfc3961.txt), which is referenced by
> [MS-KILE].
>
>
>
> I can summarize as follows
>
>
>
> * "conf" is actually a random confo
I just found that the session key used to decrypt the password
attributes in the DsGetNCChanges() is not truncated.
And I need to use gsskrb5_get_subkey() instead of
gsskrb5_get_initiator_subkey(), when aes keys are used.
metze
>>In our last conference call, we talked about your question
>> re
Andrew Bartlett schrieb:
> The documentation in MS-KILE 3.4.5.1 on DCE_STYLE is very terse, and
> fails to clarify a few points, one of which is preventing
> interoperability with Windows Vista.
>
> The client MUST generate an additional AP reply message exactly as the
> server would ([RFC4120]
e're Hiring
> http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
>
>
> -Original Message-
> From: Stefan (metze) Metzmacher [mailto:[EMAIL PROTECTED]
> Sent: Thursda
Hongwei,
>For your SMB signing problem shown in the network traces attached, what
> is your configuration ? Are you using Vista client connecting to Samba
> server and KDC ?You also mentioned windows servers. How are they used in
> your configuration ? I just want to make sure we
Hongwei Sun schrieb:
> Metze/Andrew,
>
> The subkey in the EncAPRepPart of the AP-REP should be used as the session
> key when the mutual authentication is enabled(as described in RFC 4121).
> When DES and RC4 are used in Kerberos, the implementation is based on RFC1964
> (instead of RFC41
Andrew Bartlett schrieb:
> On Fri, 2008-09-05 at 22:25 +0200, Stefan (metze) Metzmacher wrote:
>> Hongwei Sun schrieb:
>>> Metze/Andrew,
>>>
>>> The subkey in the EncAPRepPart of the AP-REP should be used as the
>>> session key when the mutual
Andrew Bartlett schrieb:
> How do I determine what LDAP values a Microsoft client tool is expecting?
>
> For example, with the attached patch against current GIT, I cannot make
> windows 2008 join Samba4 as a 2-way, forest level trusted domain. It
> seems something is wrong with what we return t
Richard Guthrie schrieb:
> Andrew,
>
> If you have a windows 2008 server acting as a member server in a downlevel
> domain (for this discussion we will assume 2003 functional level), this
> attribute will only exist if you extend the schema to a level that is
> compatible with 2008 functional l
Hongwei Sun schrieb:
> Andrew,
>
>
>
> We ran Smbtortue RPC-PAC testing on windows 2008 DC and got the following
> output.
>
>
>
> [EMAIL PROTECTED] source]# bin/smbtorture -k yes //VM-W2K8.nick.com/public
> RPC-PAC Using seed 1220896649 Running PAC Password for [NICKDOM\root]:
>
> Doma
Hi Darryl,
> As we discussed, you recommended that Stefan review the RPC issue below
> identified during initial test results from a few test scenarios.As noted
> by the test suite developer below, this required the test suite to bind w/o
> the UUID.
could you please send me that network c
fy its signature after when the
correct session key is avaliable.
metze
>
>
> -Original Message-
> From: Stefan (metze) Metzmacher [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 05, 2008 3:25 PM
> To: Hongwei Sun
> Cc: Andrew Bartlett; [EMAIL PROTECTED]; [EMA
No, I still believe that all 32 bytes of the session key are needed.
metze
> Thanks !
>
> Hongwei
>
> -Original Message-----
> From: Stefan (metze) Metzmacher [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 17, 2008 10:57 AM
> To: Hongwei Sun
> Cc: Andrew Bartle
Hi Richard,
> Thanks for working with us in the lab on this to find the root cause.
Thanks for the great time in the lab!
> The root cause was determined to be a bug in the Samba test code related to
> header signing when SpNegotiate was used. Please let us know if there are
> any further que
Hi Hongwei,
> We finished adding an example for GSS_WrapEx with
> AES128-CTS-HMAC-SHA1-96 in [MS-KILE]. The attached PDF document is the
> newly added section(4.3) of the [MS-KILE] document.
>
> We really appreciate your suggestion. Please let us know if you have
> further questions regardin
Hi Tom,
the cifs-protocol mailing list is for technical discussions about
protocol details, please use [EMAIL PROTECTED] for samba related
user questions.
metze
> I would like to use Samba to share the /home directory from one machine
> to another. So, I need the following to work:
>
> 1. In
microsoft.com
> Tel: 469-7757027 x 57027
> ---
>
>
>
>
>
> -Original Message-
> From: Hongwei Sun
> Sent: Tuesday, December 30, 2008 10:26 AM
> To: 'Stefan (metze) Metzmacher'
> Cc: Andrew Bartlett; p...@tridgell.net; cifs-proto...@samba.org
>
e
> -Original Message-
> From: cifs-protocol-bounces+neilm=thetestplace.co...@cifs.org
> [mailto:cifs-protocol-bounces+neilm=thetestplace.co...@cifs.org] On Behalf
> Of Stefan (metze) Metzmacher
> Sent: Wednesday, July 08, 2009 9:22 AM
> To: Edgar Olougouna
> Cc:
> subscribing to the "e-Newsletter - Microsoft Open Protocols" at
> http://www.microsoft.com/protocols/e-newsletter/.
Thanks, I understand how it's supposed to work now.
metze
> Best regards,
> Edgar A. Olougouna
> Sr. SEE, Microsoft DSC Protocol Team
>
>
Hi,
I got a draft for preview of the MS-RAIW document last december.
I'm wondering when this will appear in the WSPP docs.
metze
signature.asc
Description: OpenPGP digital signature
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists
me, that's not documented in detail.
But it's good to have the [MS-RAIW] public is much better than nothing.
metze
> -Original Message-
> From: Sebastian Canevari
> Sent: Thursday, July 30, 2009 4:23 PM
> To: Stefan (metze) Metzmacher; Interoperability Documentatio
Hi,
I'm currently trying to implement the AES based Netlogon Secure Channel
in Samba.
But the documentation is not really clear about the used algorithms.
I have started with the implementation here:
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-schannel
And her
Thanks, as it seems I compute the session key correct, this is the place
(netlogon_creds_step_crypt()) where I have a bug, because I'm getting
access denied when I try DCERPC_SCHANNEL_AES against a w2k8r2rc server.
metze
>
> -Original Message-
>
> From: Stefan (metze) Me
Stefan (metze) Metzmacher schrieb:
> Hongwei,
>
>> The SharedSecret used for AES session key computation, as described in
>> 3.1.4.3 MS-NRPC , should be the NTOWF (MD4(UNICODE(Passwd))) of the
>> plaintext password. The section 3.1.1 of MS-NRPC explains what a
>
problem in the document. Meanwhile, I
> will work on the AES encryption details for Schannel.
Thanks!
metze
> -Original Message-
> From: Stefan (metze) Metzmacher [mailto:me...@samba.org]
> Sent: Friday, August 28, 2009 12:00 PM
> To: Hongwei Sun
> Cc: p...@tridgell.
gt; Thanks!
>
> Hongwei
>
> -Original Message-
> From: Stefan (metze) Metzmacher [mailto:me...@samba.org]
> Sent: Wednesday, August 26, 2009 12:15 AM
> To: Hongwei Sun
> Cc: p...@tridgell.net; cifs-proto...@samba.org
> Subject: Re: MS-NRPC: AES Schannel
Hi,
>> We confirmed that AesCrypt follows the normative reference of [FIPS197]
>> (http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf). As far
>> as the statement about AES128 encryption CFB mode, we also confirmed that
>> we do use 0 as Initialize Vector(IV), so in this case
Hi Hongwei,
>I think that Nick already informed you that AES 128 with 8 bit CFB mode
> has to be used. I filed a request to add the information into 3.1.4.4 of
> MS-NRPC. I also noticed that in mxnrpc.c you attached , you used
> AES_cfb128_encrypt() (128 bit CFB mode) for computing serve
Hongwei,
>We just found that there is a problem with the logic in step 9 of
> 3.3.4.2.1 (Generating an Initial Netlogon Signature Token) and step 5 of
> 3.3.4.2.2 (Receiving an Initial Netlogon Signature Token). When we encrypt
> or decrypt SequenceNumber, the IV is actually the concatena
Hi,
I'm trying to solve the following problem:
COMPUTERS-DOM has an outgoing forest trust to USERS-DOM.
Samba as a member server in COMPUTERS-DOM want to get
fully expanded group memberships of user USERS-DOM\Administrator
without knowing the password of USERS-DOM\Administrator.
(The best would
Hi Edgar,
> I am looking into this and will update you on my progress.
Any updates?
metze
signature.asc
Description: OpenPGP digital signature
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protoc
rd Padding field description
> incorrect
>
>
> Regards,
> Bill Wesse
> MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> 8055 Microsoft Way
> Charlotte, NC 28273
> Email:bil...@microsoft.com
> Tel: +1(980) 776-8200
> Cell: +1(704
formation.
Microsoft Windows Server 2008 Standard
6.0.6001 Service Pack 1 Build 6001
It's the 32-Bit Version.
metze
> Best regards,
>
> Edgar
>
>
> -Original Message-
> From: Edgar Olougouna
> Sent: Monday, February 01, 2010 9:39 AM
> To: Stefan (metze)
n Windows-based WINS
> replication partners.
I'll try to produce it next week.
metze
>
>
> -Original Message-
> From: Edgar Olougouna
> Sent: Friday, February 12, 2010 12:09 PM
> To: Stefan (metze) Metzmacher
> Cc: Bill Wesse; p...@tridgell.net; cifs-proto...@
Hi,
I need some help regarding the interaction of STATUS_BUFFER_OVERFLOW and
chained SMB requests.
For SMB_COM_READ_ANDX requests on named pipes it can happen that
the server has to return STATUS_BUFFER_OVERFLOW (see MS-CIFS 3.3.5.35
Receiving an SMB_COM_READ_ANDX Request).
Are chained requests
Hi Matthieu,
> Issue verbatim
> --
>
> So page 31 of MS-BKRP.pdf state that the message format for exchange is :
>
> NET_API_STATUS BackuprKey(
> [in] handle_t h,
> [in] GUID* pguidActionAgent,
> [in, size_is(cbDataIn)] byte* pDataIn,
> [in] DWORD cbDataIn,
> [out, size_is(,*pcb
Am 23.05.2011 05:50, schrieb Andrew Bartlett:
> On Mon, 2010-06-21 at 22:54 +, Hongwei Sun wrote:
>> Andrew,
>>
>> Sorry about the delay to give you a confirmation. We have been spending
>> time to review the usage of UserParameters in other Windows components based
>> on the information y
Hi,
>According to MS-NRPC pg 111, bit 17 (indicated as bit R) of negotiable
> flag is actually referring to "supports the NetrServerPasswordSet2
> functionality".
> In the packet trace that attached earlier, I had successfully negotiated the
> session key (from pkt 519-523) with the DC
Hi,
can you please document the behavior that is triggered by the following
parameter.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Netlogon\Parameters]
"AllowNT4Crypto"=dword:0001
I can't find this in MS-NRPC.
Is there any interaction with the RequireStrongKey parameter?
Thanks!
metze
Hi,
I found that objects with "ss" and "ß" in the DN conflict with each other.
e.g.:
If I create CN=User_ß,OU=test,DC=example,DC=com on DC1
and CN=User_ss,OU=test,DC=example,DC=com on DC2,
CN=User_ss,OU=test,DC=example,DC=com gets renamed to
CN=User_ß\x0aCNF:ee47b3a2-c1c5-11e0-a500-1b2ff2ce35e2,
Hi Obaid,
> I believe by MS-DRDR you mean MS-DRSR.
Yes, sorry.
> Can you please let me know where MS-DRSR is marked as historic?
http://msdn.microsoft.com/en-us/library/ff381461.aspx
metze
signature.asc
Description: OpenPGP digital signature
___
Hi Obaid,
> Please let me know if my reply resolved your problem.
Yes, sorry for the late response.
metze
signature.asc
Description: OpenPGP digital signature
___
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/list
Hi dochelp,
I wondering if there are any size limitations based on MaxTransactSize,
MaxReadSize
and/or MaxWriteSize in SMB2 IOCTL?
I can't find anything related in the docs, but I guess there is a size
limitation
too.
metze
signature.asc
Description: OpenPGP digital signature
___
Hi,
with SMB 2.1 (and higher) it's possible to do a session
re-authentication without
getting a STATUS_NETWORK_SESSION_EXPIRED. With SMB 2.0
STATUS_REQUEST_NOT_ACCEPTED
is returned.
In what situations do clients do a (pro active) reauthentication without
getting
STATUS_NETWORK_SESSION_EXPIRED fro
Hi,
with SMB 2.1 (and higher) it's possible to do a session
re-authentication without
getting a STATUS_NETWORK_SESSION_EXPIRED. With SMB 2.0
STATUS_REQUEST_NOT_ACCEPTED
is returned.
In what situations do clients do a (pro active) reauthentication without
getting
STATUS_NETWORK_SESSION_EXPIRED fro
Hi DocHelp,
I have some questions regarding the channel sequence verification
of SMB 3.00.
- When is Open.OutstandingPreRequestCount supposed to be decremented or
reset?
- What happens on an 16-bit overflow?
From the documentation it looks like, the server would
always reject write/ioctl/set
Hi,
I just found out that windows2012 RC sends multiple compound requests
within just one encrypted SMB2_TRANSFORM message.
From reading [MS-SMB2] version 37.0 I had the impression that each
request would be encrypted on its own, similar to how signing works.
Can the other receiver side rely on
Hi Edgar,
> Regarding “when should the server decrement OutstandingPreRequestCount or
> OutstandingRequestCount”, the following logic will be reflected in a future
> release of the MS-SMB2 document. This occurs during post processing check of
> the ChannelSequence.
>
> 3.3.4.1 Sending Any Ou
Hi Edgar,
thanks for the answers, I have some more questions inline.
> What about async responses with STATUS_PENDING, are they also encrypted?
>
> [Answer]
> Yes. The exceptions that are not encrypted are SMB2 NEGOTIATE, SMB2
> SESSION_SETUP or SMB2 TREE_CONNECT as documented in 3.2.4.1.8 E
Hi Edgar,
> The case number 112091915263549 has been created to track this inquiry. I
> will assist you in resolving this issue.
>
> In the SMB2_CREATE_APP_INSTANCE_ID Create Context:
> DataOffset: 36 (0x24) should be DataOffset: 32 (0x20) and no padding is
> required. You have 4 extra bytes of
Hi DocHelp,
is it correct that the LeaseKey on a file is shared between different
user contexts?
From 3.2.4.3 Application Requests Opening a File:
[...]
If the client implements the SMB 2.1 or SMB 3.0 dialect and
Connection.SupportsFileLeasing is
TRUE, the client MUST search the GlobalFil
61 matches
Mail list logo
