Strange secblob returned from WIndows 2008 server
Dan Sledz
dan.sledz at isilon.com
Wed Apr 16 18:40:51 GMT 2008
We had a report of a winbindd (v3.0.24 + Todd Stecher's 2k8 patches)
core on a customer's Windows 2008 forest. On investigation, it appears
that the negTokenInit returned via Negotiate Protocol Response is
strangely formed. In particular, it has a new OID that I've never seen
before (1.3.6.1.4.1.311.2.2.30) as well as a zero length mechToken
instead of it being omitted per spec. All I have right now is the blob
itself since I've been unable to get a pcap of it occurring.
Has anyone seen anything like this before?
secblob:
0x60 0x7a <-- GSSAPI
0x06 0x06 <-- SPNEGO OID
0x2b 0x06 0x01 0x05 0x05 0x02
0xa0 0x70 <-- NegTokenInit
0x30 0x6e
0xa0 0x3 <-- mechTypes
0x30 0x3a
0x06 0x0a <-- 1.3.6.1.4.1.311.2.2.30 Unknown OID
0x2b 0x06 0x01 0x04 0x01 0x82 0x37 0x02
0x02 0x1e
0x06 0x09 <-- KRB5
0x2a 0x86 0x48 0x82 0xf7 0x12 0x01 0x02
0x02
0x06 0x09 <-- MS KRB5
0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02
0x02
0x06 0x0a <-- MS KRB5 U2U
0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02
0x02 0x03
0x06 0x0a <-- NTLMSSP
0x2b 0x06 0x01 0x04 0x01 0x82 0x37 0x02
0x02 0x0a
0xa2 0x02 <-- mechToken
0x04 0x00
0xa3 0x2a <-- negHints
0x30 0x28
0xa0 0x26 <-- nameHints
0x1b 0x24
"not_defined_in_RFC4178 at please_ignore"
0x6e 0x6f 0x74 0x5f 0x64 0x65 0x66 0x69
0x6e 0x65 0x64 0x5f 0x69 0x6e 0x5f 0x52
0x46 0x43 0x34 0x31 0x37 0x38 0x40 0x70
0x6c 0x65 0x61 0x73 0x65 0x5f 0x69 0x67
0x6e 0x6f 0x72 0x65
More information about the samba-technical
mailing list