Strange secblob returned from Windows 2008 server
ronnie sahlberg
ronniesahlberg at gmail.com
Wed Apr 16 19:53:07 GMT 2008
http://www.alvestrand.no/objectid/1.3.6.1.4.1.311.2.html
is part of the tree for Microsoft authenticode objects.
.2.30 is however not known by alvestrand nor by
http://www.oid-info.com/get/1.3.6.1.4.1.311.2
:-(
On Thu, Apr 17, 2008 at 4:40 AM, Dan Sledz <dan.sledz at isilon.com> wrote:
> We had a report of a winbindd (v3.0.24 + Todd Stecher's 2k8 patches)
> core on a customer's Windows 2008 forest. On investigation, it appears
> that the negTokenInit returned via Negotiate Protocol Response is
> strangely formed. In particular, it has a new OID that I've never seen
> before (1.3.6.1.4.1.311.2.2.30) as well as a zero length mechToken
> instead of it being omitted per spec. All I have right now is the blob
> itself since I've been unable to get a pcap of it occurring.
>
> Has anyone seen anything like this before?
>
> secblob:
> 0x60 0x7a <-- GSSAPI
> 0x06 0x06 <-- SPNEGO OID
> 0x2b 0x06 0x01 0x05 0x05 0x02
> 0xa0 0x70 <-- NegTokenInit
> 0x30 0x6e
> 0xa0 0x3 <-- mechTypes
> 0x30 0x3a
> 0x06 0x0a <-- 1.3.6.1.4.1.311.2.2.30 Unknown OID
> 0x2b 0x06 0x01 0x04 0x01 0x82 0x37 0x02
> 0x02 0x1e
> 0x06 0x09 <-- KRB5
> 0x2a 0x86 0x48 0x82 0xf7 0x12 0x01 0x02
> 0x02
> 0x06 0x09 <-- MS KRB5
> 0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02
> 0x02
> 0x06 0x0a <-- MS KRB5 U2U
> 0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02
> 0x02 0x03
> 0x06 0x0a <-- NTLMSSP
> 0x2b 0x06 0x01 0x04 0x01 0x82 0x37 0x02
> 0x02 0x0a
> 0xa2 0x02 <-- mechToken
> 0x04 0x00
> 0xa3 0x2a <-- negHints
> 0x30 0x28
> 0xa0 0x26 <-- nameHints
> 0x1b 0x24
> "not_defined_in_RFC4178@please_ignore"
> 0x6e 0x6f 0x74 0x5f 0x64 0x65 0x66 0x69
> 0x6e 0x65 0x64 0x5f 0x69 0x6e 0x5f 0x52
> 0x46 0x43 0x34 0x31 0x37 0x38 0x40 0x70
> 0x6c 0x65 0x61 0x73 0x65 0x5f 0x69 0x67
> 0x6e 0x6f 0x72 0x65
>
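As an added illustration (not part of the original thread and not Samba's code), here is a bounds-checked C sketch that decodes the mechType OID bytes from the dump above and reports a zero-length mechToken as present but empty rather than malformed. The names `read_tlv`, `oid_to_str` and `mech_token_len` are hypothetical, and only short-form DER lengths are accepted, an assumption that holds for every element in this blob.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct tlv { unsigned char tag; const unsigned char *val; size_t len; };

/* Hypothetical helper: read one DER TLV from buf[0..n). Returns bytes consumed,
 * or 0 if the element is truncated. A zero-length value is valid. */
size_t read_tlv(const unsigned char *buf, size_t n, struct tlv *out)
{
    if (n < 2 || (buf[1] & 0x80)) return 0;    /* short-form lengths only */
    if ((size_t)buf[1] > n - 2) return 0;      /* value must fit in the buffer */
    out->tag = buf[0]; out->val = buf + 2; out->len = buf[1];
    return 2 + out->len;
}

/* Decode OID contents to dotted text. Returns 0, or -1 on malformed input. */
int oid_to_str(const unsigned char *v, size_t len, char *dst, size_t dlen)
{
    unsigned long arc = 0;
    size_t i, used;
    int w;
    if (len == 0 || (v[0] & 0x80) || (v[len - 1] & 0x80)) return -1;
    w = snprintf(dst, dlen, "%d.%d", v[0] < 80 ? v[0] / 40 : 2,
                 v[0] < 80 ? v[0] % 40 : v[0] - 80);
    if (w < 0 || (size_t)w >= dlen) return -1;
    used = (size_t)w;
    for (i = 1; i < len; i++) {
        if (arc > (ULONG_MAX >> 7)) return -1;     /* arc would overflow */
        arc = (arc << 7) | (v[i] & 0x7f);
        if (v[i] & 0x80) continue;                 /* more bytes in this arc */
        w = snprintf(dst + used, dlen - used, ".%lu", arc);
        if (w < 0 || (size_t)w >= dlen - used) return -1;
        used += (size_t)w;
        arc = 0;
    }
    return 0;
}

/* Length of the OCTET STRING inside a [2] mechToken, or -1 if malformed.
 * 0 means "present but empty", the case reported in the dump above. */
long mech_token_len(const unsigned char *buf, size_t n)
{
    struct tlv outer, inner;
    if (!read_tlv(buf, n, &outer) || outer.tag != 0xa2) return -1;
    if (!read_tlv(outer.val, outer.len, &inner) || inner.tag != 0x04) return -1;
    return (long)inner.len;
}
```

A caller walking mechTypes can skip any OID it does not recognise once `oid_to_str` succeeds, and should treat a `mech_token_len` result of 0 the same as an omitted token.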