[cifs-protocol] RE: Regarding [MS-KILE] 3.4.5.1 Three-Leg DCE-Style Mutual Authentication

Andrew Bartlett abartlet at samba.org
Sat Aug 9 02:02:34 GMT 2008


On Fri, 2008-08-08 at 11:07 -0700, John Dunning wrote:
> Hello Andrew,
>    I've received feedback from the Product team and they are requesting additional clarification. To start with I would like to insure we understand the issue.
> 
> We understand the problem to be the following, please let me know if this is not correct.
> 
> The behavior SAMBA is seeing is Client authenticates to Server using KILE and the following occurs:
> 1. Client sends RFC std AP_REQ to server
> 2. Server sends RFC std AP_REP to client
>    in this message the sequence number is n
> 3. Client sends AP_Rep to server
>    in this message the sequence number is n in XP and n+1 in Vista only when AES is used

Metze:

You seemed to finally get this all working, was the sequence number a
red herring, or did we still need a special case there?

> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Please clarify what GSSAPI you are using. From the Product team's
> investigation they don't see a difference in behavior with AES. They
> are also requesting possible repro steps and Kerberos logs.

We use a patched version of Heimdal.  Having Vista join Samba4 is the
base case we were working on, but metze will be able to clarify the
current status. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080809/523bb219/attachment.bin


More information about the cifs-protocol mailing list