[cifs-protocol] RE: Regarding [MS-KILE] Three-Leg DCE-Style Mutual Authentication

John Dunning johndun at microsoft.com
Fri Aug 15 15:52:34 GMT 2008

Hello Andrew,
   Do you have any new status for this? Have you determined if this is still a problem for you?


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, August 08, 2008 9:03 PM
To: metze at samba.org
Cc: pfif at tridgell.net; cifs-protocol at samba.org; John Dunning
Subject: RE: Regarding [MS-KILE] Three-Leg DCE-Style Mutual Authentication

On Fri, 2008-08-08 at 11:07 -0700, John Dunning wrote:
> Hello Andrew,
>    I've received feedback from the Product team and they are requesting additional clarification. To start with I would like to ensure we understand the issue.
> We understand the problem to be the following, please let me know if this is not correct.
> The behavior SAMBA is seeing is Client authenticates to Server using KILE and the following occurs:
> 1. Client sends RFC std AP_REQ to server
> 2. Server sends RFC std AP_REP to client
>    in this message the sequence number is n
> 3. Client sends AP_REP to server
>    in this message the sequence number is n in XP and n+1 in Vista only when AES is used


You seemed to finally get this all working, was the sequence number a
red herring, or did we still need a special case there?

> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Please clarify what GSSAPI you are using. From the Product team's
> investigation they don't see a difference in behavior with AES. They
> are also requesting possible repro steps and Kerberos logs.

We use a patched version of Heimdal.  Having Vista join Samba4 is the
base case we were working on, but metze will be able to clarify the
current status.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
