[cifs-protocol] RE: Regarding [MS-KILE] 3.4.5.1 Three-Leg DCE-Style Mutual Authentication

[John Dunning]

Hello Andrew,
   Do you have any new status for this? Have you determined if this is still a problem for you?

Thanks
John

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, August 08, 2008 9:03 PM
To: metze at samba.org
Cc: pfif at tridgell.net; cifs-protocol at samba.org; John Dunning
Subject: RE: Regarding [MS-KILE] 3.4.5.1 Three-Leg DCE-Style Mutual Authentication

On Fri, 2008-08-08 at 11:07 -0700, John Dunning wrote:
> Hello Andrew,
>    I've received feedback from the Product team and they are requesting additional clarification. To start with I would like to insure we understand the issue.
>
> We understand the problem to be the following, please let me know if this is not correct.
>
> The behavior SAMBA is seeing is Client authenticates to Server using KILE and the following occurs:
> 1. Client sends RFC std AP_REQ to server
> 2. Server sends RFC std AP_REP to client
>    in this message the sequence number is n
> 3. Client sends AP_Rep to server
>    in this message the sequence number is n in XP and n+1 in Vista only when AES is used

Metze:

You seemed to finally get this all working, was the sequence number a
red herring, or did we still need a special case there?

> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> Please clarify what GSSAPI you are using. From the Product team's
> investigation they don't see a difference in behavior with AES. They
> are also requesting possible repro steps and Kerberos logs.

We use a patched version of Heimdal.  Having Vista join Samba4 is the
base case we were working on, but metze will be able to clarify the
current status.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com