[cifs-protocol] DCE_STYLE, AES and sequence numbers

Andrew Bartlett abartlet at samba.org
Fri Jul 25 05:16:54 GMT 2008 

The documentation in MS-KILE 3.4.5.1 on DCE_STYLE is very terse, and
fails to clarify a few points, one of which is preventing
interoperability with Windows Vista.

  The client MUST generate an additional AP reply message exactly as the server would ([RFC4120]
  section 3.2.4) as the final message to send to the server. In GSS terms, the client must return
  success and a message to the server. It is up to the application to deliver the message to the
  server.

  The server MUST receive the additional AP reply message and verify that the message is
  constructed correctly ([RFC4120] section 3.2.5).

What is unclear here is how the sequence numbers, exchanged in this
message, are expected to be updated.  For example, with a WinXP clients,
and arcfour-hmac-md5 encryption, the sequence number (as maintained by
the client, and seen on the server) is unaffected by the receipt of this
extra message.  

In Heimdal's implementation here, we reset the sequence numbers after
verifying the AP_REP at line 690. 

http://git.samba.org/?p=samba.git;a=blob;f=source/heimdal/lib/gssapi/krb5/accept_sec_context.c;h=73b93ceba4c6bb472c546afd52981bcf13051173;hb=v4-0-test

However, when GSSAPI CFX is used, and therefore an AES key is negotiated
by a Windows Vista client to a Samba4 server, the client seems to
require that the remote (from the server's persective) sequence number
be increased by 1.

(ie, adding 1 to r_seq_number at like 690 allows the next gss_unwrap to
match the expected sequence number correctly, in the DRSUAPI bind
portion of a Vista SP1 domain join). 

Simiarly, you will note in line 606, that we must disable timestamp verification. 

While the client code (like 663) is comparatively sane...
http://git.samba.org/?p=samba.git;a=blob;f=source/heimdal/lib/gssapi/krb5/init_sec_context.c;h=c455a5dc8b7246c0c8e795206be5b9c3db114cb8;hb=v4-0-test

It seems that this is more than a simple role reversal, and the docs
need to be expanded to clarify this. 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080725/69ead716/attachment.bin

More information about the cifs-protocol mailing list