[cifs-protocol] RE: 600169 - RE: DCE/RPC PFC_SUPPORT_HEADER_SIGN not optional

Richard Guthrie rguthrie at microsoft.com
Wed Jul 30 15:45:17 GMT 2008


Andrew,
We have completed our review of your request to update the documentation and would like to point out the following text from MS-RPCE section 3.3.1.5.2.2.

Using this mechanism, the client and server agree if header signing should be done for this connection. Once agreed, the client and server apply protection to request and response PDUs in the same way.

Based on this verbiage as well as the trace you sent previously (Packet 537), the documentation is correct that this flag is used to negotiate whether header signing or integrity checking will be used in conjunction with the set authentication level.  The client will set this bit to 1 on the initial BIND and the server will then set it to 1 or 0 to negotiate whether header signing will be utilized on all subsequent request/response in the conversation according to the guidelines for authentication level in section 3.3.1.5.2.2.  Please let us know if you have any further questions on this issue.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM 7100 N Hwy 161, Irving, TX - 75039 "Las Colinas - LC2"
Tel: +1 469 775 7794
E-mail: rguthrie at microsoft.com


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Friday, July 25, 2008 6:30 PM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: 600169 - RE: DCE/RPC PFC_SUPPORT_HEADER_SIGN not optional

On Fri, 2008-07-25 at 11:43 -0700, Richard Guthrie wrote:
> Andrew,
>
> I will be working to resolve your issue.  Would it be possible to have you capture and send us a network trace that captures the behavior you are seeing?

Attached is a capture of Windows Vista SP1 attempting to join Samba4.
Note packets 532 and 534.  (see the 'cancel pending' packet flag on the bind and bind response - this is also PFC_SUPPORT_HEADER_SIGN).  It appears that Vista insists on signing the DCE/RPC header regardless (but this is by no means proved, as we are yet to finish the large rework of Heimdal's gssapi layer to support this method for krb5).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
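
The negotiation discussed in this thread, as an added example that is not part of either message and is not Samba or Microsoft code: it decodes the 16-byte DCE/RPC common header, names flag bit 0x04 by PDU type (the reason a dissector can label it 'cancel pending' on a bind), and reports whether a bind/bind_ack pair agreed on header signing. The function names are hypothetical and the sample headers are constructed, not taken from the attached capture.

```python
import struct

# Constants from the connection-oriented DCE/RPC common header (C706, MS-RPCE).
PTYPE_BIND, PTYPE_BIND_ACK = 11, 12
PTYPE_ALTER_CONTEXT, PTYPE_ALTER_CONTEXT_RESP = 14, 15
PFC_SUPPORT_HEADER_SIGN = 0x04  # shares its bit with PFC_PENDING_CANCEL
NEGOTIATION_PTYPES = {PTYPE_BIND, PTYPE_BIND_ACK,
                      PTYPE_ALTER_CONTEXT, PTYPE_ALTER_CONTEXT_RESP}

def parse_common_header(pdu: bytes) -> dict:
    """Decode the fixed 16-byte header that starts every CO PDU."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("4B", pdu, 0)
    if rpc_vers != 5:
        raise ValueError("not a connection-oriented DCE/RPC PDU")
    # packed_drep[0], high nibble: 1 = little-endian integers, 0 = big-endian.
    endian = "<" if pdu[4] & 0xF0 == 0x10 else ">"
    frag_length, auth_length, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    return {"ptype": ptype, "pfc_flags": pfc_flags, "frag_length": frag_length,
            "auth_length": auth_length, "call_id": call_id}

def bit_0x04_name(ptype: int) -> str:
    """Name of flag bit 0x04 for this PDU type."""
    return ("PFC_SUPPORT_HEADER_SIGN" if ptype in NEGOTIATION_PTYPES
            else "PFC_PENDING_CANCEL")

def header_signing_negotiated(bind: bytes, bind_ack: bytes) -> bool:
    """True only if the client offered the bit and the server echoed it."""
    req, resp = parse_common_header(bind), parse_common_header(bind_ack)
    if req["ptype"] != PTYPE_BIND or resp["ptype"] != PTYPE_BIND_ACK:
        raise ValueError("expected a bind followed by a bind_ack")
    if req["call_id"] != resp["call_id"]:
        raise ValueError("bind_ack does not answer this bind")
    return bool(req["pfc_flags"] & resp["pfc_flags"] & PFC_SUPPORT_HEADER_SIGN)

def build_header(ptype: int, pfc_flags: int, call_id: int = 1) -> bytes:
    """Constructed sample header (little-endian, no body); not from the trace."""
    return struct.pack("<4B4sHHI", 5, 0, ptype, pfc_flags,
                       b"\x10\x00\x00\x00", 16, 0, call_id)

if __name__ == "__main__":
    bind = build_header(PTYPE_BIND, 0x07)  # FIRST_FRAG | LAST_FRAG | bit 0x04
    print(header_signing_negotiated(bind, build_header(PTYPE_BIND_ACK, 0x07)))
    print(header_signing_negotiated(bind, build_header(PTYPE_BIND_ACK, 0x03)))
```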


