[cifs-protocol] RE: 600169 - RE: DCE/RPC PFC_SUPPORT_HEADER_SIGN not optional

Andrew Bartlett abartlet at samba.org
Wed Jul 30 22:25:51 GMT 2008

On Wed, 2008-07-30 at 08:45 -0700, Richard Guthrie wrote:
> Andrew,
> We have completed our review of your request to update the
> documentation and would like to point out the following text from
> MS-RPCE section
> Using this mechanism, the client and server agree if header signing
> should be done for this connection. Once agreed, the client and server
> apply protection to request and response PDUs in the same way.
> Based on this verbiage as well as the trace you sent previously
> (Packet 537) the documentation is correct that this is flag is used to
> negotiate whether header signing or integrity checking will be used in
> conjunction with the set authentication level.  The client will set
> this bit to 1 on the initial BIND and the server will then set it to 1
> or 0 to negotiate whether header signing will be utilized on all
> subsequent request/response in the conversation according to the
> guidelines for authentication level in section  Please
> let us know if you have any further questions on this issue.

No, this does not resolve the request.  I agree that this is what
reading the docs would tell you, but please consider this more deeply,
and make enquires with the actual code (not the spec...) - please read
Metze's and my additional observations and inquire into the code.  

We know that AEAD (Authenticated Encryption with Additional Data, aka
header signing) which is what this feature is meant to negotiate is
still used, because we have had to implement it for NTLM2, without
setting either of these flags.  

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080731/aab97053/attachment.bin

More information about the cifs-protocol mailing list