[cifs-protocol] RE: 600169 - RE: DCE/RPC PFC_SUPPORT_HEADER_SIGN not optional

Richard Guthrie rguthrie at microsoft.com
Wed Sep 3 22:55:25 GMT 2008


The traces you sent seem to show a correct security context negotiation, but something is failing when we go to use that context, which is why we see RPC_NT_SEC_PKG_ERROR. I would like to start with getting some more detailed error info from the Windows machine by doing the following:

Enabling Extended Error Information. You can do this by following the steps in this MSDN article http://msdn.microsoft.com/en-us/library/aa373803(VS.85).aspx and taking a network capture again. This is going to add some additional information in the response that will lead us to a more precise error message. If you can send me that trace with the associated keytab file, I can get further into what the problem is.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com

-----Original Message-----
From: Stefan (metze) Metzmacher [mailto:metze at samba.org]
Sent: Friday, August 15, 2008 1:36 AM
To: Andrew Bartlett
Cc: Richard Guthrie; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] RE: 600169 - RE: DCE/RPC PFC_SUPPORT_HEADER_SIGN not optional


I managed to implement working code that does header signing, with des, arcfour and aes keys. See my feature branch at

However, it only works with Windows 2008 and auth type 16 (Kerberos), and it doesn't work with auth type 9 (Kerberos via SPNEGO).
(Windows 2003 shows the same behavior)

See the attached captures.

