[cifs-protocol] RE: Other types of Kerberos messages on SamLogon Generic

Andrew Bartlett abartlet at samba.org
Mon Sep 8 00:06:45 GMT 2008


On Sun, 2008-09-07 at 17:01 -0700, Hongwei Sun wrote:
> Andrew,
> 
>    I went through the logic of the generic pass through function in
> Kerberos package for both Windows server 2003 and 2008.  I found that
> it only processes KerbVerifyPacMessage (0x03).  For any other message
> types, STATUS_ACCESS_DENIED should be returned.
> 
>    Could you give me more information about your testing?  Which
> version of Windows server did you use?  Did you just use a
> KERB_VERIFY_PAC_REQUEST structure as LogonInformation passed to
> NetrLogonSamLogon() and set MessageType from 0x00 to 0xFF?  If you
> can send us a network trace to show that NT_STATUS_OK is returned for
> any message type other than 0x03, it would be really helpful.

Feel free to run smbtorture's RPC-PAC against your server (ensure you
turn on Kerberos with the '-k yes' switch to get Kerberos failures
early).  I was testing against a Windows 2003 DC.

A trace would not be much use, as this is encrypted (which was my first
mistake :-)

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.