[cifs-protocol] RE: Other types of Kerberos messages on SamLogon Generic

Andrew Bartlett abartlet at samba.org
Mon Sep 8 00:06:45 GMT 2008

On Sun, 2008-09-07 at 17:01 -0700, Hongwei Sun wrote:
> Andrew,
>    I went through the logic of the generic pass through function in
> Kerberos package for both Windows server 2003 and 2008.  I found that
> it only processes KerbVerifyPacMessage (0x03).  For any other message
> types, STATUS_ACCESS_DENIED should be returned.
>    Could you give me more information about your testing ?  Which
> version of Windows server did you use ?   Did you just use a
> KERB_VERIFY_PAC_REQUEST structure as LogonInformation passed to
> NetrLogonSamLogon() and set MessageType from 0x00 to 0xFF ?   If you
> can send us a network trace to show that NT_STATUS_OK is returned for
> any message type other than 0x03, it would be really helpful.

Feel free to run smbtorture's RPC-PAC against your server (ensure you
turn on kerberos with the '-k yes' switch to get kerberos failures
early).  I was testing against a Windows 2003 DC.

A trace would not be much use, as this is encrypted (which was my first
mistake :-)

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080908/9d78d957/attachment.bin

More information about the cifs-protocol mailing list