[cifs-protocol] RE: Other types of Kerberos messages on SamLogon
hongweis at microsoft.com
Mon Sep 8 19:44:02 GMT 2008
We ran Smbtortue RPC-PAC testing on windows 2008 DC and got the following output.
[root at fed8 source]# bin/smbtorture -k yes //VM-W2K8.nick.com/public RPC-PAC Using seed 1220896649 Running PAC Password for [NICKDOM\root]:
Domain join failed - Connection to SAMR pipe of DC VM-W2K8.nick.com failed: Connection to DC VM-W2K8.nick.com failed: NT_STATUS_UNSUCCESSFUL Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC PAC took 11.264 sec
Is this what you observed ? Is there any documentation describing what this test is doing ?
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, September 07, 2008 7:07 PM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Other types of Kerberos messages on SamLogon Generic
On Sun, 2008-09-07 at 17:01 -0700, Hongwei Sun wrote:
> I went through the logic of the generic pass through function in
> Kerberos package for both Windows server 2003 and 2008. I found that
> it only processes KerbVerifyPacMessage (0x03). For any other message
> types, STATUS_ACCESS_DENIED should be returned.
> Could you give me more information about your testing ? Which
> version of Windows server did you use ? Did you just use a
> KERB_VERIFY_PAC_REQUEST structure as LogonInformation passed to
> NetrLogonSamLogon() and set MessageType from 0x00 to 0xFF ? If you
> can send us a network trace to show that NT_STATUS_OK is returned for
> any message type other than 0x03, it would be really helpful.
Feel free to run smbtorture's RPC-PAC against your server (ensure you turn on kerberos with the '-k yes' switch to get kerberos failures early). I was testing against a Windows 2003 DC.
A trace would not be much use, as this is encrypted (which was my first mistake :-)
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the cifs-protocol