[cifs-protocol] RE: Other types of Kerberos messages on SamLogon Generic

Hongwei Sun hongweis at microsoft.com
Mon Sep 8 19:44:02 GMT 2008 

Andrew,



  We ran Smbtortue RPC-PAC  testing on windows 2008 DC and got the following output.



[root at fed8 source]# bin/smbtorture -k yes //VM-W2K8.nick.com/public RPC-PAC Using seed 1220896649 Running PAC Password for [NICKDOM\root]:

Domain join failed - Connection to SAMR pipe of DC VM-W2K8.nick.com failed: Connection to DC VM-W2K8.nick.com failed: NT_STATUS_UNSUCCESSFUL Setup failed: torture/rpc/rpc.c:144: Failed to join as BDC PAC took 11.264 sec



   Is this what you observed ?  Is there any documentation describing what this test is doing ?



Thanks !



Hongwei



-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Sunday, September 07, 2008 7:07 PM
To: Hongwei Sun
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: RE: Other types of Kerberos messages on SamLogon Generic



On Sun, 2008-09-07 at 17:01 -0700, Hongwei Sun wrote:

> Andrew,

>

>    I went through the logic of the generic pass through function in

> Kerberos package for both Windows server 2003 and 2008.  I found that

> it only processes KerbVerifyPacMessage (0x03).  For any other message

> types, STATUS_ACCESS_DENIED should be returned.

>

>    Could you give me more information about your testing ?  Which

> version of Windows server did you use ?   Did you just use a

> KERB_VERIFY_PAC_REQUEST structure as LogonInformation passed to

> NetrLogonSamLogon() and set MessageType from 0x00 to 0xFF ?   If you

> can send us a network trace to show that NT_STATUS_OK is returned for

> any message type other than 0x03, it would be really helpful.



Feel free to run smbtorture's RPC-PAC against your server (ensure you turn on kerberos with the '-k yes' switch to get kerberos failures early).  I was testing against a Windows 2003 DC.



A trace would not be much use, as this is encrypted (which was my first mistake :-)



Andrew Bartlett



--

Andrew Bartlett

http://samba.org/~abartlet/

Authentication Developer, Samba Team           http://samba.org

Samba Developer, Red Hat Inc.
-------------- next part --------------
HTML attachment scrubbed and removed

More information about the cifs-protocol mailing list