[cifs-protocol] RE: Request for fix to MS-PAC

Richard Guthrie rguthrie at microsoft.com
Mon Sep 22 18:38:00 GMT 2008


Ronnie,

We have completed our investigation and have updated the documentation for section 2.10 of MS-PAC which should cover issues 1-4 that you raised.  The attached document [MS-PAC 2.10] reflects these changes.  We have also added some information to MS-KILE which is the implementer of the MS-PAC structure to section 3.3.5.2.2 which I have also attached.  This should address issue 5.

Please review and let us know if you have any further issues with the documentation.

Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie at microsoft.com
We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted

-----Original Message-----
From: ronnie sahlberg [mailto:ronniesahlberg at gmail.com]
Sent: Thursday, August 28, 2008 1:28 AM
To: Richard Guthrie
Cc: pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: Request for fix to MS-PAC

Hi,

The data is encrypted so a network trace is useless unless I also
provide a Kerberos keytab file containing the secret key.
I can't do that unfortunately.

Instead I attach a decrypted packet from Wireshark:


The blob that starts with : Decrypted Krb5 (1094 bytes):
is the decrypted data in the EncTicketPart blob of the Ticket.

Towards the end of this decrypted structure we will have
             authorization-data      [10] AuthorizationData OPTIONAL
This starts at offset 0x00b1 with the tag 0xaa

The actual PAC_INFO_BUFFER type 12 starts at offset 0x0358 into this blob.
I will paste this blob below for easy reference :

0350  .. .. .. .. .. .. .. ..  30 00 10 00 14 00 40 00
0360  01 00 00 00 00 00 00 00 41 00 64 00 6d 00 69 00
0370  6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00
0380  72 00 40 00 76 00 73 00 6f 00 66 00 73 00 38 00
0390  2e 00 63 00 6f 00 6d 00 56 00 53 00 4f 00 46 00
03a0  53 00 38 00 2e 00 43 00 4f 00 4d 00



30 00 : length
10 00 : offset

14 00 : length
40 00 : offset

01 00 00 00 : this would be the flags field but it is not all zero

00 00 00 00 : padding ?

41 00 64 00 6d 00 69 00   the two strings
6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00
72 00 40 00 76 00 73 00 6f 00 66 00 73 00 38 00
2e 00 63 00 6f 00 6d 00 56 00 53 00 4f 00 46 00
53 00 38 00 2e 00 43 00 4f 00 4d 00


regards
ronnie sahlberg


No.     Time        Source                Destination           Protocol Info
     20 0.068702    10.0.0.218            10.0.1.101            SMB      Session Setup AndX Request

Frame 20 (194 bytes on wire, 194 bytes captured)
Ethernet II, Src: Xensourc_00:88:6c (00:16:3e:00:88:6c), Dst: 00:ff:0e:54:92:d7 (00:ff:0e:54:92:d7)
Internet Protocol, Src: 10.0.0.218 (10.0.0.218), Dst: 10.0.1.101 (10.0.1.101)
Transmission Control Protocol, Src Port: 49224 (49224), Dst Port: 445 (445), Seq: 1609, Ack: 182, Len: 140
[Reassembled TCP Segments (1600 bytes): #19(1460), #20(140)]
NetBIOS Session Service
SMB (Server Message Block Protocol)
    SMB Header
    Session Setup AndX Request (0x73)
        Word Count (WCT): 12
        AndXCommand: No further commands (0xff)
        Reserved: 00
        AndXOffset: 0
        Max Buffer: 16644
        Max Mpx Count: 50
        VC Number: 0
        Session Key: 0x00000000
        Security Blob Length: 1532
        Reserved: 00000000
        Capabilities: 0xa00000d4
        Byte Count (BCC): 1537
        Security Blob: 608205F806062B0601050502A08205EC308205E8A0243022...
            GSS-API Generic Security Service Application Program Interface
                OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
                SPNEGO
                    negTokenInit
                        mechTypes: 3 items
                        mechToken: 608205B606092A864886F71201020201006E8205A5308205...
                        krb5_blob: 608205B606092A864886F71201020201006E8205A5308205...
                            KRB5 OID: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)
                            krb5_tok_id: KRB5_AP_REQ (0x0001)
                            Kerberos AP-REQ
                                Pvno: 5
                                MSG Type: AP-REQ (14)
                                Padding: 0
                                APOptions: 20000000 (Mutual required)
                                Ticket
                                    Tkt-vno: 5
                                    Realm: VSOFS8.COM
                                    Server Name (Service and Instance): cifs/jens1.vsofs8.com
                                    enc-part rc4-hmac
                                        Encryption type: rc4-hmac (23)
                                        Kvno: 5
                                        enc-part: 468AD4B329BBA42CA8ECF32270D88F5FFB89B79CCC67D17F...
                                            [Decrypted using: keytab principal JENS1$@VSOFS8.COM]
                                            EncTicketPart
                                                Padding: 0
                                                Ticket Flags (Forwardable, Renewable, Pre-Auth)
                                                key rc4-hmac
                                                Client Realm: VSOFS8.COM
                                                Client Name (Principal): Administrator
                                                TransitedEncoding DOMAIN-X500-COMPRESS
                                                Authtime: 2008-08-14 03:08:50 (UTC)
                                                Start time: 2008-08-14 03:14:07 (UTC)
                                                End time: 2008-08-14 13:08:50 (UTC)
                                                Renew-till: 2008-08-21 03:08:50 (UTC)
                                                AuthorizationData AD-IF-RELEVANT
                                                    Type: AD-IF-RELEVANT (1)
                                                    Data: 308203123082030EA00402020080A1820304048203000500...
                                                        IF_RELEVANT AD-Win2k-PAC
                                                            Type: AD-Win2k-PAC (128)
                                                            Data: 050000000000000001000000F80100005800000000000000...
                                                                Num Entries: 5
                                                                Version: 0
                                                                Type: Logon Info (1)
                                                                    Size: 504
                                                                    Offset: 88
                                                                    PAC_LOGON_INFO: 01100800CCCCCCCCE8010000000000000000020090D4CD12...
                                                                Type: Client Info Type (10)
                                                                    Size: 36
                                                                    Offset: 592
                                                                    PAC_CLIENT_INFO_TYPE: 000D0713BBFDC8011A00410064006D0069006E0069007300...
                                                                Type: UPN DNS Info (12)
                                                                    Size: 88
                                                                    Offset: 632
                                                                    UPN_DNS_INFO: 30001000140040000100000000000000410064006D006900...
                                                                        UPN Len: 48
                                                                        UPN Offset: 16
                                                                        DNS Len: 20
                                                                        DNS Offset: 64
                                                                        Flags: 0x00000001
                                                                        UPN Name: Administrator@vsofs8.com
                                                                        DNS Name: VSOFS8.COM
                                                                Type: Server Checksum (6)
                                                                    Size: 20
                                                                    Offset: 720
                                                                    PAC_SERVER_CHECKSUM: 76FFFFFFCC47C321EEC28C824A4085BD00A6DF17
                                                                Type: Privsvr Checksum (7)
                                                                    Size: 20
                                                                    Offset: 744
                                                                    PAC_PRIVSVR_CHECKSUM: 76FFFFFF36E3634ADE7101225906729E20F0D7BC
                                                AuthorizationData AD-IF-RELEVANT
                                                    Type: AD-IF-RELEVANT (1)
                                                    Data: 3041303FA0040202008DA137043530333031A003020100A1...
                                                        IF_RELEVANT 0x8d
                                                            Type: Unknown (141)
                                                            Data: 30333031A003020100A12A04280000000000300000247BE4...
                                Authenticator rc4-hmac
        Native OS:
        Native LAN Manager:

Decrypted Krb5 (1094 bytes):

0000  63 82 04 2a 30 82 04 26 a0 07 03 05 00 40 a0 00   c..*0..&.....@..
0010  00 a1 1b 30 19 a0 03 02 01 17 a1 12 04 10 a1 fe   ...0............
0020  a5 c0 56 e1 ea 97 21 f2 7a a5 35 98 9a 52 a2 0c   ..V...!.z.5..R..
0030  1b 0a 56 53 4f 46 53 38 2e 43 4f 4d a3 1a 30 18   ..VSOFS8.COM..0.
0040  a0 03 02 01 01 a1 11 30 0f 1b 0d 41 64 6d 69 6e   .......0...Admin
0050  69 73 74 72 61 74 6f 72 a4 0b 30 09 a0 03 02 01   istrator..0.....
0060  01 a1 02 04 00 a5 11 18 0f 32 30 30 38 30 38 31   .........2008081
0070  34 30 33 30 38 35 30 5a a6 11 18 0f 32 30 30 38   4030850Z....2008
0080  30 38 31 34 30 33 31 34 30 37 5a a7 11 18 0f 32   0814031407Z....2
0090  30 30 38 30 38 31 34 31 33 30 38 35 30 5a a8 11   0080814130850Z..
00a0  18 0f 32 30 30 38 30 38 32 31 30 33 30 38 35 30   ..20080821030850
00b0  5a aa 82 03 79 30 82 03 75 30 82 03 23 a0 03 02   Z...y0..u0..#...
00c0  01 01 a1 82 03 1a 04 82 03 16 30 82 03 12 30 82   ..........0...0.
00d0  03 0e a0 04 02 02 00 80 a1 82 03 04 04 82 03 00   ................
00e0  05 00 00 00 00 00 00 00 01 00 00 00 f8 01 00 00   ................
00f0  58 00 00 00 00 00 00 00 0a 00 00 00 24 00 00 00   X...........$...
0100  50 02 00 00 00 00 00 00 0c 00 00 00 58 00 00 00   P...........X...
0110  78 02 00 00 00 00 00 00 06 00 00 00 14 00 00 00   x...............
0120  d0 02 00 00 00 00 00 00 07 00 00 00 14 00 00 00   ................
0130  e8 02 00 00 00 00 00 00 01 10 08 00 cc cc cc cc   ................
0140  e8 01 00 00 00 00 00 00 00 00 02 00 90 d4 cd 12   ................
0150  bb fd c8 01 ff ff ff ff ff ff ff 7f ff ff ff ff   ................
0160  ff ff ff 7f 4e fb 81 3e 8b e1 c8 01 4e bb eb 68   ....N..>....N..h
0170  54 e2 c8 01 ff ff ff ff ff ff ff 7f 1a 00 1a 00   T...............
0180  04 00 02 00 00 00 00 00 08 00 02 00 00 00 00 00   ................
0190  0c 00 02 00 00 00 00 00 10 00 02 00 00 00 00 00   ................
01a0  14 00 02 00 00 00 00 00 18 00 02 00 18 00 00 00   ................
01b0  f4 01 00 00 01 02 00 00 05 00 00 00 1c 00 02 00   ................
01c0  20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ...............
01d0  00 00 00 00 0a 00 0c 00 20 00 02 00 0c 00 0e 00   ........ .......
01e0  24 00 02 00 28 00 02 00 00 00 00 00 00 00 00 00   $...(...........
01f0  10 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0200  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0210  01 00 00 00 2c 00 02 00 00 00 00 00 00 00 00 00   ....,...........
0220  00 00 00 00 0d 00 00 00 00 00 00 00 0d 00 00 00   ................
0230  41 00 64 00 6d 00 69 00 6e 00 69 00 73 00 74 00   A.d.m.i.n.i.s.t.
0240  72 00 61 00 74 00 6f 00 72 00 00 00 00 00 00 00   r.a.t.o.r.......
0250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0280  00 00 00 00 00 00 00 00 05 00 00 00 00 02 00 00   ................
0290  07 00 00 00 01 02 00 00 07 00 00 00 08 02 00 00   ................
02a0  07 00 00 00 06 02 00 00 07 00 00 00 07 02 00 00   ................
02b0  07 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00   ................
02c0  57 00 32 00 30 00 30 00 38 00 00 00 07 00 00 00   W.2.0.0.8.......
02d0  00 00 00 00 06 00 00 00 56 00 53 00 4f 00 46 00   ........V.S.O.F.
02e0  53 00 38 00 04 00 00 00 01 04 00 00 00 00 00 05   S.8.............
02f0  15 00 00 00 1c 09 4a 8a 69 fa 57 df 21 56 c4 ac   ......J.i.W.!V..
0300  01 00 00 00 30 00 02 00 07 00 00 20 05 00 00 00   ....0...... ....
0310  01 05 00 00 00 00 00 05 15 00 00 00 1c 09 4a 8a   ..............J.
0320  69 fa 57 df 21 56 c4 ac 3c 02 00 00 00 00 00 00   i.W.!V..<.......
0330  00 0d 07 13 bb fd c8 01 1a 00 41 00 64 00 6d 00   ..........A.d.m.
0340  69 00 6e 00 69 00 73 00 74 00 72 00 61 00 74 00   i.n.i.s.t.r.a.t.
0350  6f 00 72 00 00 00 00 00 30 00 10 00 14 00 40 00   o.r.....0.....@.
0360  01 00 00 00 00 00 00 00 41 00 64 00 6d 00 69 00   ........A.d.m.i.
0370  6e 00 69 00 73 00 74 00 72 00 61 00 74 00 6f 00   n.i.s.t.r.a.t.o.
0380  72 00 40 00 76 00 73 00 6f 00 66 00 73 00 38 00   r.@.v.s.o.f.s.8.
0390  2e 00 63 00 6f 00 6d 00 56 00 53 00 4f 00 46 00   ..c.o.m.V.S.O.F.
03a0  53 00 38 00 2e 00 43 00 4f 00 4d 00 00 00 00 00   S.8...C.O.M.....
03b0  76 ff ff ff cc 47 c3 21 ee c2 8c 82 4a 40 85 bd   v....G.!....J@..
03c0  00 a6 df 17 00 00 00 00 76 ff ff ff 36 e3 63 4a   ........v...6.cJ
03d0  de 71 01 22 59 06 72 9e 20 f0 d7 bc 00 00 00 00   .q."Y.r. .......
03e0  30 4c a0 03 02 01 01 a1 45 04 43 30 41 30 3f a0   0L......E.C0A0?.
03f0  04 02 02 00 8d a1 37 04 35 30 33 30 31 a0 03 02   ......7.50301...
0400  01 00 a1 2a 04 28 00 00 00 00 00 30 00 00 24 7b   ...*.(.....0..${
0410  e4 49 e7 d1 91 2e 77 9f 2a 93 cc 03 cf ca 55 e5   .I....w.*.....U.
0420  8a 4e 4c f5 da cd 8b 6f 7a 58 78 db e4 03 89 18   .NL....ozXx.....
0430  36 f2 27 24 29 00 00 00 f8 ed aa 08 70 71 ce b5   6.'$).......pq..
0440  3c e2 d7 3e 26 86                                 <..>&.





On Thu, Aug 28, 2008 at 4:12 AM, Richard Guthrie <rguthrie at microsoft.com> wrote:
> Resending as I have not heard back from Ronnie on this.
>
> Richard Guthrie
> Open Protocols Support Team
> Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> Tel: +1 (469) 775-7794
> E-mail: rguthrie at microsoft.com
> We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
>
>
> -----Original Message-----
> From: Richard Guthrie
> Sent: Monday, August 25, 2008 9:30 AM
> To: 'ronnie sahlberg'
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: RE: Request for fix to MS-PAC
>
> Ronnie, can you send over a network trace (Wireshark or Netmon 3 format preferred) that shows the behavior you describe for items 1 and 4?  I will continue to investigate your list of questions and get back to you shortly.
>
> Richard Guthrie
> Open Protocols Support Team
> Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
> Tel: +1 (469) 775-7794
> E-mail: rguthrie at microsoft.com
> We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
>
>
> -----Original Message-----
> From: ronnie sahlberg [mailto:ronniesahlberg at gmail.com]
> Sent: Sunday, August 24, 2008 8:54 PM
> To: Richard Guthrie
> Cc: pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Re: Request for fix to MS-PAC
>
> Hi,
>
> Thanks for the reply.
>
> However,
> In my traces there is a difference compared to your description :
>
> Between DnsOffset and the start of the UPN field there are 8 bytes.
> Not 4 bytes as your description suggests.
>
> Additionally it is stated that the 4 flag bytes must be 0, which they
> are not in my trace.
>
>
>
> Please,
> 1, investigate whether there will be 4 or 8 bytes between the
> DnsOffset and the UPN field.
> 2, since this is not NDR encoded, please explain what the alignment
> rules are for the UPN and DNS fields.
> 3, Are UPN and DNS fields null terminated or not?
> 4, Please explain the flag bits.   My traces show flags with the
> values 0x01 0x00 0x00 0x00
>
> 5, Also please describe the sequence by which a client will request that a
> KDC create a ticket containing this new
> pac blob. I.e. what exactly does an initiator need to do to request that the
> KDC add this to the pac?
>
>
>
> regards
> ronnie sahlberg
>
>
>
> On Fri, Aug 22, 2008 at 8:02 AM, Richard Guthrie <rguthrie at microsoft.com> wrote:
>> Ronnie,
>>
>> Thank you for your question.  We have completed our review and agree this was missing from the documentation.  It will be corrected in a future version of the documentation but I wanted to provide you with the missing information.  The updates that will be added to the documentation are listed below.
>>
>> The ulType field will have a flag added for 0x0000000C and its meaning will be as follows:
>>
>>
>>        UPN and DNS information (section 2.10). PAC structures SHOULD contain zero or one buffer of this type. Additional UPN and DNS information buffers MUST be ignored.
>>
>>        A section will be added to section 2 Structures entitled UPN_DNS_INFO.  Here is the added text:
>>
>>        2.10        UPN_DNS_INFO
>>        The UPN_DNS_INFO structure contains the client's UPN and DNS name. It is used to provide the UPN and DNS name that corresponds to the client of the ticket. The UPN_DNS_INFO structure is placed directly after the Buffers array of the topmost PACTYPE structure, at the offset specified in the Offset field of the corresponding PAC_INFO_BUFFER structure in the Buffers array. The ulType field of the corresponding PAC_INFO_BUFFER is set to 0x0000000C.
>>
>>
>>        UpnLength (2 bytes):  An unsigned 16-bit integer in little-endian format that specifies the length, in bytes, of the UPN field.
>>
>>        UpnOffset (2 bytes):  An unsigned 16-bit integer in little-endian format that contains the offset to the beginning of the buffer, in bytes, from the beginning of the UPN_DNS_INFO structure.
>>
>>        DnsDomainNameLength (2 bytes):  An unsigned 16-bit integer in little-endian format that specifies the length, in bytes, of the DnsDomainName field.
>>
>>        DnsOffset (2 bytes):  An unsigned 16-bit integer in little-endian format that contains the offset to the beginning of the buffer, in bytes, from the beginning of the UPN_DNS_INFO structure.
>>
>>        Flags (4 bytes):  An unsigned 32-bit integer in little-endian format that MUST be 0.
>>
>> Please let us know if you have any further questions.
>>
>> Richard Guthrie
>> Open Protocols Support Team
>> Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
>> Tel: +1 (469) 775-7794
>> E-mail: rguthrie at microsoft.com
>> We're hiring http://members.microsoft.com/careers/search/details.aspx?JobID=A976CE32-B0B9-41E3-AF57-05A82B88383E&start=1&interval=10&SortCol=DatePosted
>> -----Original Message-----
>> From: ronnie sahlberg [mailto:ronniesahlberg at gmail.com]
>> Sent: Thursday, August 14, 2008 3:11 AM
>> To: Interoperability Documentation Help
>> Cc: pfif at tridgell.net; cifs-protocol at samba.org
>> Subject: Request for fix to MS-PAC
>>
>> Hi,
>>
>> I am a pfif subcontractor.
>>
>> Using a Vista workstation joined to a W2008 domain we have observed a
>> new undocumented PAC_INFO_BUFFER type : type 12.
>>
>> The MS-PAC document only documents types 1,2,6,7,10 and 11.
>>
>>
>> Please provide documentation of PAC_INFO_BUFFER type 12.
>>
>>
>> regards
>> ronnie sahlberg
>>
>>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SRX080814600310.zip
Type: application/x-zip-compressed
Size: 124016 bytes
Desc: SRX080814600310.zip
Url : http://lists.samba.org/archive/cifs-protocol/attachments/20080922/f0ad8362/SRX080814600310-0001.bin
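
The UPN_DNS_INFO layout discussed in this thread, as an added example that is not part of the original messages and is not Microsoft or Samba code: a bounds-checked Python parser run over the 88-byte type-12 buffer from the decrypted trace. The function, class and key names are assumptions of this example; a non-zero Flags value is reported rather than rejected, because the trace carries 0x00000001 while the quoted draft text says MUST be 0.

```python
import struct

# The 88-byte PAC_INFO_BUFFER type 12 payload quoted in the thread
# (offsets 0x0358-0x03af of the "Decrypted Krb5 (1094 bytes)" dump).
SAMPLE = bytes.fromhex(
    "3000100014004000"                  # UpnLength, UpnOffset, DnsDomainNameLength, DnsOffset
    "0100000000000000"                  # Flags, then 4 bytes the thread labels "padding ?"
    "410064006d0069006e00690073007400"
    "7200610074006f007200400076007300"
    "6f006600730038002e0063006f006d00"  # UPN, UTF-16LE, 48 bytes
    "560053004f004600530038002e004300"
    "4f004d00"                          # DNS name, UTF-16LE, 20 bytes
    "00000000"                          # trailing bytes up to the buffer Size of 88
)

# Fixed header as described in the thread: four 16-bit fields and a 32-bit
# Flags field, little-endian, not NDR encoded (12 bytes in total).
HEADER = struct.Struct("<HHHHI")
DNS_OFFSET_END = 8  # first byte after the DnsOffset field


class PacParseError(ValueError):
    """Raised when a UPN_DNS_INFO buffer contradicts its own header."""


def _utf16_field(buf, name, offset, length):
    """Return the UTF-16LE string at [offset, offset+length), fully validated."""
    end = offset + length
    if offset < HEADER.size:
        raise PacParseError(f"{name}: offset {offset} points into the fixed header")
    if end > len(buf):
        raise PacParseError(f"{name}: {offset}+{length} exceeds the {len(buf)}-byte buffer")
    if length % 2:
        raise PacParseError(f"{name}: odd length {length} is not whole UTF-16 code units")
    try:
        return buf[offset:end].decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise PacParseError(f"{name}: not valid UTF-16LE") from exc


def parse_upn_dns_info(buf):
    """Parse one UPN_DNS_INFO buffer; offsets are relative to its first byte."""
    if len(buf) < HEADER.size:
        raise PacParseError(f"buffer of {len(buf)} bytes is shorter than the header")
    upn_len, upn_off, dns_len, dns_off, flags = HEADER.unpack_from(buf, 0)

    upn = _utf16_field(buf, "UPN", upn_off, upn_len)
    dns = _utf16_field(buf, "DnsDomainName", dns_off, dns_len)

    # Two non-empty fields must not share bytes.
    if upn_len and dns_len and upn_off < dns_off + dns_len and dns_off < upn_off + upn_len:
        raise PacParseError("UPN and DnsDomainName overlap")

    return {
        "upn": upn,
        "dns": dns,
        "flags": flags,  # reported as-is, not enforced to be 0
        # Distance from the end of the DnsOffset field to the UPN data
        # (the "4 or 8 bytes" question raised in the thread).
        "gap_after_dns_offset": upn_off - DNS_OFFSET_END,
        # Whether either decoded string carries a NUL (the terminator question).
        "contains_nul": "\x00" in upn or "\x00" in dns,
        # Bytes left in the buffer after the last string.
        "trailing": len(buf) - max(upn_off + upn_len, dns_off + dns_len),
    }


if __name__ == "__main__":
    for key, value in parse_upn_dns_info(SAMPLE).items():
        print(f"{key}: {value!r}")
```
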

