[cifs-protocol] Please clarify LSA and OsVersion behaviour in MS-NRPC (SRX090727600015)

Andrew Bartlett abartlet at samba.org
Tue Aug 25 18:35:01 MDT 2009


On Tue, 2009-08-25 at 07:04 -0700, Bill Wesse wrote:
> Good morning Andrew. Thanks for your feedback. I have interpolated available information below.
> 
> >> Andrew - I think I might have missed a previous email of yours. If so, I offer my apologies.
> >> 
> >> The actual Windows behavior is - as Matthias noted previously - that 
> >> NetrLogonGetDomainInfo bypasses the servicePrincipalName constraints 
> >> (which are documented in [MS-ADTS] 3.1.1.5.3.1.1.4).
> >
> >OK, when will this security bug be addressed?  I thought I saw a difference in this behaviour for Windows 2008 - honestly I was expecting 'Windows 2008 fixed this' as your reply.
> 
> This is currently 'work-in-progress', and I will update you as soon as I have information. My understanding is that this is not an issue with releases after Windows 2003 (which matches with your comments concerning Windows 2008).

Great.  Can you give me the exact rules as they apply to Windows 2008
then?  I can work from them to fix this up to match Windows 2008
behaviour (which was my original goal, but wasn't what Matthias wrote
the code to match).

> >> We are currently working on which document this should be addressed in 
> >> ([MS-ADTS] or [MS-NRPC]). I expect that [MS-NRPC] is not the correct 
> >> place, since SPN validation is carried out by Active Directory, 
> >> outside the scope of the NetLogon protocol. I do not yet have any 
> >> information concerning whether or not any product bugs will be filed, 
> >> but I have alerted the appropriate folks here at Microsoft. That may 
> >> impact any forthcoming Windows Behavior notes.
> 
> >OK.  I would appreciate an update on what the expected long-term behaviour of Microsoft products will be, so we know what we must emulate.  (Oh the joys of bug-for-bug compatibility)
> 
> Some of this will depend on Windows 2003 and earlier bug/fix details. I will keep you advised!
> 
> >Thanks for the detail.  I look forward to being able to use it some day :-)
> 
> My pleasure!

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.