[cifs-protocol] Please clarify LSA and OsVersion behaviour in MS-NRPC (SRX090727600015)

Bill Wesse billwe at microsoft.com
Wed Aug 26 07:04:59 MDT 2009

I will look into Windows 2008 behavior on this and get back to you as soon as I can; I expect to be able to start later today.

Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 25, 2009 8:35 PM
To: Bill Wesse
Cc: cifs-protocol at samba.org; pfif at tridgell.net; Matthias Dieter Wallnöfer
Subject: RE: [cifs-protocol] Please clarify LSA and OsVersion behaviour in MS-NRPC (SRX090727600015)

On Tue, 2009-08-25 at 07:04 -0700, Bill Wesse wrote:
> Good morning Andrew. Thanks for your feedback. I have interpolated available information below.
> >> Andrew - I think I might have missed a previous email of yours. If so, I offer my apologies.
> >> 
> >> The actual Windows behavior is - as Matthias noted previously - 
> >> that NetrLogonGetDomainInfo bypasses the servicePrincipalName 
> >> constraints (which are documented in [MS-ADTS]
> >
> >OK, when will this security bug be addressed?  I thought I saw a difference in this behaviour for Windows 2008 - honestly I was expecting 'Windows 2008 fixed this' as your reply.
> This is currently 'work-in-progress', and I will update you as soon as I have information. My understanding is that this is not an issue with releases after Windows 2003 (which matches with your comments concerning Windows 2008).

Great.  Can you give me the exact rules as they apply to Windows 2008 then?  I can work from them to fix this up to match Windows 2008 behaviour (which was my original goal, but wasn't what Matthias wrote the code to match).

> >> We are currently working on which document this should be addressed 
> >> in ([MS-ADTS] or [MS-NRPC]). I expect that [MS-NRPC] is not the 
> >> correct place, since SPN validation is carried out by Active 
> >> Directory, outside the scope of the NetLogon protocol. I do not yet 
> >> have any information concerning whether or not any product bugs 
> >> will be filed, but I have alerted the appropriate folks here at 
> >> Microsoft. That may impact any forthcoming Windows Behavior notes.
> >OK.  I would appreciate an update on what the expected long-term 
> >behaviour of Microsoft products will be, so we know what we must
> >emulate.  (Oh the joys of bug-for-bug compatibility)
> Some of this will depend on Windows 2003 and earlier bug/fix details. I will keep you advised!
> >Thanks for the detail.  I look forward to being able to use it some 
> >day :-)
> My pleasure!


Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
