[cifs-protocol] 115070812924583 No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ
Sreekanth Nadendla
srenaden at microsoft.com
Thu Jul 30 21:59:37 UTC 2015
Hello Andrew,
Per section 4.1.1 of RFC 4121, the Authenticator checksum type must be 0x8003, which is the GSSAPI checksum. So when you say "is a non-GSSAPI checksum ever checked?" what do you mean by that?
Are you asking, if the checksum is present in the AP-REQ Authenticator, whether Windows verifies if its type is the GSSAPI checksum type (0x8003)? If so, the answer is yes, it does.
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Thursday, July 30, 2015 5:18 PM
To: Sreekanth Nadendla
Cc: cifs-protocol at lists.samba.org; MSSolve Case Email
Subject: Re: 115070812924583 No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ
On Thu, 2015-07-30 at 18:37 +0000, Sreekanth Nadendla wrote:
> Hello Andrew,
> I've verified this and we are adding the following text in MS-KILE
> section "3.4.5 Message Processing Events and Sequencing Rules", to
> explain the deviation you have reported.
>
> When the checksum field is not present, the application server SHOULD
> process the requests as though none of the flags (RFC 4121 section
> 4.1.1.1) are set and SHOULD NOT check channel binding information (RFC
> 4121 section 4.1.2.1).
That is almost correct. It also needs to say 'or if the checksum is not of type GSSAPI_CHECKSUM'. BTW, is a non-GSSAPI checksum ever checked?
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
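
The checksum handling discussed in this thread, as an added example that is not part of the original messages and is not Samba or Windows code: a Python sketch of an acceptor that parses the RFC 4121 section 4.1.1 checksum (type 0x8003) and applies the proposed MS-KILE rule for an absent checksum. The function names, the `expected_bnd` parameter, the constructed sample bytes and the choice to reject other checksum types (a case the thread leaves open) are assumptions of this sketch.

```python
import hmac
import struct
from typing import NamedTuple, Optional

GSSAPI_CHECKSUM = 0x8003  # Authenticator checksum type, RFC 4121 section 4.1.1
# Flag bits from RFC 4121 section 4.1.1.1
GSS_FLAGS = {1: "DELEG", 2: "MUTUAL", 4: "REPLAY", 8: "SEQUENCE", 16: "CONF", 32: "INTEG"}


class Result(NamedTuple):
    flags: int               # context flags the acceptor will honour
    bindings_checked: bool   # True only if Bnd was compared and matched


def process_authenticator_cksum(cksumtype: Optional[int], checksum: bytes,
                                expected_bnd: Optional[bytes] = None) -> Result:
    """Hypothetical acceptor-side helper; cksumtype is None when the field is absent."""
    if cksumtype is None:
        # Proposed MS-KILE text: act as though no flags are set, skip channel bindings.
        return Result(0, False)
    if cksumtype != GSSAPI_CHECKSUM:
        # Assumption of this sketch: reject. The thread does not settle this case.
        raise ValueError(f"unexpected checksum type {cksumtype:#06x}")
    if len(checksum) < 24:
        raise ValueError("0x8003 checksum shorter than 24 bytes")
    (lgth,) = struct.unpack_from("<I", checksum, 0)    # Lgth: length of Bnd, little-endian
    if lgth != 16:
        raise ValueError("Lgth field must be 16")
    bnd = checksum[4:20]                                # Bnd: hash of the channel bindings
    (flags,) = struct.unpack_from("<I", checksum, 20)  # Flags, little-endian
    if expected_bnd is None:
        return Result(flags, False)                     # acceptor supplied no bindings
    if not hmac.compare_digest(bnd, expected_bnd):
        raise ValueError("channel binding mismatch")
    return Result(flags, True)


def flag_names(flags: int) -> list:
    """Decode a flags word into the names of the bits that are set."""
    return [name for bit, name in sorted(GSS_FLAGS.items()) if flags & bit]


# Constructed sample: Lgth=16, Bnd=00..0f, Flags=MUTUAL|INTEG
SAMPLE_BND = bytes(range(16))
SAMPLE_CKSUM = struct.pack("<I", 16) + SAMPLE_BND + struct.pack("<I", 2 | 32)

if __name__ == "__main__":
    print(process_authenticator_cksum(None, b""))
    res = process_authenticator_cksum(GSSAPI_CHECKSUM, SAMPLE_CKSUM, SAMPLE_BND)
    print(res, flag_names(res.flags))
```
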