[cifs-protocol] 115070812924583 No mention of deviation from MS-KILE regarding non-gssapi or absent checksums in AP-REQ

Andrew Bartlett abartlet at samba.org
Fri Jul 31 00:48:35 UTC 2015

On Thu, 2015-07-30 at 21:59 +0000, Sreekanth Nadendla wrote:
> Hello Andrew,
> Per section 4.1.1 of RFC 4121, the Authenticator
> checksum type must be 0x8003, which is the GSSAPI checksum. So when you
> say "is a non-GSSAPI checksum ever checked?" what do you mean by
> that?
> Are you asking if the checksum is present in the AP-REQ Authenticator,
> whether Windows verifies if its type is the GSSAPI checksum type
> (0x8003)? If so the answer is yes, it does.

If the checksum is present, but is not 0x8003, what happens?
Our tests show that a value other than 0x8003 is accepted.  Samba
currently implements that by validating it using the krb5 checksum
routine appropriate to the value. What does Windows do?
Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
