[cifs-protocol] [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO

Uri Simchoni uri at samba.org
Sat May 7 08:44:49 UTC 2016


One last thing - for the sake of reproducing the issue in the future or
as a workaround, is there a way to control the RODC id when promoting a
server to RODC (i.e. to make the rodc id < 32768 or >= 32768)?

Thanks,
Uri.
On 05/06/2016 08:31 PM, Edgar Olougouna wrote:
> Uri,
> Windows KILE key version numbers are signed 32-bit integers. Windows KDC does not accept a 5-byte Kvno and does not return errors on “malformed” packets, as that can be used to set up a DoS flood attack.
> The first 16 bits of the kvno, including the most significant bit, are an unsigned 16-bit number that SHOULD identify the RODC (if it’s RODC). The remaining 16 bits SHOULD be the version number of the key.
> KILE has a deviation from [RFC4120] which defines kvno as Uint32.
> For interop, MIT implementation also uses the signed 32-bit integer.
> 
> Maybe I'll add a few lines to my blog.
> https://blogs.msdn.microsoft.com/openspecification/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment/
> 
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Edgar Olougouna 
> Sent: Friday, May 6, 2016 10:57 AM
> To: Uri Simchoni <uri at samba.org>
> Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>; MSSolve Case Email <casemail at microsoft.com>
> Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO
> 
> Uri,
> I am reviewing this and will follow-up soon.
> 
> Thanks,
> Edgar
> 
> -----Original Message-----
> From: Kamil Sykora 
> Sent: Thursday, May 5, 2016 8:13 PM
> To: Uri Simchoni <uri at samba.org>
> Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>; MSSolve Case Email <casemail at microsoft.com>
> Subject: RE: [REG: 116050614132786] [MS-KILE] - DER encoding of KVNO
> 
> [BCC: dochelp, CC: casemail]
> 
> Hello Uri,
> 
> Thank you for your question. I have created incident 116050614132786 to track your issue. One of our team members will contact you shortly.
> 
> Thanks,
> Kamil
>  
> Kamil Sykora
> Microsoft Open Specifications
> 
> 
> -----Original Message-----
> From: Uri Simchoni [mailto:uri at samba.org] 
> Sent: Thursday, May 5, 2016 5:26 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol at lists.samba.org; Ralph Böhme <slow at samba.org>
> Subject: [MS-KILE] - DER encoding of KVNO
> 
> 
> Hi,
> 
> This is in reference to Samba bug
> https://bugzilla.samba.org/show_bug.cgi?id=11900. I seek clarification on encoding of Kerberos tickets.
> 
> We've found that when generating a TGS request, the Kerberos library that's bundled with Samba encodes a KVNO larger than 0x7fffffff using 5 bytes, and this seems to upset Windows domain controllers (2003R2 and 2008R2), which seem to expect a maximum of 4 bytes in the KVNO. We've demonstrated that encoding the KVNO in 4 bytes fixes the issue.
> 
> We easily get to such high KVNO when working against an RODC which is configured to cache our machine account password. In that case the TGT we get has a high KVNO because it's made up of two fields. It appears that we decode and re-encode the TGT (the unencrypted parts) before sending it in a TGS-REQ.
> 
> According to RFC 4120, a KVNO is an unsigned 32-bit integer, and according to DER, such an integer in the range of 0x80000000-0xFFFFFFFF has to be encoded using 5 bytes, so it seems Samba's in compliance with the standard here.
> 
> Can you confirm that Windows expects up to 4 bytes in the KVNO? If yes, can it be said that Windows is too restrictive here?
> 
> Thanks,
> Uri.
> 
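As an added example that is not part of the thread: a small Python model of the encodings under discussion. It builds an RODC-style kvno from a 16-bit RODC id and a 16-bit key version, DER-encodes it both as the unsigned integer RFC 4120 specifies and as the signed 32-bit integer Windows KILE uses, and checks the content length against the 4-byte limit the Windows KDCs were observed to enforce. The `windows_kdc_accepts` function is a model of that observed behaviour, not Windows or Samba code.

```python
from __future__ import annotations

# Added example (not from the thread): DER INTEGER encoding of a Kerberos kvno
# as RFC 4120's unsigned 32-bit value versus Windows KILE's signed 32-bit value,
# plus the RODC split of the kvno into a 16-bit RODC id and a 16-bit key version.

def rodc_kvno(rodc_id: int, version: int) -> int:
    """Build an RODC-style kvno: high 16 bits = RODC id, low 16 bits = key version."""
    if not 0 <= rodc_id <= 0xFFFF or not 0 <= version <= 0xFFFF:
        raise ValueError("rodc_id and version must each fit in 16 bits")
    return (rodc_id << 16) | version

def split_kvno(kvno: int) -> tuple[int, int]:
    """Inverse of rodc_kvno: returns (rodc_id, version)."""
    return (kvno >> 16) & 0xFFFF, kvno & 0xFFFF

def as_int32(kvno: int) -> int:
    """Reinterpret an unsigned 32-bit kvno the way Windows does: as a signed 32-bit integer."""
    return kvno - (1 << 32) if kvno & 0x80000000 else kvno

def der_integer(value: int) -> bytes:
    """DER-encode a Python int as INTEGER (tag 0x02) with minimal two's-complement content.
    A non-negative value whose top bit is set needs a leading 0x00 pad byte, which is
    why an unsigned kvno >= 0x80000000 turns into 5 content bytes."""
    if value >= 0:
        length = value.bit_length() // 8 + 1
    else:
        length = (-value - 1).bit_length() // 8 + 1
    content = value.to_bytes(length, "big", signed=True)
    assert length < 0x80  # short-form length suffices for any 32-bit kvno
    return bytes([0x02, length]) + content

def kvno_content_length(der: bytes) -> int:
    """Number of content octets in a short-form DER INTEGER."""
    if len(der) < 2 or der[0] != 0x02 or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a well-formed short-form DER INTEGER")
    return der[1]

def windows_kdc_accepts(der: bytes) -> bool:
    """Model of the observed Windows behaviour: more than 4 content octets is rejected."""
    return kvno_content_length(der) <= 4

if __name__ == "__main__":
    # Constructed sample: an RODC id with its top bit set gives kvno 0x80000001.
    k = rodc_kvno(32768, 1)
    print(hex(k), der_integer(k).hex(), der_integer(as_int32(k)).hex())
```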