[cifs-protocol] GUI and AD LDAP settings required to enable FAST

Stefan Metzmacher metze at samba.org
Tue Apr 27 06:31:57 UTC 2021

Hi Andrew,

I think I looked at this document:

It talks about the "KDC support for claims, compound authentication, and Kerberos armoring KDC"
and "Kerberos client support for claims, compound authentication and Kerberos armoring"
administrative template policies and 4 possible configurations.

I used this to create the captures for this presenation:
See slides 21-23. I can provide the raw captures with a keytab...

Please be aware of the WIP merge request:

python/samba/tests/krb5/as_req_tests.py is the relevant part
as well as the get_*_creds() helpers in
there _generic_kdc_exchange() and the _test_as_exchange() helpers
make it easy to also check the encrypted parts of the exchange.

_test_as_req_enc_timestamp() demonstrates a simple password based
authentication and checks almost every field in the response (also
in the encrypted parts and cross checks encrypted and plain fields)
checking the PAC including the signatures shouldn't be that complex.
Also extending it to do FAST and regenerate the same packets as
seen in the windows to windows captures.


Am 27.04.21 um 07:28 schrieb Andrew Bartlett via cifs-protocol:
> G'Day Dochelp,
> Gary (CCed) has been building on Samba's raw protocol testsuite for
> Kerberos to include tests for the new FAST protection for the AS-REQ /
> TGS-REQ etc.
> However despite provisioning a domain (and new forest) in Windows 2016
> functional level and setting the group polity settings to enable FAST,
> he has not been having any success.
> I have to say I was a little surprised, I thought it would be on
> automatically one the functional level was reached (being such an
> important security upgrade and all). 
> Despite Gary's best efforts, he hasn't been able to get FAST enabled
> when talking to his (manually ASN.1 marshalled python-based) test
> client.
> Also, for interoperability in a mixed-implementation domain, it will be
> important for Samba to honour the same domain-wide state to learn if we
> should enable FAST.  Presumably, like for password policies, the GPO is
> adjusting a setting in LDAP?
> If you could let us know the GUI settings (GPOs I think) and the
> matching/underlying LDAP behaviours that would be really helpful. 
> Please feel free to ask Gary for any further details you need, as he is
> most keen to get an example Windows server running so he can complete
> the tests. 
> Thanks!
> Andrew Bartlett

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20210427/ee0cc32c/OpenPGP_signature.sig>

More information about the cifs-protocol mailing list