[cifs-protocol] GUI and AD LDAP settings required to enable FAST

Stefan Metzmacher metze at samba.org
Tue Apr 27 10:40:37 UTC 2021

On 27.04.21 at 11:38, Andrew Bartlett wrote:
> On Tue, 2021-04-27 at 10:18 +0200, Stefan Metzmacher via cifs-protocol
> wrote:
>> I uploaded the captures here:
>> https://www.samba.org/~metze/presentations/2020/SambaXP/captures/fast/
>> I guess this was the one that finally worked:
>> w2012r2-189-logon-FAST-administrator-w2012r2-l6.base-try-13-client-compound-first-kdc-enabled-compound.pcap.gz
>> wireshark >= 3.3.0 should be able to decrypt and dissect everything
>> using
>> w2012r2-l6.base.keytab.20200422
> Thanks so much metze.  
> Looking at packets 133 -> 156 I think I find the issue Gary was having,
> which is that it looks like the Windows KDC doesn't advertise
> PA-FX-FAST in an AS-REQ PREAUTH_REQUIRED error (RFC 6113 5.4.2).
> Dochelp,
> Is my understanding correct?  Do clients just need to know out-of-band
> that FAST should be used?  Is there any other easy way to tell that
> FAST is configured correctly and operating?

I guess the client gets it from encrypted-pa-data of frame 125,
as the response to the initial AS-REQ as machine account.
This maybe together with its applied computer GPOs...

But let's see what dochelp finds...

