[cifs-protocol] Windows Server 2025 regression with KPASSWD protocol response

Alexander Bokovoy ab at samba.org
Sat Dec 14 09:07:04 UTC 2024


Hello Dochelp!

It was brought to our attention that Windows Server 2025-based Active
Directory domain controllers appear to regress in handling KPASSWD
protocol. Namely, a password change request is being processed and a
password of an Active Directory account has been changed but the
response produced by the domain controller is Kerberos error with code
0, explicitly not allowed by the RFC3244 describing Microsoft KPASSWD
protocol.

There is an issue reported upstream to adcli utility which performs
Linux system domain join. As a part of the join process, we set a new
credential to the machine account. The machine account credential is
updated in AD but the response contains this KPASSWD error response with
result code 0

103     3.624528        192.168.122.48  192.168.122.109 KPASSWD 1742    Request
(attached file)

106     3.709703        192.168.122.109 192.168.122.48  KPASSWD 165
Kerberos
    krb-error
        pvno: 5
        msg-type: krb-error (30)
        stime: Dec 13, 2024 02:55:10.000000000 EET
        susec: 213134
        error-code: eRR-NONE (0)
        realm: FOREST.MY
        sname
            name-type: kRB5-NT-SRV-INST (2)
            sname-string: 2 items
                SNameString: kadmin
                SNameString: changepw
        e-data: 0000

This issue was also reported by Windows Insiders in June 2024:
https://techcommunity.microsoft.com/discussions/windowsserverinsiders/problems-to-join-debianubuntu-machines-to-a-domain/4158051

The message they reported is the same. The issue 'Message stream
modified' is due to MIT Kerberos processing the returned Kerberos error
with result code 0 and rejecting it according to the RFC 3244.

Since Kerberos errors aren't protected from mid-stream modifications,
RFC 3244 explicitly states in the section 2, describing the protocol,
that:

----------------------------------------------
   The user-data component of the KRB-PRIV message, or e-data component
   of the KRB-ERROR message, consists of the following data.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |          result code          |        result string          /
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   result code (16 bits) (result codes 0-4 are from the original change
   password protocol):

      The result code must have one of the following values
      (big-endian integer):

      KRB5_KPASSWD_SUCCESS             0 request succeeds (This value
                                         is not allowed in a KRB-ERROR
                                         message)
----------------------------------------------

I can provide a network trace and a keytab that shows the whole
communication during the domain join operation, including this kpasswd
exchange. However, I've been told the same situation happens with a
normal user account password change against Windows Server 2025 AD DC as
well.

If this is an implementation regression, would you please consult with
the engineering team on Windows Server side. However, if this is a
protocol change, can we see the changes documented?

-- 
/ Alexander Bokovoy
-------------- next part --------------
MS Kpasswd
    Record Mark: 1672 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0110 1000 1000 = Record Length: 1672
    Message Length: 1672
    Version: Request (0xff80)
    AP_REQ Length: 1411
    AP_REQ
        Kerberos
            ap-req
                pvno: 5
                msg-type: krb-ap-req (14)
                Padding: 0
                ap-options: 00000000
                    0... .... = reserved: False
                    .0.. .... = use-session-key: False
                    ..0. .... = mutual-required: False
                ticket
                    tkt-vno: 5
                    realm: FOREST.MY
                    sname
                        name-type: kRB5-NT-PRINCIPAL (1)
                        sname-string: 2 items
                            SNameString: kadmin
                            SNameString: changepw
                    enc-part
                        etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                        kvno: 2
                        cipher [?]: 25222195658650c8c14e1eac23a50ab6f8fe7296fd1f2f86a66c58d554960fabb3c1a2093dba37b85576e467c4a452d3649c3eea0118fc2981f46f1790a2d71a94e07477a80d86d1abe863b365a5488495acdeb6f89ad8b2ebc1406a7a4b1cfc62c9c767bdd8cb1b1e519c9fb48c9ca57
                            Decrypted keytype 18 usage 2 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)
                                [Expert Info (Chat/Security): Decrypted keytype 18 usage 2 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)]
                                    [Decrypted keytype 18 usage 2 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)]
                                    [Severity level: Chat]
                                    [Group: Security]
                                [Expert Info (Chat/Security): Used keymap=all_keys num_keys=46 num_tries=12)]
                                    [Used keymap=all_keys num_keys=46 num_tries=12)]
                                    [Severity level: Chat]
                                    [Group: Security]
                            encTicketPart
                                Padding: 0
                                flags: 40a10000
                                    0... .... = reserved: False
                                    .1.. .... = forwardable: True
                                    ..0. .... = forwarded: False
                                    ...0 .... = proxiable: False
                                    .... 0... = proxy: False
                                    .... .0.. = may-postdate: False
                                    .... ..0. = postdated: False
                                    .... ...0 = invalid: False
                                    1... .... = renewable: True
                                    .0.. .... = initial: False
                                    ..1. .... = pre-authent: True
                                    ...0 .... = hw-authent: False
                                    .... 0... = transited-policy-checked: False
                                    .... .0.. = ok-as-delegate: False
                                    .... ..0. = unused: False
                                    .... ...1 = enc-pa-rep: True
                                    0... .... = anonymous: False
                                key
                                    Learnt encTicketPart_key keytype 18 (id=103.1) (268fc3fa...)
                                        [Expert Info (Chat/Security): Learnt encTicketPart_key keytype 18 (id=103.1) (268fc3fa...)]
                                            [Learnt encTicketPart_key keytype 18 (id=103.1) (268fc3fa...)]
                                            [Severity level: Chat]
                                            [Group: Security]
                                    keytype: 18
                                    keyvalue: 268fc3fa0c9ffed70445b36488e8df2ee88b7db0f3bdf8c212cbad007c142a74
                                crealm: FOREST.MY
                                cname
                                    name-type: kRB5-NT-PRINCIPAL (1)
                                    cname-string: 1 item
                                        CNameString: Administrator
                                transited
                                    tr-type: 1
                                    contents: <MISSING>
                                authtime: Dec 13, 2024 02:55:09.000000000 EET
                                starttime: Dec 13, 2024 02:55:09.000000000 EET
                                endtime: Dec 13, 2024 02:57:09.000000000 EET
                                renew-till: Dec 13, 2024 02:57:09.000000000 EET
                                authorization-data: 1 item
                                    AuthorizationData item
                                        ad-type: aD-IF-RELEVANT (1)
                                        ad-data [?]: 308203723082036ea00402020080a18203640482036005000000000000000100000020020000580000000000000006000000100000007802000000000000070000001000000088020000000000000a0000002400000098020000000000000c000000a0000000c0020000000000000110
                                            AuthorizationData item
                                                ad-type: aD-WIN2K-PAC (128)
                                                ad-data [?]: 05000000000000000100000020020000580000000000000006000000100000007802000000000000070000001000000088020000000000000a0000002400000098020000000000000c000000a0000000c00200000000000001100800cccccccc1002000000000000000002006a96bda8
                                                    Verified Server checksum 16 keytype 18 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)
                                                        [Expert Info (Chat/Security): Verified Server checksum 16 keytype 18 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)]
                                                            [Verified Server checksum 16 keytype 18 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)]
                                                            [Severity level: Chat]
                                                            [Group: Security]
                                                        [Expert Info (Chat/Security): Used keymap=all_keys num_keys=46 num_tries=12)]
                                                            [Used keymap=all_keys num_keys=46 num_tries=12)]
                                                            [Severity level: Chat]
                                                            [Group: Security]
                                                    Verified KDC checksum 16 keytype 18 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)
                                                        [Expert Info (Chat/Security): Verified KDC checksum 16 keytype 18 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)]
                                                            [Verified KDC checksum 16 keytype 18 using keytab principal krbtgt at FOREST.MY (id=keytab.13 same=0) (f062e2a4...)]
                                                            [Severity level: Chat]
                                                            [Group: Security]
                                                        [Expert Info (Chat/Security): Used keymap=longterm_keys num_keys=32 num_tries=5)]
                                                            [Used keymap=longterm_keys num_keys=32 num_tries=5)]
                                                            [Severity level: Chat]
                                                            [Group: Security]
                                                    Num Entries: 5
                                                    Version: 0
                                                    Type: Logon Info (1)
                                                        Size: 544
                                                        Offset: 88
                                                        PAC_LOGON_INFO [?]: 01100800cccccccc1002000000000000000002006a96bda8f94cdb01ffffffffffffff7fffffffffffffff7f9bb9b6c88a4cdb019b7920f3534ddb01ffffffffffffff7f1a001a00040002000000000008000200000000000c000200000000001000020000000000140002000
                                                            MES header
                                                                Version: 1
                                                                DREP
                                                                    Byte order: Little-endian (1)
                                                                HDR Length: 8
                                                                Fill bytes: 0xcccccccc
                                                                Blob Length: 528
                                                            PAC_LOGON_INFO:
                                                                Referent ID: 0x00020000
                                                                Logon Time: Dec 13, 2024 02:55:09.912637800 EET
                                                                Logoff Time: Infinity (absolute time)
                                                                Kickoff Time: Infinity (absolute time)
                                                                PWD Last Set: Dec 12, 2024 13:41:29.417769100 EET
                                                                PWD Can Change: Dec 13, 2024 13:41:29.417769100 EET
                                                                PWD Must Change: Infinity (absolute time)
                                                                Acct Name: Administrator
                                                                    Length: 26
                                                                    Size: 26
                                                                    Character Array: Administrator
                                                                        Referent ID: 0x00020004
                                                                        Max Count: 13
                                                                        Offset: 0
                                                                        Actual Count: 13
                                                                        Acct Name: Administrator
                                                                Full Name
                                                                    Length: 0
                                                                    Size: 0
                                                                    Character Array
                                                                        Referent ID: 0x00020008
                                                                        Max Count: 0
                                                                        Offset: 0
                                                                        Actual Count: 0
                                                                Logon Script
                                                                    Length: 0
                                                                    Size: 0
                                                                    Character Array
                                                                        Referent ID: 0x0002000c
                                                                        Max Count: 0
                                                                        Offset: 0
                                                                        Actual Count: 0
                                                                Profile Path
                                                                    Length: 0
                                                                    Size: 0
                                                                    Character Array
                                                                        Referent ID: 0x00020010
                                                                        Max Count: 0
                                                                        Offset: 0
                                                                        Actual Count: 0
                                                                Home Dir
                                                                    Length: 0
                                                                    Size: 0
                                                                    Character Array
                                                                        Referent ID: 0x00020014
                                                                        Max Count: 0
                                                                        Offset: 0
                                                                        Actual Count: 0
                                                                Dir Drive
                                                                    Length: 0
                                                                    Size: 0
                                                                    Character Array
                                                                        Referent ID: 0x00020018
                                                                        Max Count: 0
                                                                        Offset: 0
                                                                        Actual Count: 0
                                                                Logon Count: 20
                                                                Bad PW Count: 0
                                                                User RID: 500
                                                                Group RID: 513
                                                                Num RIDs: 5
                                                                GroupIDs
                                                                    Referent ID: 0x0002001c
                                                                    Max Count: 5
                                                                    GROUP_MEMBERSHIP:
                                                                        Group RID: 520
                                                                        Group Attributes: 0x00000007
                                                                            .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                                                                            .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                                                            .... .... .... .... .... .... .... .1.. = Enabled: The ENABLED bit is SET
                                                                            .... .... .... .... .... .... .... 0... = Owner: The owner bit is NOT set
                                                                            ..0. .... .... .... .... .... .... .... = Resource Group: The resource group bit is NOT set
                                                                    GROUP_MEMBERSHIP:
                                                                        Group RID: 512
                                                                        Group Attributes: 0x00000007
                                                                            .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                                                                            .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                                                            .... .... .... .... .... .... .... .1.. = Enabled: The ENABLED bit is SET
                                                                            .... .... .... .... .... .... .... 0... = Owner: The owner bit is NOT set
                                                                            ..0. .... .... .... .... .... .... .... = Resource Group: The resource group bit is NOT set
                                                                    GROUP_MEMBERSHIP:
                                                                        Group RID: 513
                                                                        Group Attributes: 0x00000007
                                                                            .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                                                                            .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                                                            .... .... .... .... .... .... .... .1.. = Enabled: The ENABLED bit is SET
                                                                            .... .... .... .... .... .... .... 0... = Owner: The owner bit is NOT set
                                                                            ..0. .... .... .... .... .... .... .... = Resource Group: The resource group bit is NOT set
                                                                    GROUP_MEMBERSHIP:
                                                                        Group RID: 518
                                                                        Group Attributes: 0x00000007
                                                                            .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                                                                            .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                                                            .... .... .... .... .... .... .... .1.. = Enabled: The ENABLED bit is SET
                                                                            .... .... .... .... .... .... .... 0... = Owner: The owner bit is NOT set
                                                                            ..0. .... .... .... .... .... .... .... = Resource Group: The resource group bit is NOT set
                                                                    GROUP_MEMBERSHIP:
                                                                        Group RID: 519
                                                                        Group Attributes: 0x00000007
                                                                            .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                                                                            .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                                                            .... .... .... .... .... .... .... .1.. = Enabled: The ENABLED bit is SET
                                                                            .... .... .... .... .... .... .... 0... = Owner: The owner bit is NOT set
                                                                            ..0. .... .... .... .... .... .... .... = Resource Group: The resource group bit is NOT set
                                                                User Flags: 0x00000220
                                                                    .... .... .... .... .... ..1. .... .... = Resource Groups: The RESOURCE_GROUPS bit is SET
                                                                    .... .... .... .... .... .... ..1. .... = Extra SIDs: The EXTRA_SIDS bit is SET
                                                                User Session Key: 00000000000000000000000000000000
                                                                Server: WIN-720P3J7PAP3
                                                                    Length: 30
                                                                    Size: 32
                                                                    Character Array: WIN-720P3J7PAP3
                                                                        Referent ID: 0x00020020
                                                                        Max Count: 16
                                                                        Offset: 0
                                                                        Actual Count: 15
                                                                        Server: WIN-720P3J7PAP3
                                                                Domain: FOREST
                                                                    Length: 12
                                                                    Size: 14
                                                                    Character Array: FOREST
                                                                        Referent ID: 0x00020024
                                                                        Max Count: 7
                                                                        Offset: 0
                                                                        Actual Count: 6
                                                                        Domain: FOREST
                                                                SID pointer: S-1-5-21-1191110912-437985896-597071733  (Domain SID)
                                                                    SID pointer: S-1-5-21-1191110912-437985896-597071733  (Domain SID)
                                                                        Referent ID: 0x00020028
                                                                        Count: 4
                                                                        Domain SID: S-1-5-21-1191110912-437985896-597071733  (Domain SID)
                                                                            Revision: 1
                                                                            Num Auth: 4
                                                                            Authority: 5
                                                                            Subauthorities: 21-1191110912-437985896-597071733
                                                                Dummy1 Long: 0x00000000
                                                                Dummy2 Long: 0x00000000
                                                                User Account Control: 0x00000210
                                                                    .... .... .... ...0 .... .... .... .... = Don't Require PreAuth: This account REQUIRES preauthentication
                                                                    .... .... .... .... 0... .... .... .... = Use DES Key Only: This account does NOT have to use_des_key_only
                                                                    .... .... .... .... .0.. .... .... .... = Not Delegated: This might have been delegated
                                                                    .... .... .... .... ..0. .... .... .... = Trusted For Delegation: This account is NOT trusted_for_delegation
                                                                    .... .... .... .... ...0 .... .... .... = SmartCard Required: This account does NOT require_smartcard to authenticate
                                                                    .... .... .... .... .... 0... .... .... = Encrypted Text Password Allowed: This account does NOT allow encrypted_text_password
                                                                    .... .... .... .... .... .0.. .... .... = Account Auto Locked: This account is NOT auto_locked
                                                                    .... .... .... .... .... ..1. .... .... = Don't Expire Password: This account DOESN'T_EXPIRE_PASSWORDs
                                                                    .... .... .... .... .... ...0 .... .... = Server Trust Account: This account is NOT a server_trust_account
                                                                    .... .... .... .... .... .... 0... .... = Workstation Trust Account: This account is NOT a workstation_trust_account
                                                                    .... .... .... .... .... .... .0.. .... = Interdomain trust Account: This account is NOT an interdomain_trust_account
                                                                    .... .... .... .... .... .... ..0. .... = MNS Logon Account: This account is NOT a mns_logon_account
                                                                    .... .... .... .... .... .... ...1 .... = Normal Account: This account is a NORMAL_ACCOUNT
                                                                    .... .... .... .... .... .... .... 0... = Temp Duplicate Account: This account is NOT a temp_duplicate_account
                                                                    .... .... .... .... .... .... .... .0.. = Password Not Required: This account REQUIRES a password
                                                                    .... .... .... .... .... .... .... ..0. = Home Directory Required: This account does NOT require_home_directory
                                                                    .... .... .... .... .... .... .... ...0 = Account Disabled: This account is NOT disabled
                                                                Dummy4 Long: 0x00000000
                                                                Dummy5 Long: 0x00000000
                                                                Dummy6 Long: 0x00000000
                                                                Dummy7 Long: 0x00000000
                                                                Dummy8 Long: 0x00000000
                                                                Dummy9 Long: 0x00000000
                                                                Dummy10 Long: 0x00000000
                                                                Num Extra SID: 1
                                                                SID_AND_ATTRIBUTES_ARRAY:
                                                                    Referent ID: 0x0002002c
                                                                    SID_AND_ATTRIBUTES array:
                                                                        Max Count: 1
                                                                        SID_AND_ATTRIBUTES:
                                                                            SID pointer: S-1-18-1  (Authentication Authority Asserted Identity)
                                                                                SID pointer: S-1-18-1  (Authentication Authority Asserted Identity)
                                                                                    Referent ID: 0x00020030
                                                                                    Count: 1
                                                                                    Domain SID: S-1-18-1  (Authentication Authority Asserted Identity)
                                                                                        Revision: 1
                                                                                        Num Auth: 1
                                                                                        Authority: 18
                                                                                        Subauthorities: 1
                                                                            Group Attributes: 0x00000007
                                                                                .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                                                                                .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                                                                .... .... .... .... .... .... .... .1.. = Enabled: The ENABLED bit is SET
                                                                                .... .... .... .... .... .... .... 0... = Owner: The owner bit is NOT set
                                                                                ..0. .... .... .... .... .... .... .... = Resource Group: The resource group bit is NOT set
                                                                ResourceGroupIDs
                                                                    SID pointer: S-1-5-21-1191110912-437985896-597071733  (Domain SID)
                                                                        SID pointer: S-1-5-21-1191110912-437985896-597071733  (Domain SID)
                                                                            Referent ID: 0x00020034
                                                                            Count: 4
                                                                            Domain SID: S-1-5-21-1191110912-437985896-597071733  (Domain SID)
                                                                                Revision: 1
                                                                                Num Auth: 4
                                                                                Authority: 5
                                                                                Subauthorities: 21-1191110912-437985896-597071733
                                                                    ResourceGroup count: 1
                                                                    GroupIDs
                                                                        Referent ID: 0x00020038
                                                                        Max Count: 1
                                                                        GROUP_MEMBERSHIP:
                                                                            Group RID: 572
                                                                            Group Attributes: 0x20000007
                                                                                .... .... .... .... .... .... .... ...1 = Mandatory: The MANDATORY bit is SET
                                                                                .... .... .... .... .... .... .... ..1. = Enabled By Default: The ENABLED_BY_DEFAULT bit is SET
                                                                                .... .... .... .... .... .... .... .1.. = Enabled: The ENABLED bit is SET
                                                                                .... .... .... .... .... .... .... 0... = Owner: The owner bit is NOT set
                                                                                ..1. .... .... .... .... .... .... .... = Resource Group: The RESOURCE GROUP bit is SET
                                                    Type: Server Checksum (6)
                                                        Size: 16
                                                        Offset: 632
                                                        PAC_SERVER_CHECKSUM: 100000008e288bfb8354a76d5b95dcda
                                                            Type: 16
                                                            Signature: 8e288bfb8354a76d5b95dcda
                                                    Type: Privsvr Checksum (7)
                                                        Size: 16
                                                        Offset: 648
                                                        PAC_PRIVSVR_CHECKSUM: 10000000d559491be8012254716dbc0b
                                                            Type: 16
                                                            Signature: d559491be8012254716dbc0b
                                                    Type: Client Info Type (10)
                                                        Size: 36
                                                        Offset: 664
                                                        PAC_CLIENT_INFO_TYPE: 805432a8f94cdb011a00410064006d0069006e006900730074007200610074006f007200
                                                            ClientID: Dec 13, 2024 02:55:09.000000000 EET
                                                            Name Length: 26
                                                            Name: Administrator
                                                    Type: UPN DNS Info (12)
                                                        Size: 160
                                                        Offset: 704
                                                        UPN_DNS_INFO [?]: 2e00180012004800030000001a0060001c00800000000000410064006d0069006e006900730074007200610074006f007200400066006f0072006500730074002e006d007900000046004f0052004500530054002e004d005900000000000000410064006d0069006e006900730
                                                            UPN Len: 46
                                                            UPN Offset: 24
                                                            DNS Len: 18
                                                            DNS Offset: 72
                                                            Flags: 0x00000003, UPN Name Constructed, SAM_NAME and SID Included
                                                                .... .... .... .... .... .... .... ...1 = UPN Name Constructed: UPN Name is Constructed
                                                                .... .... .... .... .... .... .... ..1. = SAM_NAME and SID Included: SAM_NAME and SID are included
                                                            sAMAccountName Len: 26
                                                            sAMAccountName Offset: 96
                                                            objectSid Len: 28
                                                            objectSid Offset: 128
                                                            UPN Name: Administrator at forest.my
                                                            DNS Name: FOREST.MY
                                                            sAMAccountName: Administrator
                                                            objectSid: S-1-5-21-1191110912-437985896-597071733-500  (Domain SID-Administrator)
                                                                Revision: 1
                                                                Num Auth: 5
                                                                Authority: 5
                                                                Subauthorities: 21-1191110912-437985896-597071733-500
                                                                RID: 500  (Administrator)
                authenticator
                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                    cipher [?]: b94aed41c599abc5894ffb70a6c751071210ea134f0e8f57ef11c3126f7a16cc43a8bc300ef7b5685707ff198598b17a421a28e4f4f96a3f9c2b6f24626c7123b533d17f05f8bd2d7ec0c018c2a792aa12d48ac28169d6a65c366d8f284b6c0e311ebe78911a3d76ebc7961a5f4e2c8d1
                        Decrypted keytype 18 usage 11 using learnt encTicketPart_key in frame 91 (id=91.2 same=2) (268fc3fa...)
                            [Expert Info (Chat/Security): Decrypted keytype 18 usage 11 using learnt encTicketPart_key in frame 91 (id=91.2 same=2) (268fc3fa...)]
                                [Decrypted keytype 18 usage 11 using learnt encTicketPart_key in frame 91 (id=91.2 same=2) (268fc3fa...)]
                                [Severity level: Chat]
                                [Group: Security]
                            [Expert Info (Chat/Security): Used keymap=all_keys num_keys=46 num_tries=11)]
                                [Used keymap=all_keys num_keys=46 num_tries=11)]
                                [Severity level: Chat]
                                [Group: Security]
                            [Expert Info (Chat/Security): Decrypted keytype 18 usage 11 using learnt encTGSRepPart_key in frame 91 (id=91.4 same=1) (268fc3fa...)]
                                [Decrypted keytype 18 usage 11 using learnt encTGSRepPart_key in frame 91 (id=91.4 same=1) (268fc3fa...)]
                                [Severity level: Chat]
                                [Group: Security]
                            [Expert Info (Chat/Security): Decrypted keytype 18 usage 11 using learnt encTicketPart_key in frame 103 (id=103.1 same=0) (268fc3fa...)]
                                [Decrypted keytype 18 usage 11 using learnt encTicketPart_key in frame 103 (id=103.1 same=0) (268fc3fa...)]
                                [Severity level: Chat]
                                [Group: Security]
                        authenticator
                            authenticator-vno: 5
                            crealm: FOREST.MY
                            cname
                                name-type: kRB5-NT-PRINCIPAL (1)
                                cname-string: 1 item
                                    CNameString: Administrator
                            cusec: 143833
                            ctime: Dec 13, 2024 02:55:09.000000000 EET
                            subkey
                                Learnt authenticator_subkey keytype 18 (id=103.2) (8b4caf1b...)
                                    [Expert Info (Chat/Security): Learnt authenticator_subkey keytype 18 (id=103.2) (8b4caf1b...)]
                                        [Learnt authenticator_subkey keytype 18 (id=103.2) (8b4caf1b...)]
                                        [Severity level: Chat]
                                        [Group: Security]
                                keytype: 18
                                keyvalue: 8b4caf1ba85cad7aefcb1f18e47fcf6c8df6753147c6fb5ed786b62f019eb339
            Provides learnt encTicketPart_key in frame 103 keytype 18 (id=103.1 same=0) (268fc3fa...)
                [Expert Info (Chat/Security): Provides learnt encTicketPart_key in frame 103 keytype 18 (id=103.1 same=0) (268fc3fa...)]
                    [Provides learnt encTicketPart_key in frame 103 keytype 18 (id=103.1 same=0) (268fc3fa...)]
                    [Severity level: Chat]
                    [Group: Security]
            Provides learnt authenticator_subkey in frame 103 keytype 18 (id=103.2 same=0) (8b4caf1b...)
                [Expert Info (Chat/Security): Provides learnt authenticator_subkey in frame 103 keytype 18 (id=103.2 same=0) (8b4caf1b...)]
                    [Provides learnt authenticator_subkey in frame 103 keytype 18 (id=103.2 same=0) (8b4caf1b...)]
                    [Severity level: Chat]
                    [Group: Security]
            Used keytab principal krbtgt at FOREST.MY keytype 18 (id=keytab.13 same=0) (f062e2a4...)
                [Expert Info (Chat/Security): Used keytab principal krbtgt at FOREST.MY keytype 18 (id=keytab.13 same=0) (f062e2a4...)]
                    [Used keytab principal krbtgt at FOREST.MY keytype 18 (id=keytab.13 same=0) (f062e2a4...)]
                    [Severity level: Chat]
                    [Group: Security]
            Used learnt encTicketPart_key in frame 91 keytype 18 (id=91.2 same=2) (268fc3fa...)
                [Expert Info (Chat/Security): Used learnt encTicketPart_key in frame 91 keytype 18 (id=91.2 same=2) (268fc3fa...)]
                    [Used learnt encTicketPart_key in frame 91 keytype 18 (id=91.2 same=2) (268fc3fa...)]
                    [Severity level: Chat]
                    [Group: Security]
                [Expert Info (Chat/Security): Used learnt encTGSRepPart_key in frame 91 keytype 18 (id=91.4 same=1) (268fc3fa...)]
                    [Used learnt encTGSRepPart_key in frame 91 keytype 18 (id=91.4 same=1) (268fc3fa...)]
                    [Severity level: Chat]
                    [Group: Security]
                [Expert Info (Chat/Security): Used learnt encTicketPart_key in frame 103 keytype 18 (id=103.1 same=0) (268fc3fa...)]
                    [Used learnt encTicketPart_key in frame 103 keytype 18 (id=103.1 same=0) (268fc3fa...)]
                    [Severity level: Chat]
                    [Group: Security]
    KRB-PRIV
        Kerberos
            krb-priv
                pvno: 5
                msg-type: krb-priv (21)
                enc-part
                    etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                    cipher [?]: 3ee1c1ae0c798097d5dd88e15e1884d4ab75b8e39d0b65dfe528d7a444e2baeba0a0b9a5273f3c232259cfac162b67e82b85b71b1e980f8119be19874e67753cfd38395cb56501c3900d33945c8f6ee58274ab04b11cd986dda6f744f828e822b1368f3630066030b07deded4d5365d1d
                        Decrypted keytype 18 usage 13 using learnt authenticator_subkey in frame 103 (id=103.2 same=0) (8b4caf1b...)
                            [Expert Info (Chat/Security): Decrypted keytype 18 usage 13 using learnt authenticator_subkey in frame 103 (id=103.2 same=0) (8b4caf1b...)]
                                [Decrypted keytype 18 usage 13 using learnt authenticator_subkey in frame 103 (id=103.2 same=0) (8b4caf1b...)]
                                [Severity level: Chat]
                                [Group: Security]
                            [Expert Info (Chat/Security): Used keymap=all_keys num_keys=46 num_tries=14)]
                                [Used keymap=all_keys num_keys=46 num_tries=14)]
                                [Severity level: Chat]
                                [Group: Security]
                        encKrbPrivPart 192.168.122.48
                            user-data [?]: 3081a2a07a0478256f734650754231303e333f787a5671233b635367303a7378365f497537735d29503969237177763e4867634a557a5b3740716f28356376332d484265793d34233476585f475d41433826256654284a702d4278366d465f4a3074624b4f5a4d3850695e72685044
                            ChangePasswdData
                                newpasswd [?]: 256f734650754231303e333f787a5671233b635367303a7378365f497537735d29503969237177763e4867634a557a5b3740716f28356376332d484265793d34233476585f475d41433826256654284a702d4278366d465f4a3074624b4f5a4d3850695e726850446149714f344f25
                                targname
                                    name-type: kRB5-NT-PRINCIPAL (1)
                                    name-string: 1 item
                                        KerberosString: LOCALHOST$
                                targrealm: FOREST.MY
                            s-address 192.168.122.48
                                addr-type: iPv4 (2)
                                IP Address: 192.168.122.48
            Used learnt authenticator_subkey in frame 103 keytype 18 (id=103.2 same=0) (8b4caf1b...)
                [Expert Info (Chat/Security): Used learnt authenticator_subkey in frame 103 keytype 18 (id=103.2 same=0) (8b4caf1b...)]
                    [Used learnt authenticator_subkey in frame 103 keytype 18 (id=103.2 same=0) (8b4caf1b...)]
                    [Severity level: Chat]
                    [Group: Security]



More information about the cifs-protocol mailing list