[cifs-protocol] ServerAuthenticateKerberos() not usable for
Stefan Metzmacher
metze at samba.org
Wed Dec 18 14:59:43 UTC 2024
Hi DocHelp,

while implementing ServerAuthenticateKerberos() in Samba, I found
a strange behavior when using it for TrustedDnsDomainSecureChannel.
When I'm using it as a client, the following LogonGetCapabilities()
gets ACCESS_DENIED.

For all other network-visible NETLOGON_SECURE_CHANNEL_TYPE values
(WorkstationSecureChannel, ServerSecureChannel, CdcServerSecureChannel
and even TrustedDomainSecureChannel, used for downlevel NT4 trusts)
it works as expected.

I'm testing with a Windows 2025 preview build, but I guess there
are no related changes compared to the final version...

I also noticed that the Windows DC doesn't try to use ServerAuthenticateKerberos()
when connecting to a DC of a trusted domain.

Is this behavior intended?
Is there a flag on the TDO object to allow it to work?

I've attached a network capture that shows the problem.
The problem happens in frames 1528-1531.
All others are just there to show it's working...

With a nightly build of Wireshark you should be able to
decrypt all Kerberos and NETLOGON secure channel traffic.

Thanks for any help you can provide!

metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2025p-115-authenticate-kerberos-broken-dns-domain-03.pcap.gz
Type: application/gzip
Size: 262264 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20241218/e7364495/w2025p-115-authenticate-kerberos-broken-dns-domain-03.pcap.gz>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2025p-115-authenticate-kerberos-broken-dns-domain-03.keytab
Type: application/octet-stream
Size: 4782 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20241218/e7364495/w2025p-115-authenticate-kerberos-broken-dns-domain-03.obj>