[cifs-protocol] ServerAuthenticateKerberos() not usable for

Stefan Metzmacher metze at samba.org
Wed Dec 18 14:59:43 UTC 2024


Hi DocHelp,

while implementing ServerAuthenticateKerberos() in Samba, I found
a strange behavior when using it for TrustedDnsDomainSecureChannel.

When I'm using it as a client, the following LogonGetCapabilities()
gets ACCESS_DENIED.

For all other network-visible NETLOGON_SECURE_CHANNEL_TYPE values
(WorkstationSecureChannel, ServerSecureChannel, CdcServerSecureChannel
and even TrustedDomainSecureChannel, used for downlevel NT4 trusts)
it works as expected.

I'm testing with a Windows 2025 preview build, but I guess there
are no related changes compared to the final version...

I also noticed that the Windows DC doesn't try to use ServerAuthenticateKerberos()
when connecting to a DC of a trusted domain.

Is this behavior intended?
Is there a flag on the TDO object to allow it to work?

I've attached a network capture that shows the problem.

The problem happens in frames 1528-1531.
All others are just there to show it's working...

With a nightly build of Wireshark you should be able to
decrypt all Kerberos and Netlogon secure channel traffic.

Thanks for any help you can provide!
metze
Attachments:
- w2025p-115-authenticate-kerberos-broken-dns-domain-03.pcap.gz
  (application/gzip, 262264 bytes)
  <http://lists.samba.org/pipermail/cifs-protocol/attachments/20241218/e7364495/w2025p-115-authenticate-kerberos-broken-dns-domain-03.pcap.gz>
- w2025p-115-authenticate-kerberos-broken-dns-domain-03.keytab
  (application/octet-stream, 4782 bytes)
  <http://lists.samba.org/pipermail/cifs-protocol/attachments/20241218/e7364495/w2025p-115-authenticate-kerberos-broken-dns-domain-03.obj>