[cifs-protocol] [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640

Stefan Metzmacher metze at samba.org
Wed Jan 8 11:22:26 UTC 2025


Hi Kristian,

> The latest code changes in this area were released in the first servicing/security update for the mainstream version of Server 2025, so you'd need the first update.

Ok, thanks!

> That said, I can't guarantee this update fixed the issue you were seeing without traces at the time of the error.
> This is my best guess with the network trace you provided and my own code research.

I re-ran the tests and it all works now, also for trusts.

> As far as client-side fixes, if you're referring to this code change, it does not look like the client was modified.
> If you have any further questions, please let me know.

I'm just wondering why a Windows 2025 DC does not try ServerAuthenticateKerberos at all
against trusted domains.

I was just wondering why the server problem was detected and fixed
when there's no software out in the wild triggering that code path.
So I guessed that the client code in Windows has also changed.

Can you find out why Windows doesn't even try it for trusted domains?
Maybe there's a flag on the trustedDomain object to activate it?
It would be good to know.

Thanks!
metze


