[cifs-protocol] [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093

Kristian Smith Kristian.Smith at microsoft.com
Fri Jan 17 15:56:59 UTC 2025


Hi Metze,

I just wanted to let you know that I'm still working to get a confirmation from the engineering team whether this is expected behavior. I'll update you as soon as I have information to share.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com

-----Original Message-----
From: Kristian Smith 
Sent: Wednesday, January 8, 2025 6:28 PM
To: Stefan Metzmacher <metze at samba.org>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: RE: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2501080040012093

Hi Metze,

I'm going to reach out to the engineering team to try to get a better understanding of the client behavior in trust environments. I'll let you know what I learn.

Regards,
Kristian Smith
Support Escalation Engineer | Microsoft® Corporation
Email: kristian.smith at microsoft.com

-----Original Message-----
From: Stefan Metzmacher <metze at samba.org> 
Sent: Wednesday, January 8, 2025 3:22 AM
To: Kristian Smith <Kristian.Smith at microsoft.com>
Cc: cifs-protocol at lists.samba.org; Microsoft Support <supportmail at microsoft.com>
Subject: Re: [EXTERNAL] ServerAuthenticateKerberos() not usable for - TrackingID#2412180040010640

Hi Kristian,

> The latest code changes in this area were released in the first servicing/security update for the mainstream version of Server 2025, so you'd need the first update.

Ok, thanks!

> That said, I can't guarantee this update fixed the issue you were seeing without traces at the time of the error.
> This is my best guess with the network trace you provided and my own code research.

I re-ran the tests and it all works now, also for trusts.

> As far as client-side fixes, if you're referring to this code change, it does not look like the client was modified.
> If you have any further questions, please let me know.

I'm just wondering why a Windows 2025 DC does not try ServerAuthenticateKerberos at all against trusted domains.

I was just wondering why the server problem was detected and fixed when there's no software out in the wild triggering that code path.
So I guessed that the client code in Windows has also changed.

Can you find out why Windows doesn't even try it for trusted domains?
Maybe there's a flag on the trustedDomain object to activate it?
It would be good to know.

Thanks!
metze

