Luke Kenneth Casson Leighton lkcl at samba.org
Wed Nov 17 17:50:52 GMT 1999


the netmon trace you sent me contains a NetrServerAuthenticate2() with a
neg_flags of 0x6007BFFFF.  the most number of bits _ever_ seen before is
0x400001FF, from SP4.  SP3 sends 0x000001ff.  NT 3.51 sends 0x000000ff.

therefore, my guess is that microsoft has added extra negotiation for
additional encryption methods.  these are going to be things like 3des;
sha; cbc; and the method described in draft-brezak-win2k-krb-hmac-01.txt;
blah blah, which is a little bit unfortunate, as we currently implement
none of these.

i therefore need to implement neg_flags "0x40000000" at the _very_ least
(method described in draft-brezak-win2k-krb-hmac-01.txt) which is
supported by SP4+.

i suspect that microsoft has set the default settings for NETLOGON secure
channel to "required" in NT5, for higher security.  [hooray!  well done
microsoft!  particularly as the workstation trust account password is set
to a totally-random value!]


Luke Kenneth Casson Leighton    <lkcl at samba.org>
Samba and Network Development   <http://www.cb1.com/~lkcl>
Samba Web site                  <http://samba.org>
Internet Security Systems, Inc. <http://www.iss.net>
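An added illustration, not part of Luke's message or of Samba's code: a small defender-side helper that compares the neg_flags a client sends in NetrServerAuthenticate2() against the bits a server actually implements, and reports which requested bits the server cannot honour. The only bit name taken from the post is 0x40000000 (the draft-brezak-win2k-krb-hmac-01 method); the 32-bit field width and the sample server mask are assumptions.

```python
# Added example (not from the original post or from Samba).  Compares the
# client's NetrServerAuthenticate2() neg_flags with what a server supports.

NEG_FLAGS_WIDTH = 32  # assumption: neg_flags is a 32-bit word
FIELD_MASK = (1 << NEG_FLAGS_WIDTH) - 1

# Only 0x40000000 is named in the post (draft-brezak-win2k-krb-hmac-01,
# supported by SP4+); every other bit is reported as "unnamed".
KNOWN_FLAG_NAMES = {
    0x40000000: "draft-brezak-win2k-krb-hmac (SP4+)",
}

# Values quoted in the post for earlier NT releases.
OBSERVED = {"NT 3.51": 0x000000FF, "SP3": 0x000001FF, "SP4": 0x400001FF}


def fits_field(value: int) -> bool:
    """True if value is a non-negative integer that fits the flag word.

    The post quotes 0x6007BFFFF (nine hex digits); as written that cannot
    be a valid 32-bit neg_flags value, and this check surfaces that.
    """
    return 0 <= value <= FIELD_MASK


def negotiate(client_flags: int, server_supported: int) -> dict:
    """Return negotiated bits and the client bits the server cannot honour."""
    if not fits_field(client_flags):
        raise ValueError(f"neg_flags {client_flags:#x} exceeds {NEG_FLAGS_WIDTH} bits")
    negotiated = client_flags & server_supported
    unsupported = client_flags & ~server_supported & FIELD_MASK
    return {
        "negotiated": negotiated,
        "unsupported": unsupported,
        # (bit value, label) for each bit the client asked for but we lack
        "unsupported_bits": [
            (1 << i, KNOWN_FLAG_NAMES.get(1 << i, "unnamed"))
            for i in range(NEG_FLAGS_WIDTH)
            if unsupported & (1 << i)
        ],
    }


if __name__ == "__main__":
    server_mask = 0x000001FF  # constructed: an SP3-level server, no 0x40000000
    for name, flags in OBSERVED.items():
        r = negotiate(flags, server_mask)
        print(f"{name:8} client={flags:#010x} negotiated={r['negotiated']:#010x} "
              f"unsupported={r['unsupported']:#010x} {r['unsupported_bits']}")
```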
