Patch: spnego auth packet parsing

Steven Danneman steven.danneman at
Tue Sep 18 18:56:29 GMT 2007



We ran across a bug joining our Samba server to a Win2K domain with LDAP
signing turned on.  Upon investigation I discovered that there is a bug
in Win2K server which returns a duplicated responseToken in the LDAP
bindResponse packet.  This blob is placed in the optional mechListMIC
field which is unsupported in both Win2K and Win2K3.  You can see RFC
2478 for the proper packet construction.  I've worked with metze on this
to confirm all these finding.


This patch properly parses then discards the mechListMIC field if it
exists in the packet, so we don't produce a malformed packet error,
causing LDAP signed joins to fail.  Also attached is a sniff of the
domain join, exposing Win2Ks bad behavior (packet 21).


Steven Danneman |  Software Developer

Isilon Systems    P +1-206-315-7500    F  +1-206-315-7485    


How breakthroughs begin.(tm)



-------------- next part --------------
A non-text attachment was scrubbed...
Name: spnego-auth-parse-c.diff
Type: application/octet-stream
Size: 1541 bytes
Desc: spnego-auth-parse-c.diff
Url :
-------------- next part --------------
A non-text attachment was scrubbed...
Name: w2k-native-ldap-sign.pcap
Type: application/octet-stream
Size: 8937 bytes
Desc: w2k-native-ldap-sign.pcap
Url :

More information about the samba-technical mailing list