MS-RPC authentication from Cisco ISE against Samba4 does not work

Stefan Metzmacher metze at samba.org
Tue May 3 13:44:48 UTC 2016


Hi Stephan,

> we plan to use Samba4 (samba-4.3.7) as well as Cisco Identity Service Engine (ISE-1.4) for authentication purposes in our WLAN environment with PEAP and MS-ChapV2. In this scenario the ISE asks the Samba4 for verifying the user credentials via MS-RPC.
>
> Joining the ISE into Samba4 works well as well as Kerberos-authentication. Unfortunately MS-RPC-authentication (which is required for MS-ChapV2) does not work. The reason is that Cisco uses the MS-RPC protocol feature called “Security Context Multiplexing” (https://msdn.microsoft.com/en-us/library/cc243716.aspx). Although the ISE should prove whether Samba4 can handle that feature or not the ISE assumes that all Active Directory implementations can handle those requests and uses them. Unfortunately Samba4 cannot deal with that…
> 

Can you file a bug at https://bugzilla.samba.org and add as many details
as possible, including network captures and level 10 logs from Samba?

> Is there a way to implement that “Security Context Multiplexing”? tcpdumps and samba4 debug logs are available on request.

Typically clients should not use this feature unless the server
announces its support.

It's on my long term todo list for the new DCERPC infrastructure.
See https://wiki.samba.org/index.php/DCERPC

But it's unknown when it will be implemented, I fear it's unlikely to be
ready for Samba 4.5 (planned for September 2016). Maybe 4.6 (in March 2017)
or 4.7 (September 2017).

If you have an urgent need for this feature, you may want to consider
contacting any of https://www.samba.org/samba/support/globalsupport.html

metze
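
Added example, not part of the original message and not Samba or Cisco code: a check, for use on a bind_ack taken from a network capture, of whether the server announced Security Context Multiplexing during bind-time feature negotiation. It assumes the DCE/RPC connection-oriented bind_ack layout and the MS-RPCE convention that a negotiate_ack result (3) carries the feature bitmask in its reason field; the function names and the sample PDU are constructed for illustration.

```python
import struct

PTYPE_BIND_ACK = 12
NEGOTIATE_ACK = 3              # p_result_t.result for the feature-negotiation context
SEC_CTX_MULTIPLEXING = 0x0001  # SecurityContextMultiplexingSupported
KEEP_CONN_ON_ORPHAN = 0x0002   # KeepConnectionOnOrphanSupported


def announced_features(pdu: bytes) -> int:
    """Return the bind-time feature bitmask a bind_ack announces (0 if none)."""
    if len(pdu) < 26 or pdu[0] != 5 or pdu[2] != PTYPE_BIND_ACK:
        raise ValueError("not a DCERPC bind_ack PDU")
    end = "<" if pdu[4] & 0x10 else ">"       # packed_drep: 0x10 = little-endian
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated PDU")
    # Skip header (16) and max_xmit/max_recv/assoc_group (8), then sec_addr.
    sec_len = struct.unpack_from(end + "H", pdu, 24)[0]
    off = 26 + sec_len
    off += -off % 4                            # pad to 4-byte alignment
    if off + 4 > frag_len:
        raise ValueError("truncated result list")
    n_results = pdu[off]
    off += 4                                   # n_results + reserved bytes
    features = 0
    for _ in range(n_results):                 # p_result_t: result, reason, syntax (20)
        if off + 24 > frag_len:
            raise ValueError("truncated result list")
        result, reason = struct.unpack_from(end + "HH", pdu, off)
        if result == NEGOTIATE_ACK:
            features |= reason
        off += 24
    return features


def build_bind_ack(results):
    """Constructed sample bind_ack with the given (result, reason) pairs."""
    sec = b"\\PIPE\\netlogon\x00"
    body = struct.pack("<HHIH", 4280, 4280, 0x1234, len(sec)) + sec
    body += b"\x00" * (-(16 + len(body)) % 4)
    body += struct.pack("<BBH", len(results), 0, 0)
    for result, reason in results:
        body += struct.pack("<HH", result, reason) + b"\x00" * 20
    hdr = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND_ACK, 0x03, 0x10,
                      16 + len(body), 0, 1)
    return hdr + body
```

A result of 0, or one without the `SEC_CTX_MULTIPLEXING` bit, means the server did not announce the feature, which is the case where a client should not use it.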
