I just found that the session key used to decrypt the password attributes in the DsGetNCChanges() is not truncated. And I need to use gsskrb5_get_subkey() instead of gsskrb5_get_initiator_subkey(), when AES keys are used.
metze

>> In our last conference call, we talked about your question
>> regarding which of the numerous keys Kerberos produces is considered
>> the 'SMB session key'. I had discussions with the product team to
>> find what or how should be documented. You mentioned that you would
>> like to see the document to specify which GSSAPI call returns the
>> session key. They would like to have a little more background
>> information, which you already talked about a little bit during our
>> conversation. I just want to confirm so I can pass it accurately to
>> product team.
>>
>> What do you mean by GSSAPI with CFX ? Do you mean the mechanism
>> conforming to RFC 4121 ?
>
> Yes. (I should stop using that term, as it never made it into the RFC)
>
>> What implementation are you using for GSSAPI with CFX in Vista
>> ? Is it Heimdal’s implementation ?
>
> Yes.
>
>> What is your expectation about how this detail should be included
>> in the document ? Do you expect it to associate with specific GSSAPI
>> calls?
>
> An indication of the (hopefully shared) MIT/Heimdal API would be very
> useful (as these are almost certainly the basis of any new
> implementations).
>
> However, this should be alongside a description of where in the kerberos
> protocol is found:
>
> 'the session key generated on ... and encrypted in message ... as
> element ... from (client/server) to the (client/server) is also used as
> the SMB Session key' (for example)
>
>> I hope that with the information we can have a resolution soon.
>> Thanks for your patience.
>
> No worries,
>
> Andrew Bartlett
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cifs-protocol mailing list
> [email protected]
> https://lists.samba.org/mailman/listinfo/cifs-protocol
