On Fri, 2008-09-05 at 22:25 +0200, Stefan (metze) Metzmacher wrote:
> Hongwei Sun wrote:
> > Metze/Andrew,
> >
> > The subkey in the EncAPRepPart of the AP-REP should be used as the session key when the mutual authentication is enabled (as described in RFC 4121). When DES and RC4 are used in Kerberos, the implementation is based on RFC1964 (instead of RFC4121). According to RFC1964, you can pick the subkey in AP_REQ as the session key as it is the same as the subkey in AP_REP, but this is not true when AES is used because both subkeys are different (again AES means RFC4121 being used, not RFC1964). This explains what you observed. We will add the information to [MS-KILE] to describe how the session key is selected.
> >
> > The session key returned from the Kerberos package can be used for SMB signing as described in section 4.3 of [MS-SMB]. You have to truncate the keys to 128 bits in your code because SMB does the truncation on the Windows side.
> >
> > I ran similar testing as you did. I had one Vista machine connected to a Windows 2008 DC/KDC and configured AES256-CTS-HMAC-SHA1-96 as Kerberos encryption type with mutual authentication enabled. I cannot duplicate your SMB signing problem (see the network capture attached). It is working between Windows servers and clients.
>
> I got it working, the session key isn't truncated for the SMB signing.
>
> The problem was that we reset the sequence number when updating the session key from the initiator subkey to the acceptor subkey between the session setup request and response.
>
> Also Windows signs the response with the acceptor subkey, so that the client needs to check the signature after processing the response.
I think I hit the same issue Samba/Samba last night (after I enabled mandatory SMB signing in our server). Is your fix for this up somewhere?

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
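The two points Metze describes (the client must switch from the initiator subkey to the acceptor subkey only after it has processed the response, and the signing sequence counter must not restart on that switch) can be checked with a small simulation. The following is an added example, not Samba's code and not Metze's fix; it assumes the SMB1 signing construction of MD5 over the 128-bit-truncated session key followed by the message with the sequence number written into the SecuritySignature field (as described in [MS-SMB] section 4.3), a 32-byte SMB1 header with the signature at offset 14, and two constructed 32-byte AES256 subkeys standing in for the real AP-REQ/AP-REP subkeys.

```python
import hashlib
import hmac
import struct

# Assumed SMB1 header layout: 32 bytes, SecuritySignature at offset 14.
SMB1_HEADER_LEN = 32
SIG_OFFSET = 14
KEY_LEN = 16  # the thread: SMB truncates the session key to 128 bits
SMB_COM_SESSION_SETUP_ANDX = 0x73

# Constructed stand-ins for the two AES256 subkeys (32 bytes each); not real key material.
INITIATOR_SUBKEY = hashlib.sha256(b"constructed initiator subkey from AP-REQ").digest()
ACCEPTOR_SUBKEY = hashlib.sha256(b"constructed acceptor subkey from AP-REP").digest()


def truncate_session_key(key: bytes) -> bytes:
    """Keep only the first 128 bits of the GSS session key, as SMB does."""
    return key[:KEY_LEN]


def smb1_sign(session_key: bytes, msg: bytes, seq: int) -> bytes:
    """8-byte signature: MD5(truncated key || msg) with the sequence number
    (little-endian 32-bit, then four zero bytes) placed in the signature field."""
    body = bytearray(msg)
    body[SIG_OFFSET:SIG_OFFSET + 8] = struct.pack("<I", seq) + b"\x00" * 4
    return hashlib.md5(truncate_session_key(session_key) + bytes(body)).digest()[:8]


def smb1_attach_signature(session_key: bytes, msg: bytes, seq: int) -> bytes:
    sig = smb1_sign(session_key, msg, seq)
    return msg[:SIG_OFFSET] + sig + msg[SIG_OFFSET + 8:]


def smb1_verify(session_key: bytes, msg: bytes, seq: int) -> bool:
    expected = smb1_sign(session_key, msg, seq)
    return hmac.compare_digest(expected, msg[SIG_OFFSET:SIG_OFFSET + 8])


def smb1_header(command: int, mid: int) -> bytes:
    hdr = bytearray(SMB1_HEADER_LEN)
    hdr[0:4] = b"\xffSMB"
    hdr[4] = command
    hdr[30:32] = struct.pack("<H", mid)  # MID field
    return bytes(hdr)


def session_setup_exchange(switch_key: bool, reset_seq: bool) -> dict:
    """Simulate the signed Session Setup round trip from the thread.
    switch_key: the client moves to the acceptor subkey after parsing the response
                (what Windows expects).
    reset_seq:  the client restarts its sequence counter on that switch (the bug)."""
    client_key, client_seq = INITIATOR_SUBKEY, 0

    # Request: signed by the client with the initiator subkey at seq 0.
    request = smb1_attach_signature(client_key, smb1_header(SMB_COM_SESSION_SETUP_ANDX, 1), client_seq)
    server_ok = smb1_verify(INITIATOR_SUBKEY, request, 0)
    client_seq += 1  # the response is expected at the next sequence number

    # Response: the server already holds the acceptor subkey and signs with it at seq 1.
    # The payload stands in for the GSS blob (AP-REP) that carries the acceptor subkey.
    payload = ACCEPTOR_SUBKEY  # constructed; a real blob would be ASN.1/GSS encoded
    response = smb1_attach_signature(ACCEPTOR_SUBKEY,
                                     smb1_header(SMB_COM_SESSION_SETUP_ANDX, 1) + payload, 1)

    # Client: process the response (extract the subkey) before verifying its signature.
    if switch_key:
        client_key = response[SMB1_HEADER_LEN:SMB1_HEADER_LEN + 32]
        if reset_seq:
            client_seq = 0
    client_ok = smb1_verify(client_key, response, client_seq)
    return {"server_accepted_request": server_ok, "client_accepted_response": client_ok}


if __name__ == "__main__":
    for switch, reset in [(True, False), (True, True), (False, False)]:
        print(f"switch_key={switch} reset_seq={reset}: {session_setup_exchange(switch, reset)}")
```

Only the combination "switch to the acceptor subkey, keep counting" verifies the response; resetting the counter or staying on the initiator subkey both produce a signature mismatch, which is the failure mode the thread reports.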
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
