Andrew Bartlett wrote:
> On Fri, 2008-09-05 at 22:25 +0200, Stefan (metze) Metzmacher wrote:
>> Hongwei Sun wrote:
>>> Metze/Andrew,
>>>
>>> The subkey in the EncAPRepPart of the AP-REP should be used as the
>>> session key when the mutual authentication is enabled (as described in RFC
>>> 4121). When DES and RC4 are used in Kerberos, the implementation is
>>> based on RFC1964 (instead of RFC4121). According to RFC1964, you can pick
>>> the subkey in AP_REQ as the session key as it is the same as the subkey in
>>> AP_REP, but this is not true when AES is used because both subkeys are
>>> different (again AES means RFC4121 being used, not RFC1964). This
>>> explains what you observed. We will add the information to [MS-KILE] to
>>> describe how the session key is selected.
>>>
>>> The session key returned from Kerberos package can be used for SMB
>>> signing as described in the section 4.3 of [MS-SMB]. You have to truncate
>>> the keys to 128 bits in your code because SMB does the truncation on the
>>> windows side.
>>>
>>> I ran similar testing as you did. I had one Vista machine connected
>>> to Windows 2008 DC/KDC and configured AES256-CTS-HMAC-SHA1-96 as Kerberos
>>> encryption type with mutual authentication enabled. I cannot duplicate
>>> your SMB signing problem (see the network capture attached). It is working
>>> between Windows servers and clients.
>> I got it working, the session key isn't truncated for the SMB signing.
>>
>> The problem was that we reset the sequence number when updating the
>> session key from the initiator subkey to the acceptor subkey between the
>> session setup request and response.
>>
>> Also windows signs the response with the acceptor subkey, so that the
>> client needs to check the signature after processing the response.
>
> I think I hit the same issue Samba/Samba last night (after I enabled
> mandatory smb signing in our server). Is your fix for this up
> somewhere?
http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=v4-0-aes
http://gitweb.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=b53e6387e30010509034835acf88b91b380ff44a

metze
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
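The sequence-number bug metze describes, as an added example that is not code from this thread or from Samba: a small Python model of one side's SMB1 signing state across the session setup exchange. The client signs the request with the initiator (AP-REQ) subkey, the server signs the response with the acceptor (AP-REP) subkey, and the client can only verify that response after it has processed the AP-REP and switched keys. The signature scheme is an assumption, loosely modelled after SMB1 signing (MD5 over the key and the message with the sequence number placed in the signature field; wire details simplified). Whether the Kerberos key is truncated to 128 bits first is the point the two posters disagree on, so the model simply uses whatever key bytes the caller passes. The class, function names and sample keys are constructed for this example.

```python
import hashlib
import hmac
import struct


def smb1_signature(signing_key: bytes, message: bytes, seq_num: int) -> bytes:
    """Simplified SMB1-style signature (assumption, not wire-exact): the 8-byte
    signature field carries the sequence number, the key is prepended, and the
    first 8 bytes of the MD5 digest form the signature."""
    signature_field = struct.pack("<II", seq_num, 0)
    digest = hashlib.md5(signing_key + signature_field + message).digest()
    return digest[:8]


class SigningState:
    """One side's signing state: the current key and the next sequence number.
    Every signed or verified message consumes exactly one sequence number on
    both sides, which keeps the two counters in step."""

    def __init__(self, signing_key: bytes) -> None:
        self.key = signing_key
        self.seq = 0

    def update_key(self, new_key: bytes, reset_sequence: bool = False) -> None:
        """Switch from the initiator subkey to the acceptor subkey. The counter
        must keep counting; reset_sequence=True reproduces the bug from the
        thread, where the counter was set back to zero on the key switch."""
        self.key = new_key
        if reset_sequence:
            self.seq = 0

    def sign(self, message: bytes) -> bytes:
        signature = smb1_signature(self.key, message, self.seq)
        self.seq += 1
        return signature

    def verify(self, message: bytes, signature: bytes) -> bool:
        expected = smb1_signature(self.key, message, self.seq)
        self.seq += 1
        return hmac.compare_digest(signature, expected)


def simulate_session_setup(reset_sequence_on_key_update: bool) -> bool:
    """Run the session setup exchange and return whether the client accepts
    the server's response signature."""
    # Constructed sample subkeys: 32 bytes each, the size of an AES256 key.
    initiator_subkey = bytes(range(32))
    acceptor_subkey = bytes(range(32, 64))
    request = b"SESSION_SETUP_ANDX request (constructed payload)"
    response = b"SESSION_SETUP_ANDX response (constructed payload)"

    # Both sides start with the initiator subkey from the AP-REQ.
    client = SigningState(initiator_subkey)
    server = SigningState(initiator_subkey)

    # Client signs the request at sequence 0; server verifies it at sequence 0.
    request_sig = client.sign(request)
    if not server.verify(request, request_sig):
        raise RuntimeError("server rejected the request signature")

    # The server already knows the acceptor subkey it put in the AP-REP, so it
    # switches keys and signs the response at sequence 1.
    server.update_key(acceptor_subkey)
    response_sig = server.sign(response)

    # The client learns the acceptor subkey only by processing the AP-REP in
    # the response, so it switches keys first and verifies afterwards. With a
    # correct switch the counter is still 1 and the signature checks out; with
    # the reset it drops back to 0 and verification fails.
    client.update_key(acceptor_subkey, reset_sequence=reset_sequence_on_key_update)
    return client.verify(response, response_sig)


if __name__ == "__main__":
    print("fixed key switch:", simulate_session_setup(False))
    print("buggy key switch (sequence reset):", simulate_session_setup(True))
```

Running the script shows the fixed switch accepting the response and the buggy one rejecting it; the only difference between the two runs is whether the sequence counter survives the change of key.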
