Hi Simo:
We have finished our investigation on your question regarding authorization
data type 142. The following text will be added in a future release of MS-KILE.

2.2.7 KERB-LOOPBACK

The KERB-LOOPBACK structure contains the pointer to the credential object for
the client and a system time.<WB1>

typedef struct _KERB_LOOP_BACK {
    PCREDENTIAL Credential;
    ULONG64 SystemUpTime;
} KERB_LOOP_BACK, *PKERB_LOOP_BACK;

Credential: Address of the credential object.
ServiceUpTime: The number of milliseconds that have elapsed since the service
was started.

3.1.1.4 Service Up Time
KILE implements a counter of the number of milliseconds that have elapsed since
the service was started. <WB2>
The following text will be added to the end of section 3.2.5.5 AP Exchange:
When server name is not Krbtgt, the client SHOULD send KERB_LOOPBACK (142),
containing an authorization data field ([RFC4120] section 5.2.6) of type
KERB-LOOPBACK structure (Section 2.2.7) <WB1>.
The following text will be added at the end of section 3.4.5 Message Processing
Events and Sequencing Rules:
If the credential at KERB-LOOPBACK.Credential address on the server is the same
credential as in the service ticket, the server SHOULD process the
authentication as a local ISC call instead of as an AP-REQ message. <WB1>.
The following notes will be added to section 6 Appendix A: Product Behavior:
<WB1> Windows 7 and Windows Server 2008 R2 support transmitting KERB-LOOPBACK.
<WB2> In Windows 7 and Windows Server 2008 R2, the number of milliseconds that
have elapsed since the system was started is sent on the wire. This time is not
used by KILE.
Please let me know if it answers your question. If it does, I'll consider this
issue resolved.
Regards,
Obaid Farooqi
Sr. Support Escalation Engineer | Microsoft
-----Original Message-----
From: simo [mailto:[email protected]]
Sent: Friday, March 12, 2010 5:53 PM
To: Interoperability Documentation Help
Cc: [email protected]; [email protected]
Subject: CAR: MS-KILE and ad-type 142 ?
Dear Dochelp,
While researching forest trust relationships between a Windows 2008 R2 Domain
Controller and a Samba 4 Domain Controller I found out that the Windows domain
controller creates Kerberos packets containing an unknown auth data type 142.
MS-KILE references types 141 and 143 in section "3.2.5.5 AP Exchange", but I
could find no mention of 142.
Can you please document it?
Thanks,
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer <[email protected]>
Principal Software Engineer at Red Hat, Inc. <[email protected]>
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
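
The layout described under 2.2.7 in the mail above, as an added example (not part of the original thread and not Microsoft's or Samba's code): a C decoder for the ad-data of an authorization data element of type 142. It assumes a 64-bit sender, so a 16-byte little-endian payload with no padding; the function, struct and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define AD_TYPE_KERB_LOOPBACK 142 /* ad-type value named in the mail */
#define KERB_LOOPBACK_LEN 16      /* assumption: 8-byte pointer + ULONG64 */

/* Decoded payload. Field names are this example's, not the spec's. */
struct kerb_loopback {
    uint64_t credential;   /* address on the sending host; opaque elsewhere */
    uint64_t up_time_ms;   /* milliseconds counter sent on the wire */
};

/* Read a 64-bit little-endian value without relying on host byte order. */
static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Returns 0 on success, -1 for a different ad-type, -2 for a bad length. */
int parse_kerb_loopback(int32_t ad_type, const uint8_t *data, size_t len,
                        struct kerb_loopback *out)
{
    if (ad_type != AD_TYPE_KERB_LOOPBACK)
        return -1;
    if (data == NULL || out == NULL || len != KERB_LOOPBACK_LEN)
        return -2; /* never read past a short or oversized element */
    out->credential = le64(data);
    out->up_time_ms = le64(data + 8);
    return 0;
}

/* Constructed sample: address 0x1a2b3c40, up time 3600000 ms (one hour). */
static const uint8_t sample_ad_data[KERB_LOOPBACK_LEN] = {
    0x40, 0x3c, 0x2b, 0x1a, 0x00, 0x00, 0x00, 0x00,
    0x80, 0xee, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    struct kerb_loopback lb;
    if (parse_kerb_loopback(142, sample_ad_data, sizeof sample_ad_data, &lb) != 0)
        return 1;
    printf("credential=0x%llx up_time_ms=%llu\n",
           (unsigned long long)lb.credential, (unsigned long long)lb.up_time_ms);
    return 0;
}
```

The address is only meaningful inside the host that produced it, so a decoder running anywhere else can log or compare the value but has nothing to dereference.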