Andrew Bartlett wrote:
> The documentation in MS-KILE 3.4.5.1 on DCE_STYLE is very terse, and
> fails to clarify a few points, one of which is preventing
> interoperability with Windows Vista.
>
> The client MUST generate an additional AP reply message exactly as the
> server would ([RFC4120] section 3.2.4) as the final message to send to the server. In GSS terms,
> the client must return success and a message to the server. It is up to the application to deliver
> the message to the server.
>
> The server MUST receive the additional AP reply message and verify that the
> message is constructed correctly ([RFC4120] section 3.2.5).
>
> What is unclear here is how the sequence numbers, exchanged in this
> message, are expected to be updated. For example, with WinXP clients,
> and arcfour-hmac-md5 encryption, the sequence number (as maintained by
> the client, and seen on the server) is unaffected by the receipt of this
> extra message.
>
> In Heimdal's implementation here, we reset the sequence numbers after
> verifying the AP_REP at line 690.
>
> http://git.samba.org/?p=samba.git;a=blob;f=source/heimdal/lib/gssapi/krb5/accept_sec_context.c;h=73b93ceba4c6bb472c546afd52981bcf13051173;hb=v4-0-test
>
> However, when GSSAPI CFX is used, and therefore an AES key is negotiated
> by a Windows Vista client to a Samba4 server, the client seems to
> require that the remote (from the server's perspective) sequence number
> be increased by 1.
>
> (i.e., adding 1 to r_seq_number at line 690 allows the next gss_unwrap to
> match the expected sequence number correctly, in the DRSUAPI bind
> portion of a Vista SP1 domain join).
I found out why the seq number needs to be +1: it's because there's a GetMIC token in the AlterContext request from the client, in the same SPNEGO blob as the AP-REP from the client. And our server seems to miss the call to gss_verify_mic(), which would increase the seqnum.

metze
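The sequence-number bookkeeping behind metze's diagnosis, as an added Python model (not Heimdal's or Samba's code): one CFX context per side, MIC and Wrap tokens laid out as in RFC 4121 section 4.2.6, and a server that either does or does not verify the mechListMIC token before unwrapping the DRSUAPI bind. Assumptions: the checksum is HMAC-SHA1-96 keyed directly with the session key (no RFC 3962 per-usage key derivation), both sides start from sequence number 0 after the AP-REP exchange, and all token contents are constructed.

```python
import hmac, hashlib, struct

MIC_TOK_ID, WRAP_TOK_ID, FLAG_SENT_BY_ACCEPTOR = b"\x04\x04", b"\x05\x04", 0x01

class CfxContext:
    """One side of a GSSAPI CFX context. Simplification (assumption): checksum is
    HMAC-SHA1-96 keyed with the raw session key instead of an RFC 3962 derived key."""
    def __init__(self, key, acceptor):
        self.key, self.flags = key, FLAG_SENT_BY_ACCEPTOR if acceptor else 0
        self.local_seq = self.remote_seq = 0  # both reset after AP-REP verification

    def _cksum(self, header, data):
        return hmac.new(self.key, data + header, hashlib.sha1).digest()[:12]

    def _verify(self, tok_id, header, data, cksum):
        if header[:2] != tok_id or not hmac.compare_digest(cksum, self._cksum(header, data)):
            raise ValueError("bad token")
        seq = struct.unpack(">Q", header[8:16])[0]  # SND_SEQ, shared by MIC and Wrap tokens
        if seq != self.remote_seq:  # a token the server never verified leaves it one step behind
            raise ValueError(f"out of sequence: got {seq}, expected {self.remote_seq}")
        self.remote_seq += 1

    def get_mic(self, data):  # TOK_ID | Flags | Filler(5 x 0xFF) | SND_SEQ | SGN_CKSUM
        header = MIC_TOK_ID + bytes([self.flags]) + b"\xff" * 5 + struct.pack(">Q", self.local_seq)
        self.local_seq += 1
        return header + self._cksum(header, data)

    def verify_mic(self, data, token):
        self._verify(MIC_TOK_ID, token[:16], data, token[16:])

    def wrap(self, data):  # integrity-only Wrap: EC = checksum length, RRC = 0
        header = WRAP_TOK_ID + bytes([self.flags, 0xFF]) + struct.pack(">HHQ", 12, 0, self.local_seq)
        self.local_seq += 1
        return header + data + self._cksum(header, data)

    def unwrap(self, token):
        self._verify(WRAP_TOK_ID, token[:16], token[16:-12], token[-12:])
        return token[16:-12]

def alter_context_then_bind(call_verify_mic, key=b"constructed-session-key"):
    # Server side of the thread's exchange: the client's AlterContext SPNEGO blob carries a
    # MIC token beside the AP-REP, then the DRSUAPI bind arrives wrapped. True if in sequence.
    client, server = CfxContext(key, acceptor=False), CfxContext(key, acceptor=True)
    mic = client.get_mic(b"constructed mechListMIC input")
    if call_verify_mic:
        server.verify_mic(b"constructed mechListMIC input", mic)  # advances server.remote_seq
    bind = client.wrap(b"constructed DRSUAPI bind request")
    try:
        return server.unwrap(bind) == b"constructed DRSUAPI bind request"
    except ValueError:
        return False
```

Skipping the gss_verify_mic() call is the only difference between the two runs; the unwrap that follows fails with the off-by-one the thread observed.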
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol