
List:       cifs-protocol
Subject:    Re: [cifs-protocol] [120012821001754][MS-SFU]Clarification request on cross-realm RBCD in MS-SFU 3.2
From:       Sreekanth Nadendla via cifs-protocol <cifs-protocol () lists ! samba ! org>
Date:       2020-01-28 21:06:58
Message-ID: BN8PR21MB12185989EBFA94A6A7CE4215C50A0 () BN8PR21MB1218 ! namprd21 ! prod ! outlook ! com

Hello Isaac, I'm researching this issue for you. I will provide you with an update as soon as I have some details to share with you.


Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications


From: Hung-Chun Yu <HungChun.Yu@microsoft.com>
Sent: Tuesday, January 28, 2020 11:22 AM
To: Isaac Boukris <iboukris@gmail.com>
Cc: support <support@mail.support.microsoft.com>; Greg Hudson <ghudson@mit.edu>; cifs-protocol@lists.samba.org
Subject: [120012821001754][MS-SFU]Clarification request on cross-realm RBCD in MS-SFU 3.2.5.2.2

+support [cc]
-dochelp [bcc]

Hi Isaac

Thank you for your question.  We created SR 120012821001754 and please leave this info in the subject line to track your issue.  An engineer will contact you soon.

Hung-Chun Yu
Microsoft Protocols Support

________________________________
From: Isaac Boukris <iboukris@gmail.com>
Sent: Tuesday, January 28, 2020 5:30 AM
To: Interoperability Documentation Help <dochelp@microsoft.com>; Greg Hudson <ghudson@mit.edu>; cifs-protocol@lists.samba.org <cifs-protocol@lists.samba.org>
Subject: [EXTERNAL] Re: Clarification request on cross-realm RBCD in MS-SFU 3.2.5.2.2

Hi again,

On Sun, Jan 26, 2020 at 1:57 PM Isaac Boukris <iboukris@gmail.com> wrote:
> 
> When a KDC replies with Service Ticket (MS-SFU 3.2.5.2.2), how does it
> determine the reply cname and crealm.
> 
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ce6bbf34-0f11-40d6-93d1-165a3afa0223
>
> Per the above doc, it sounds like it should be the cname and crealm
> from the additional-ticket, however in RBCD, when the
> additional-ticket is a cross-tgt the cname and crealm are of service-1
> and not of the impersonated client.
> 
> In contrast, I've observed that Windows KDC constructs the
> impersonated client's principal name from the PAC, and set the reply
> cname and crealm to that principal's. However, I can't find any clear
> document that reflects it.

I've sent this over the weekend, and perhaps got lost.

In short, I think MS-SFU 3.2.5.2.2 section was not updated for
cross-realm RBCD, as other parts of the document. Please review and
assign :)




