List:       cifs-protocol
Subject:    Re: [cifs-protocol] [EXTERNAL] Re: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details - Track
From:       "Jeff McCashland \(He/him\) via cifs-protocol" <cifs-protocol () lists ! samba ! org>
Date:       2023-09-22 22:04:22
Message-ID: DS7PR21MB36931A311DBB98F7ABAAC4A8A3FFA () DS7PR21MB3693 ! namprd21 ! prod ! outlook ! com

Hi Andrew,

Here is the response from our NRPC team:
In case of a failure at step 14/15 due to correct fault/error code, we skip comparing logic mentioned in step 16 and next steps will follow same.

Also, to give some background of this change, we wanted to ensure there is no man in middle attack when client sends the negotiated flags and this is ensured by the steps 14, 15, 16.

So since this is a security fix, we should encourage Linux and others to return correct flags in step 15 instead of errors to keep the connection secure.

I hope that helps!

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team
Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)
Local country phone number found here: http://support.microsoft.com/globalenglish | Extension 1138300

From: Jeff McCashland (He/him)
Sent: Wednesday, September 20, 2023 1:11 PM
To: Andrew Bartlett <abartlet@samba.org>; metze <metze@samba.org>; Ralph Böhme (samba) <slow@samba.org>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com>
Subject: RE: [cifs-protocol] [EXTERNAL] Re: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details - TrackingID#2309080040007879

Hi Andrew,

I will do so, and let you know.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team

From: Andrew Bartlett <abartlet@samba.org>
Sent: Wednesday, September 20, 2023 11:57 AM
To: Jeff McCashland (He/him) <jeffm@microsoft.com>; metze <metze@samba.org>; Ralph Böhme (samba) <slow@samba.org>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com>
Subject: Re: [cifs-protocol] [EXTERNAL] Re: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details - TrackingID#2309080040007879

Thanks so much for your time and investigation Jeff,

Please do continue to investigate, yes, this is the correct area we need described.

We know that Windows will fail if step 14 does not get the 'correct (for a server that does not implement level 2)' error code from <197> step 2. But if it does get the 'correct' fault/error code, what is the correct way to know that the negotiation was still fit to continue against a down-level server? That is, we are missing a step 16 for the client behaviour in the failure case on 14/15.

We need more than initial assumptions as this is a security behaviour we need to get right, while maintaining service against both patched and unpatched (Samba is not yet patched on the server side) servers.

Thanks,

Andrew Bartlett

On Wed, 2023-09-20 at 18:37 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:

Hi Andrew,



Just to be clear, are you referring to this behavior note for section 3.5.4.4.10 NetrLogonGetCapabilities (Opnum 21)?:

        <197> Section 3.5.4.4.10: Windows RPC layer may return its own error code instead of STATUS_INVALID_LEVEL. The error code that a client gets depends on where the calling application is getting the error from:

        1.      If the client is running on Windows and calling Windows RPC APIs, they may get the Win32 error code RPC_S_INVALID_TAG ([MS-ERREF] section 2.2).

        2.      If the client is running on third-party operating systems or getting the error code from the wire, they may get nca_s_fault_invalid_tag (0x1C000006). ([C706-RSCP]).

        3.      The conversion between the on-the-wire nca_s_fault_invalid_tag and Win32 error code RPC_S_INVALID_TAG is specified in [MS-RPCE] section 3.1.1.5.5.

Since the original question cited section 3.1.4.1 Session-Key Negotiation, I gather you're asking how the Client should proceed if an error is returned from NetrLogonGetCapabilities in Session-Key Negotiation steps 11 and/or 14, and if the behavior is different based on the different possible errors returned.



        3.1.4.1 Session-Key Negotiation

        Session-key negotiation between a client and a server is performed over an unprotected RPC channel.

        The following diagram illustrates the negotiation flow.

[...]

        11.     The client calls the NetrLogonGetCapabilities method to get Negotiated flags by setting QueryLevel to 1 (section 3.4.5.2.10).

        12.     The server SHOULD<72> return the negotiated flags for the current exchange.

        13.     The client SHOULD<73> compare the received ServerCapabilities (section 3.5.4.4.10) with the negotiated NegotiateFlags (section 3.5.4.4.2), and if there is a difference, the session key negotiation is aborted.

        14.     The client calls the NetrLogonGetCapabilities method to get Requested flags by setting QueryLevel to 2 (section 3.4.5.2.10).

        15.     The server SHOULD<74> return the client capabilities received during a negotiation request from client.

Since returning the results is stated as SHOULD, my initial assumption is that if an error is returned, the client simply does not return results.



Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team




-----Original Message-----
From: Andrew Bartlett <abartlet@samba.org>
Sent: Monday, September 18, 2023 3:04 PM
To: Jeff McCashland (He/him) <jeffm@microsoft.com>; metze <metze@samba.org>; Ralph Böhme <slow@samba.org>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com>
Subject: [EXTERNAL] Re: [cifs-protocol] [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details - TrackingID#2309080040007879

So, what metze is getting at is the details of what to do if the behaviour in note <197> is triggered. If the correct fault (mapped to an error code) is received by the client, due to noticing an older unpatched server (or Samba), what is the secure and correct behaviour?

Andrew Bartlett

On Mon, 2023-09-18 at 15:55 +0000, Jeff McCashland (He/him) via cifs-protocol wrote:

Hi Metze,

I haven't seen any response to my request below.

Could you give me an idea of when you may be able to provide more information on your [MS-NRPC] concern?

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team


-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Tuesday, September 12, 2023 3:49 PM
To: Stefan Metzmacher <metze@samba.org>; Ralph Böhme <slow@samba.org>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com>
Subject: RE: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details - TrackingID#2309080040007879

Hi Metze,

I have reviewed [MS-NRPC] section 3.1.4.1 Session-Key negotiation, and I don't see any mention of downgrade at all. I admit this is a document I'm not deeply familiar with.

Could you specify which steps you are referring to, what you mean by a downgrade, and specifically where you feel more detail is needed?

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team


-----Original Message-----
From: Jeff McCashland (He/him)
Sent: Friday, September 8, 2023 1:46 PM
To: Stefan Metzmacher <metze@samba.org>; Ralph Böhme <slow@samba.org>
Cc: cifs-protocol@lists.samba.org; Microsoft Support <supportmail@microsoft.com>
Subject: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details - TrackingID#2309080040007879

[support on CC, updated Subject with new SR ID]

Hi Metze,

We have created SR 2309080040007879 to track this issue. I will look into it and get back to you.

Best regards,
Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open Specifications Team


-----Original Message-----
From: Stefan Metzmacher <metze@samba.org>
Sent: Thursday, September 7, 2023 11:27 PM
To: Jeff McCashland (He/him) <jeffm@microsoft.com>; Ralph Böhme <slow@samba.org>
Cc: cifs-protocol@lists.samba.org
Subject: [EXTERNAL] Re: [MS-NRPC] DCERPC_NCA_S_FAULT_INVALID_TAG returned instead of STATUS_INVALID_LEVEL - TrackingID#2307200040007944

Hi Jeff,

We have updated [MS-NRPC] for the next release to address this issue. We have added the following Behavior Note to section 3.5.4.4.10:

<197> Section 3.5.4.4.10: Windows RPC layer may return its own error code instead of STATUS_INVALID_LEVEL. The error code that a client gets depends on where the calling application is getting the error from:
1. If the client is running on Windows and calling Windows RPC APIs, they may get the Win32 error code RPC_S_INVALID_TAG ([MS-ERREF] section 2.2).
2. If the client is running on third-party operating systems or getting the error code from the wire, they may get nca_s_fault_invalid_tag (0x1C000006). ([C706-RSCP] DCE 1.1: Remote Procedure Call - Reject Status Codes and Parameters).
3. The conversion between the on-the-wire nca_s_fault_invalid_tag and Win32 error code RPC_S_INVALID_TAG is specified in [MS-RPCE] Section 3.1.1.5.5.

I hope that helps.

Yes, thanks!

In addition I think 3.1.4.1 Session-Key Negotiation could be much more verbose in a way that it would describe how safe downgrade is possible and how an unsafe downgrade is detected.

metze

_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol



--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions








--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org<https://samba.org/>
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
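
The client-side check discussed in this thread (steps 11 to 16, with the NRPC team's answer for a fault at step 14/15), written out as an added C example that is not code from the thread, from Samba or from Microsoft. The struct, enum and function names are hypothetical, the step 16 comparison (flags returned at level 2 against the flags the client sent) and the abort on a level 1 error are assumptions, and the flag values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* nca_s_fault_invalid_tag is the on-the-wire fault quoted in note <197>;
 * STATUS_INVALID_LEVEL is the NTSTATUS the note says it may replace. */
#define NCA_S_FAULT_INVALID_TAG 0x1C000006u
#define STATUS_INVALID_LEVEL    0xC0000148u

/* Hypothetical client-side view of one NetrLogonGetCapabilities reply. */
struct getcaps_reply {
    uint32_t status; /* 0 = success, otherwise a fault or NTSTATUS code */
    uint32_t flags;  /* meaningful only when status == 0 */
};

enum neg_verdict {
    NEG_VERIFIED,            /* steps 13 and 16 both passed */
    NEG_DOWNLEVEL_UNCHECKED, /* expected fault at step 14/15, step 16 skipped */
    NEG_ABORT_NEGOTIATED,    /* step 13: negotiated flags differ */
    NEG_ABORT_REQUESTED,     /* step 16: requested flags differ */
    NEG_ABORT_ERROR          /* any other failure */
};

/* True for the errors a server without QueryLevel 2 is expected to give. */
static int is_level_not_implemented(uint32_t status)
{
    return status == NCA_S_FAULT_INVALID_TAG || status == STATUS_INVALID_LEVEL;
}

/* requested:  flags the client sent during negotiation
 * negotiated: flags the negotiation ended with
 * level1/2:   replies to NetrLogonGetCapabilities with QueryLevel 1 and 2 */
enum neg_verdict verify_negotiation(uint32_t requested, uint32_t negotiated,
                                    struct getcaps_reply level1,
                                    struct getcaps_reply level2)
{
    /* Steps 11-13: the server's view of the negotiated flags must match. */
    if (level1.status != 0)
        return NEG_ABORT_ERROR; /* assumption: level 1 errors are not handled here */
    if (level1.flags != negotiated)
        return NEG_ABORT_NEGOTIATED;

    /* Steps 14-15: a down-level server answers with the expected fault,
     * in which case the comparison in step 16 is skipped. */
    if (is_level_not_implemented(level2.status))
        return NEG_DOWNLEVEL_UNCHECKED;
    if (level2.status != 0)
        return NEG_ABORT_ERROR; /* not the 'correct' error code: fail */

    /* Step 16 (assumed): the server must have received what the client sent. */
    if (level2.flags != requested)
        return NEG_ABORT_REQUESTED;
    return NEG_VERIFIED;
}

const char *verdict_name(enum neg_verdict v)
{
    switch (v) {
    case NEG_VERIFIED:            return "verified";
    case NEG_DOWNLEVEL_UNCHECKED: return "down-level server, step 16 skipped";
    case NEG_ABORT_NEGOTIATED:    return "abort: negotiated flags mismatch";
    case NEG_ABORT_REQUESTED:     return "abort: requested flags mismatch";
    default:                      return "abort: unexpected error";
    }
}

int main(void)
{
    /* Constructed flag values, not real NegotiateFlags. */
    const uint32_t requested = 0x0FF0u, negotiated = 0x00F0u;
    struct getcaps_reply l1_ok    = { 0, 0x00F0u };
    struct getcaps_reply l2_ok    = { 0, 0x0FF0u };
    struct getcaps_reply l2_less  = { 0, 0x00F0u }; /* server saw fewer flags */
    struct getcaps_reply l2_fault = { NCA_S_FAULT_INVALID_TAG, 0 };

    printf("patched server:    %s\n",
           verdict_name(verify_negotiation(requested, negotiated, l1_ok, l2_ok)));
    printf("flags altered:     %s\n",
           verdict_name(verify_negotiation(requested, negotiated, l1_ok, l2_less)));
    printf("down-level server: %s\n",
           verdict_name(verify_negotiation(requested, negotiated, l1_ok, l2_fault)));
    return 0;
}
```

Returning `NEG_DOWNLEVEL_UNCHECKED` separately from `NEG_VERIFIED` lets a caller log or apply policy to sessions where the server never confirmed the requested flags.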


[Attachment #3 (text/html)]

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Aptos;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
code
	{mso-style-priority:99;
	font-family:"Courier New";}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;}
span.EmailStyle22
	{mso-style-type:personal-reply;
	font-family:"Aptos",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;
	mso-ligatures:none;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">Hi \
Andrew,<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">Here is the \
response from our NRPC team: <o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif;color:black;background:white">In case \
of a failure at </span><code><span \
style="font-size:10.0pt;color:black;background:white">step 14/15</span></code><span \
style="font-family:&quot;Arial&quot;,sans-serif;color:black;background:white">​</span><span \
style="font-family:&quot;Aptos&quot;,sans-serif;color:black;background:white"> due  \
to correct faut/ error code,&nbsp; we skip comparing logic mentioned in step 16 and \
next steps will follow same.</span><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif;color:black"><o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif;color:black;background:white">Also, \
to give some background of this change, we wanted to ensure there is no man in middle \
attack when client sends the negotiated flags and this is ensured by the \
</span><code><span style="font-size:10.0pt;color:black;background:white">steps 14, \
15, 16</span></code><span \
style="font-family:&quot;Arial&quot;,sans-serif;color:black;background:white">​</span><span \
style="font-size:12.0pt;font-family:&quot;Aptos&quot;,sans-serif;color:black"><o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif;color:black;background:white">So \
since this is a security fix, we should encourage Linux and others to return correct \
flags in </span><code><span \
style="font-size:10.0pt;color:black;background:white">step15</span></code><span \
style="font-family:&quot;Arial&quot;,sans-serif;color:black;background:white">​</span><span \
style="font-family:&quot;Aptos&quot;,sans-serif;color:black;background:white"> \
instead  of errors to&nbsp; keep the connection secure.<br>
<br>
</span><span style="font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">I hope \
that helps!<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p> <div>
<p class="MsoNormal"><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">Best \
regards,</span><b><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy"><br> \
<i>Jeff M</i></span></b><b><i><sup><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#002060">c</span></sup></i></b><b><i><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy">Cashland \
(He/him)&nbsp;</span></i></b><b><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy">|  \
Senior Escalation Engineer<i>&nbsp;| Microsoft</i></span></b><b><span \
style="font-family:&quot;Arial&quot;,sans-serif;color:navy">&nbsp;</span></b><b><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy">Protocol \
Open Specifications Team</span></b><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">Phone: +1 \
(425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and \
Canada)</span><span style="font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">Local \
country phone number found here:&nbsp;</span><span \
style="font-family:&quot;Aptos&quot;,sans-serif;color:#2F5496"><a \
href="http://support.microsoft.com/globalenglish"><span \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">&nbsp;|  \
Extension 1138300</span><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p> </div>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p> <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Jeff McCashland (He/him) <br>
<b>Sent:</b> Wednesday, September 20, 2023 1:11 PM<br>
<b>To:</b> Andrew Bartlett &lt;abartlet@samba.org&gt;; metze &lt;metze@samba.org&gt;; \
Ralph Böhme (samba) &lt;slow@samba.org&gt;<br> <b>Cc:</b> \
cifs-protocol@lists.samba.org; Microsoft Support \
&lt;supportmail@microsoft.com&gt;<br> <b>Subject:</b> RE: [cifs-protocol] [EXTERNAL] \
Re: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details - \
TrackingID#2309080040007879<o:p></o:p></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">Hi \
Andrew, <o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p> <p \
class="MsoNormal"><span style="font-family:&quot;Aptos&quot;,sans-serif">I will do \
so, and let you know. <o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p> <div>
<p class="MsoNormal"><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">Best \
regards,</span><b><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy"><br> \
<i>Jeff M</i></span></b><b><i><sup><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:#002060">c</span></sup></i></b><b><i><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy">Cashland \
(He/him)&nbsp;</span></i></b><b><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy">|  \
Senior Escalation Engineer<i>&nbsp;| Microsoft</i></span></b><b><span \
style="font-family:&quot;Arial&quot;,sans-serif;color:navy">&nbsp;</span></b><b><span \
style="font-size:10.0pt;font-family:&quot;Arial&quot;,sans-serif;color:navy">Protocol \
Open Specifications Team</span></b><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:9.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">Phone: +1 \
(425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and \
Canada)</span><span style="font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p>
 <p class="MsoNormal"><span \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">Local \
country phone number found here:&nbsp;</span><span \
style="font-family:&quot;Aptos&quot;,sans-serif;color:#2F5496"><a \
href="http://support.microsoft.com/globalenglish"><span \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif">http://support.microsoft.com/globalenglish</span></a></span><span \
style="font-size:8.0pt;font-family:&quot;Arial&quot;,sans-serif;color:blue">&nbsp;|  \
Extension 1138300</span><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p></o:p></span></p> </div>
<p class="MsoNormal"><span \
style="font-family:&quot;Aptos&quot;,sans-serif"><o:p>&nbsp;</o:p></span></p> <div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Andrew Bartlett &lt;<a \
href="mailto:abartlet@samba.org">abartlet@samba.org</a>&gt; <br>
<b>Sent:</b> Wednesday, September 20, 2023 11:57 AM<br>
<b>To:</b> Jeff McCashland (He/him) &lt;<a \
href="mailto:jeffm@microsoft.com">jeffm@microsoft.com</a>&gt;; metze &lt;<a \
href="mailto:metze@samba.org">metze@samba.org</a>&gt;; Ralph Böhme (samba) &lt;<a \
href="mailto:slow@samba.org">slow@samba.org</a>&gt;<br> <b>Cc:</b> <a \
href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>; \
Microsoft Support &lt;<a \
href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;<br> \
<b>Subject:</b> Re: [cifs-protocol] [EXTERNAL] Re: [MS-NRPC] 3.1.4.1 Session-Key \
Negotiation lacking details - TrackingID#2309080040007879<o:p></o:p></p> </div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<div>
<p class="MsoNormal">Thanks so much for your time and investigation \
Jeff,<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Please do continue to investigate, yes, this is the correct area \
we need described.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">We know that windows will fail if step 14 does not get the \
'correct (for a server that does not implement level 2)' error code from &lt;197&gt; \
step 2. &nbsp;But if it does get the 'correct' fault/error code, what is the correct \
way to know that the  negotiation was still fit to continue against a down-level \
server. &nbsp; That is, we are missing a step 16 for the client behaviour in the \
failure case on 14/15.&nbsp;<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">We need more than initial assumptions as this is a security \
behaviour we need to get right, while maintaining service against both patched and \
unpatched (Samba is not yet patched on the server side) servers.<o:p></o:p></p> \
</div> <div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">Andrew Bartlett<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
<div>
<p class="MsoNormal">On Wed, 2023-09-20 at 18:37 +0000, Jeff McCashland (He/him) via \
cifs-protocol wrote:<o:p></o:p></p> </div>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> \
<pre>Hi Andrew,<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>Just to be clear, are you referring to this behavior note for section 3.5.4.4.10 \
NetrLogonGetCapabilities (Opnum 21)?:<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;197&gt; Section 3.5.4.4.10: \
Windows RPC layer may return its own error code instead of STATUS_INVALID_LEVEL. The \
error code that a client gets depends on where the calling application is getting the \
error from:<o:p></o:p></pre> <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
1.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If the client is running on Windows and calling \
Windows RPC APIs, they may get the Win32 error code RPC_S_INVALID_TAG ([MS-ERREF] \
section 2.2).<o:p></o:p></pre> <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
2.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; If the client is running on third-party operating \
systems or getting the error code from the wire, they may get nca_s_fault_invalid_tag \
(0x1C000006). ([C706-RSCP]).<o:p></o:p></pre> \
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The \
conversion between the on-the-wire nca_s_fault_invalid_tag and Win32 error code \
RPC_S_INVALID_TAG is specified in [MS-RPCE] section 3.1.1.5.5.<o:p></o:p></pre> \
<pre><o:p>&nbsp;</o:p></pre> <pre>Since the original question cited section 3.1.4.1 \
Session-Key Negotiation, I gather you're asking how the Client should proceed if an \
error is returned from NetrLogonGetCapabilities in Session-Key Negotiation steps 11 \
and/or 14, and if the behavior is different based on the different possible errors \
returned.<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3.1.4.1 Session-Key \
Negotiation<o:p></o:p></pre> <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
Session-key negotiation between a client and a server is performed over an \
unprotected RPC channel.<o:p></o:p></pre> \
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The following diagram illustrates the \
negotiation flow.<o:p></o:p></pre> <pre>[...]<o:p></o:p></pre>
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 11.&nbsp;&nbsp;&nbsp;&nbsp; The \
client calls the NetrLogonGetCapabilities method to get Negotiaged flags by setting \
QueryLevel to 1 (section 3.4.5.2.10).<o:p></o:p></pre> \
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 12.&nbsp;&nbsp;&nbsp;&nbsp; The \
server SHOULD&lt;72&gt; return the negotiated flags for the current \
exchange.<o:p></o:p></pre> <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
13.&nbsp;&nbsp;&nbsp;&nbsp; The client SHOULD&lt;73&gt; compare the received \
ServerCapabilities (section 3.5.4.4.10) with the negotiated NegotiateFlags (section \
3.5.4.4.2), and if there is a difference, the session key negotiation is \
aborted.<o:p></o:p></pre> <pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \
14.&nbsp;&nbsp;&nbsp;&nbsp; The client calls the NetrLogonGetCapabilities method to \
get Requested flags by setting QueryLevel to 2 (section 3.4.5.2.10).<o:p></o:p></pre> \
<pre>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 15.&nbsp;&nbsp;&nbsp;&nbsp; The \
server SHOULD&lt;74&gt; return the client capabilities received during a negotiation \
request from client.<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>Since returning the results is stated as SHOULD, my initial assumption is that \
if an error is returned, the client simply does not return results.<o:p></o:p></pre> \
<pre><o:p>&nbsp;</o:p></pre> <pre>Best regards,<o:p></o:p></pre>
<pre>Jeff McCashland (He/him) | Senior Escalation Engineer | Microsoft Protocol Open \
Specifications Team<o:p></o:p></pre> <pre>Phone: +1 (425) 703-8300 x38300 | Hours: \
9am-5pm | Time zone: (UTC-08:00) Pacific Time (US and Canada)<o:p></o:p></pre> \
<pre>Local country phone number found here: <o:p></o:p></pre> <pre><u><span \
style="color:blue"><a \
href="http://support.microsoft.com/globalenglish">http://support.microsoft.com/globalenglish</a></span></u><span \
class="MsoHyperlink"><span \
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif"><o:p></o:p></span></span></pre>
 <p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<pre> | Extension 1138300<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>-----Original Message-----</pre>
<pre>From: Andrew Bartlett &lt;<a href="mailto:abartlet@samba.org">abartlet@samba.org</a>&gt;</pre>
<pre>Sent: Monday, September 18, 2023 3:04 PM</pre>
<pre>To: Jeff McCashland (He/him) &lt;<a href="mailto:jeffm@microsoft.com">jeffm@microsoft.com</a>&gt;; metze &lt;<a href="mailto:metze@samba.org">metze@samba.org</a>&gt;; Ralph Böhme &lt;<a href="mailto:slow@samba.org">slow@samba.org</a>&gt;</pre>
<pre>Cc: <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>; Microsoft Support &lt;<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;</pre>
<pre>Subject: [EXTERNAL] Re: [cifs-protocol] [MS-NRPC] 3.1.4.1 Session-Key \
Negotiation lacking details - TrackingID#2309080040007879<o:p></o:p></pre> \
<pre><o:p>&nbsp;</o:p></pre> <pre>So, what metze is getting at is the details of \
what to do if the behaviour in note &lt;197&gt; is triggered.&nbsp; If the correct \
fault (mapped to an error code) is received by the client, due to noticing an older \
unpatched server (or Samba), what is the secure and correct \
behaviour?<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>Andrew Bartlett<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>On Mon, 2023-09-18 at 15:55 +0000, Jeff McCashland (He/him) via cifs-protocol \
wrote:<o:p></o:p></pre> <blockquote style="border:none;border-left:solid #729FCF \
1.5pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> \
<pre>Hi Metze,<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>I haven't seen any response to my request below.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Could you give me an idea of when you may be able to provide \
more<o:p></o:p></pre> <pre>information on your [MS-NRPC] concern?<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre>Jeff McCashland (He/him) | Senior Escalation Engineer | \
Microsoft<o:p></o:p></pre> <pre>Protocol Open Specifications Team<o:p></o:p></pre>
<pre>Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: \
(UTC-<o:p></o:p></pre> <pre>08:00) Pacific Time (US and Canada)<o:p></o:p></pre>
<pre>Local country phone number found here: <a href="http://support.microsoft.com/globalenglish">http://support.microsoft.com/globalenglish</a> | Extension 1138300</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>-----Original Message-----</pre>
<pre>From: Jeff McCashland (He/him)</pre>
<pre>Sent: Tuesday, September 12, 2023 3:49 PM</pre>
<pre>To: Stefan Metzmacher &lt;<a href="mailto:metze@samba.org">metze@samba.org</a>&gt;; Ralph Böhme &lt;<a href="mailto:slow@samba.org">slow@samba.org</a>&gt;</pre>
<pre>Cc: <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>; Microsoft Support &lt;<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;</pre>
<pre>Subject: RE: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking \
details<o:p></o:p></pre> <pre>- TrackingID#2309080040007879<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Hi Metze,<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>I have reviewed [MS-NRPC] section 3.1.4.1 Session-Key negotiation, \
and<o:p></o:p></pre> <pre>I don't see any mention of downgrade at all. I admit this \
is a<o:p></o:p></pre> <pre>document I'm not deeply familiar with.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Could you specify which steps you are referring to, what you mean by \
a<o:p></o:p></pre> <pre>downgrade, and specifically where you feel more detail is \
needed?<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre>Jeff McCashland (He/him) | Senior Escalation Engineer | \
Microsoft<o:p></o:p></pre> <pre>Protocol Open Specifications Team<o:p></o:p></pre>
<pre>Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: \
(UTC-<o:p></o:p></pre> <pre>08:00) Pacific Time (US and Canada) Local country phone \
number found<o:p></o:p></pre> <pre>here:<o:p></o:p></pre>
<pre><a href="http://support.microsoft.com/globalenglish">http://support.microsoft.com/globalenglish</a> | Extension 1138300</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>-----Original Message-----</pre>
<pre>From: Jeff McCashland (He/him)</pre>
<pre>Sent: Friday, September 8, 2023 1:46 PM</pre>
<pre>To: Stefan Metzmacher &lt;<a href="mailto:metze@samba.org">metze@samba.org</a>&gt;; Ralph Böhme &lt;<a href="mailto:slow@samba.org">slow@samba.org</a>&gt;</pre>
<pre>Cc: <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a>; Microsoft Support &lt;<a href="mailto:supportmail@microsoft.com">supportmail@microsoft.com</a>&gt;</pre>
<pre>Subject: [MS-NRPC] 3.1.4.1 Session-Key Negotiation lacking details \
-<o:p></o:p></pre> <pre>TrackingID#2309080040007879<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>[support on CC, updated Subject with new SR ID]<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Hi Metze,<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>We have created SR 2309080040007879 to track this issue. I will \
look<o:p></o:p></pre> <pre>into it and get back to you.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Best regards,<o:p></o:p></pre>
<pre>Jeff McCashland (He/him) | Senior Escalation Engineer | \
Microsoft<o:p></o:p></pre> <pre>Protocol Open Specifications Team<o:p></o:p></pre>
<pre>Phone: +1 (425) 703-8300 x38300 | Hours: 9am-5pm | Time zone: \
(UTC-<o:p></o:p></pre> <pre>08:00) Pacific Time (US and Canada) Local country phone \
number found<o:p></o:p></pre> <pre>here:<o:p></o:p></pre>
<pre><a href="http://support.microsoft.com/globalenglish">http://support.microsoft.com/globalenglish</a> | Extension 1138300</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>-----Original Message-----</pre>
<pre>From: Stefan Metzmacher &lt;<a href="mailto:metze@samba.org">metze@samba.org</a>&gt;</pre>
<pre>Sent: Thursday, September 7, 2023 11:27 PM</pre>
<pre>To: Jeff McCashland (He/him) &lt;<a href="mailto:jeffm@microsoft.com">jeffm@microsoft.com</a>&gt;; Ralph Böhme &lt;<a href="mailto:slow@samba.org">slow@samba.org</a>&gt;</pre>
<pre>Cc: <a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a></pre>
<pre>Subject: [EXTERNAL] Re: [MS-NRPC] \
DCERPC_NCA_S_FAULT_INVALID_TAG<o:p></o:p></pre> <pre>returned instead of \
STATUS_INVALID_LEVEL -<o:p></o:p></pre> \
<pre>TrackingID#2307200040007944<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>Hi Jeff,<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<blockquote style="border:none;border-left:solid #729FCF 1.5pt;padding:0in 0in 0in \
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt"> \
<pre>We have updated [MS-NRPC] for the next release to address this<o:p></o:p></pre> \
<pre>issue. We have added the following Behavior Note to section<o:p></o:p></pre> \
<pre>3.5.4.4.10:<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>&lt;197&gt; Section 3.5.4.4.10: Windows RPC layer may return its own \
error<o:p></o:p></pre> <pre>code instead of STATUS_INVALID_LEVEL. The error code that \
a client<o:p></o:p></pre> <pre>gets depends on where the calling application is \
getting the error<o:p></o:p></pre> <pre>from:<o:p></o:p></pre>
<pre>1. If the client is running on Windows and calling Windows RPC \
APIs,<o:p></o:p></pre> <pre>they may get the Win32 error code RPC_S_INVALID_TAG \
([MS-ERREF]<o:p></o:p></pre> <pre>section 2.2).<o:p></o:p></pre>
<pre>2. If the client is running on third-party operating systems or<o:p></o:p></pre>
<pre>getting the error code from the wire, they may get<o:p></o:p></pre>
<pre>nca_s_fault_invalid_tag (0x1C000006). ([C706-RSCP] DCE 1.1: \
Remote<o:p></o:p></pre> <pre>Procedure Call - Reject Status Codes and \
Parameters).<o:p></o:p></pre> <pre>3. The conversion between the on-the-wire \
nca_s_fault_invalid_tag<o:p></o:p></pre> <pre>and Win32 error code RPC_S_INVALID_TAG \
is specified in [MS-RPCE]<o:p></o:p></pre> <pre>Section 3.1.1.5.5.<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>I hope that helps.<o:p></o:p></pre>
</blockquote>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Yes, thanks!<o:p></o:p></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>In addition I think 3.1.4.1 Session-Key Negotiation could be much \
more<o:p></o:p></pre> <pre>verbose in a way that it would describe how safe downgrade \
is possible<o:p></o:p></pre> <pre>and how an unsafe downgrade is \
detected.<o:p></o:p></pre> <pre><o:p>&nbsp;</o:p></pre>
<pre>metze<o:p></o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>cifs-protocol mailing list<o:p></o:p></pre>
<pre><a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a></pre>
<pre><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol">https://lists.samba.org/mailman/listinfo/cifs-protocol</a></pre>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
<pre>--<o:p></o:p></pre>
<pre>Andrew Bartlett (he/him)       <a href="https://samba.org/~abartlet/">https://samba.org/~abartlet/</a></pre>
<pre>Samba Team Member (since 2001) <a href="https://samba.org/">https://samba.org/</a></pre>
<pre>Samba Team Lead                <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></pre>
<pre>Catalyst.Net Ltd</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Samba Development and Support: <a href="https://catalyst.net.nz/services/samba">https://catalyst.net.nz/services/samba</a></pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>Catalyst IT - Expert Open Source Solutions</pre>
<pre><o:p>&nbsp;</o:p></pre>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>cifs-protocol mailing list<o:p></o:p></pre>
<pre><a href="mailto:cifs-protocol@lists.samba.org">cifs-protocol@lists.samba.org</a></pre>
<pre><a href="https://lists.samba.org/mailman/listinfo/cifs-protocol">https://lists.samba.org/mailman/listinfo/cifs-protocol</a></pre>
<pre><o:p>&nbsp;</o:p></pre>
</blockquote>
</div>
</body>
</html>



_______________________________________________
cifs-protocol mailing list
cifs-protocol@lists.samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
