Re: [PATCH v2] cifs: decoding negTokenInit with generic ASN1 decoder
From: Steve French
Date: Sat May 22 2021 - 22:36:24 EST
On Fri, May 21, 2021 at 3:44 AM Aurélien Aptel via samba-technical
<samba-technical@xxxxxxxxxxxxxxx> wrote:
>
> Hi Hyunchul,
>
> The existence of multiple ASN1 decoder has been a regular complaint,
> this looks nice. Have you tested it against any servers?
>
> I think we need to make sure it works with Windows Server (including
> increased ones with the increased security flag, Steve do you remember
> the name of that flag?) and Samba at least.
Are you thinking about the authentication problem to Windows when a
stricter registry setting is chosen for server name hardening?
This involves populating the ntlmv2 response area of an NTLMSSP blob
with the "Target Name" attribute ie missing MsvAvTargetNamefield and
maybe also
MsvAvTimestamp and NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE in
MsvAvFlags. These (the target name field in particular) are required
when Windows servers set the registry parm SmbServerNameHardeningLevel
to 2
See e.g. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level
> There is the SDC EMEA plugfest coming up, might be a good time to try it
> out against other vendors as well.
Yes - definitely need to try with various cases (krb5 and ntlmssp in
SPNEGO) to various servers (Macs, NetApp, Windows, Azure, Samba,ksmbd
etc)
--
Thanks,
Steve