Bug #15509
SMB server SPNEGO fails with NEGOEX
Status: closed
% Done: 100%
Difficulty: Medium
External Bug: racktop:BSR-12184
Description
The customer has Windows 10 clients with the (add-on) subscription version of Windows Defender installed (which is apparently different from the ordinary version of Windows Defender). With that add-on package, these clients send SPNEGO with a list of mechanisms including either:
- Kerberos
- Kerberos (NT)
- NEGOEX
- NTLMSSP

or:
- NEGOEX
- NTLMSSP

With the first list, we select Kerberos and all goes fine.
With the second list, we try the first mechanism and find that we don't have support for that mechanism. At that point we give up and return "invalid parameter". We should instead return an SPNEGO response that proposes use of one of the other mechanisms in the list sent by the client (e.g. we should select NTLMSSP). Details on how this works are in RFC-4178:
https://www.rfc-editor.org/rfc/rfc4178.txt
and the MS-SPNG spec.
Testing:
Verified with pcap that the client initiates session setup with NEGOEX, and responds with NTLMSSP as a supported mechanism.
Has been in production for a few months.
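
The fallback described above, as an added example that is not part of the bug report or the illumos fix: the server walks the client's mechTypes list and picks the first mechanism it implements instead of failing on an unsupported first entry. The names select_mech and mech_choice_t, the server's supported set, and the policy of following the client's preference order are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Dotted OIDs of the mechanisms named in the description. */
#define OID_KRB5	"1.2.840.113554.1.2.2"
#define OID_MS_KRB5	"1.2.840.48018.1.2.2"		/* "Kerberos (NT)" */
#define OID_NEGOEX	"1.3.6.1.4.1.311.2.2.30"
#define OID_NTLMSSP	"1.3.6.1.4.1.311.2.2.10"
#define N(a)		(sizeof (a) / sizeof ((a)[0]))

/* Hypothetical result type, not the SMB server's own. */
typedef struct {
	int chosen;		/* index into the client's list, -1 = reject */
	int use_optimistic;	/* 1 if the client's initial mechToken applies */
} mech_choice_t;

/* Constructed sample data: assumed server set and the two client lists. */
static const char *const srv_mechs[] = { OID_KRB5, OID_MS_KRB5, OID_NTLMSSP };
static const char *const list1[] =
	{ OID_KRB5, OID_MS_KRB5, OID_NEGOEX, OID_NTLMSSP };
static const char *const list2[] = { OID_NEGOEX, OID_NTLMSSP };

/*
 * Take the first client mechanism the server supports. An unsupported
 * first entry (NEGOEX in list2) is skipped, not treated as an error.
 */
mech_choice_t
select_mech(const char *const *cli, size_t ncli,
    const char *const *srv, size_t nsrv)
{
	mech_choice_t r = { -1, 0 };
	for (size_t i = 0; i < ncli; i++) {
		for (size_t j = 0; j < nsrv; j++) {
			if (strcmp(cli[i], srv[j]) != 0)
				continue;
			r.chosen = (int)i;
			/* The initial token was built for cli[0] only. */
			r.use_optimistic = (i == 0);
			return (r);
		}
	}
	return (r);	/* no common mechanism: reply with a reject */
}

int
main(void)
{
	mech_choice_t a = select_mech(list1, N(list1), srv_mechs, N(srv_mechs));
	mech_choice_t b = select_mech(list2, N(list2), srv_mechs, N(srv_mechs));
	printf("list1: chosen=%d optimistic=%d\n", a.chosen, a.use_optimistic);
	printf("list2: chosen=%d optimistic=%d\n", b.chosen, b.use_optimistic);
	return (0);
}
```

When use_optimistic is 0, the server's reply names the chosen mechanism and the client has to start that mechanism's exchange from scratch, because the token in its first message was built for the mechanism it listed first.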
Updated by Toomas Soome 2 months ago
- Description updated (diff)
- Status changed from In Progress to Pending RTI
- External Bug set to racktop:BSR-12184
Updated by Electric Monk 2 months ago
- Status changed from Pending RTI to Closed
- % Done changed from 90 to 100
git commit cc86afee48db3344a3a0f1ebd01bfcf9cb38bf5b
commit cc86afee48db3344a3a0f1ebd01bfcf9cb38bf5b
Author: Gordon Ross <gwr@racktopsystems.com>
Date: 2023-04-04T20:12:24.000Z

    15509 SMB server SPNEGO fails with NEGOEX
    Reviewed by: Jerry Jelinek <gjelinek@racktopsystems.com>
    Reviewed by: Andy Stormont <andyjstormont@gmail.com>
    Reviewed by: Albert Lee <alee@racktopsystems.com>
    Reviewed by: Bill Sommerfeld <sommerfeld@alum.mit.edu>
    Approved by: Dan McDonald <danmcd@mnx.io>