On Fri, May 21, 2021 at 3:44 AM Aurélien Aptel via samba-technical <samba-technical@xxxxxxxxxxxxxxx> wrote:
>
> Hi Hyunchul,
>
> The existence of multiple ASN1 decoders has been a regular complaint,
> this looks nice. Have you tested it against any servers?
>
> I think we need to make sure it works with Windows Server (including
> increased ones with the increased security flag, Steve do you remember
> the name of that flag?) and Samba at least.

Are you thinking about the authentication problem to Windows when a
stricter registry setting is chosen for server name hardening?

This involves populating the ntlmv2 response area of an NTLMSSP blob
with the "Target Name" attribute, i.e. the missing MsvAvTargetName field and
maybe also MsvAvTimestamp and NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE
in MsvAvFlags. These (the target name field in particular) are
required when Windows servers set the registry parm
SmbServerNameHardeningLevel to 2.

See e.g. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level

> There is the SDC EMEA plugfest coming up, might be a good time to try it
> out against other vendors as well.

Yes - definitely need to try with various cases (krb5 and ntlmssp in
SPNEGO) to various servers (Macs, NetApp, Windows, Azure, Samba, ksmbd
etc.)

--
Thanks,

Steve
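
An added example, not part of the original message and not cifs.ko or Samba code: a C walk over the AV_PAIR list of an NTLMv2 response that reports whether the three items named in the message (MsvAvTargetName, MsvAvTimestamp, the MIC bit in MsvAvFlags) are present. The AvId numbers and flag value are taken from MS-NLMP; the function name, result bits and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AvId values and the MIC bit as defined in MS-NLMP (AV_PAIR). */
enum { AV_EOL = 0, AV_FLAGS = 6, AV_TIMESTAMP = 7, AV_TARGET_NAME = 9 };
#define AVFLAG_MIC_PRESENT 0x00000002u
/* Result bits: names invented for this example. */
enum { HAS_TARGET_NAME = 1, HAS_TIMESTAMP = 2, HAS_MIC_FLAG = 4 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Walk an AV_PAIR list; return result bits, or -1 if malformed or unterminated. */
int check_av_pairs(const uint8_t *buf, size_t len)
{
    int found = 0;
    size_t off = 0;
    while (len - off >= 4) {
        uint16_t id = le16(buf + off), avlen = le16(buf + off + 2);
        off += 4;
        if (avlen > len - off)
            return -1;                    /* value runs past the buffer */
        if (id == AV_EOL)
            return avlen == 0 ? found : -1;
        if (id == AV_TARGET_NAME && avlen > 0)
            found |= HAS_TARGET_NAME;
        else if (id == AV_TIMESTAMP && avlen == 8)
            found |= HAS_TIMESTAMP;
        else if (id == AV_FLAGS && avlen == 4 && (le32(buf + off) & AVFLAG_MIC_PRESENT))
            found |= HAS_MIC_FLAG;
        off += avlen;
    }
    return -1;                            /* no MsvAvEOL terminator */
}

/* Constructed sample: flags=0x2, timestamp, target name "cifs/a" (UTF-16LE), EOL. */
static const uint8_t sample_full[] = {
    6,0, 4,0, 2,0,0,0,   7,0, 8,0, 0,0,0,0,0,0,0,0,
    9,0, 12,0, 'c',0,'i',0,'f',0,'s',0,'/',0,'a',0,   0,0, 0,0 };
/* Constructed sample: timestamp only, no target name and no MIC flag. */
static const uint8_t sample_no_target[] = { 7,0, 8,0, 0,0,0,0,0,0,0,0, 0,0, 0,0 };

int main(void)
{
    printf("full: %d, no target: %d\n", check_av_pairs(sample_full, sizeof(sample_full)),
           check_av_pairs(sample_no_target, sizeof(sample_no_target)));
    return 0;
}
```

A result without `HAS_TARGET_NAME` corresponds to the blob the message says a server with SmbServerNameHardeningLevel set to 2 requires the field in.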