On 12/13/06, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
hi, I captured a trace between windows XP and a NAS box. the smb sesstion
setup andx reponse packet (fram 8 in attachment) is interesting. Two blobs,
responseToken and mechListMIC, seem Kerberos ap_rep blob. But wireshark did
not parsered them out. Why? Does the Gssapi on the NAS box does not align to
some RFCs?
Entirely possible.
What NAS device is this? Can you provide the vendor and model names
for my curiosity?
If you tell me what box and OS is running on 10.24.8.44 then I will
check in the workaround to allow wireshark to decode this blob.
The reason wireshark does not decode the blobs are that the SPNEGO
implementation in that box is "unusual".
The SPNEGO NegTokenTarg contains a responseToken which indeed cotnains
a KRB5 AP_REP.
However, the NegTokenTarg does NOT contain any supportedMech field to
describe what the content of the responseToken is.
This looks pretty broken to me.
Does windows clients really accept this response ?