Bug 11892 - MS-RPC authentication with “Security Context Multiplexing” does not work
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.3.7
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks: 7113
Reported: 2016-05-03 16:04 UTC by Stephan Hendl
Modified: 2016-05-03 20:45 UTC


Attachments
debug logs of Cisco ISE (17.86 KB, text/plain)
2016-05-03 16:05 UTC, Stephan Hendl
tcpdump of communication between Cisco ISE and Samba4 (19.60 KB, application/vnd.tcpdump.pcap)
2016-05-03 16:06 UTC, Stephan Hendl
debug level 10 log of Samba4 (log.samba) (3.64 MB, application/zip)
2016-05-03 16:10 UTC, Stephan Hendl

Description Stephan Hendl 2016-05-03 16:04:34 UTC
Hi all,
 
we plan to use Samba4 (samba-4.3.7) as well as Cisco Identity Service Engine (ISE-1.4) for authentication purposes in our WLAN environment with PEAP and MS-ChapV2. In this scenario the ISE asks Samba4 to verify the user credentials via MS-RPC.

Joining the ISE into Samba4 works well, as does Kerberos authentication. Unfortunately MS-RPC authentication (which is required for MS-ChapV2) does not work. The reason is that Cisco uses the MS-RPC protocol feature called “Security Context Multiplexing” (https://msdn.microsoft.com/en-us/library/cc243716.aspx). Although the ISE should check whether Samba4 can handle that feature or not, the ISE assumes that all Active Directory implementations can handle those requests and uses them. Unfortunately Samba4 cannot deal with that…

Logfiles enclosed.

Regards,
Stephan
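
For anyone triaging a capture like the one attached to this report, the sketch below (an added example, not code from the reporter, Samba or Cisco) parses a DCE-RPC bind or alter_context PDU and returns the feature bitmask the client offers through the bind-time feature negotiation transfer syntax defined in MS-RPCE, which is the mechanism a client uses to check for Security Context Multiplexing support. The function names and the sample PDU are constructed for illustration, and only little-endian PDUs are handled.

```python
import struct
import uuid

# Fixed 8-octet prefix of the bind-time feature negotiation transfer syntax
# (MS-RPCE), in little-endian wire order; the last 8 octets carry the bitmask.
BTFN_PREFIX = uuid.UUID("6cb71c2c-9812-4540-0000-000000000000").bytes_le[:8]
SEC_CTX_MULTIPLEXING = 0x01  # SecurityContextMultiplexingSupported
KEEP_CONN_ON_ORPHAN = 0x02   # KeepConnectionOnOrphanSupported
PTYPE_BIND, PTYPE_ALTER_CONTEXT = 11, 14

def offered_bind_time_features(pdu: bytes):
    """Feature bitmask offered in a bind/alter_context PDU, or None if absent."""
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] not in (PTYPE_BIND,
                                                      PTYPE_ALTER_CONTEXT):
        raise ValueError("not a connection-oriented bind/alter_context PDU")
    if pdu[4] & 0xF0 != 0x10:
        raise ValueError("only little-endian data representation is handled")
    frag_len, auth_len = struct.unpack_from("<HH", pdu, 8)
    # Stop before the sec_trailer (8 octets) and auth_value, if present.
    end = min(frag_len, len(pdu)) - (auth_len + 8 if auth_len else 0)
    off = 28  # first p_cont_elem_t follows the 4-octet p_cont_list_t header
    for _ in range(pdu[24]):  # n_context_elem
        if off + 24 > end:
            raise ValueError("truncated context element")
        n_syn = pdu[off + 2]
        off += 24  # p_cont_id, n_transfer_syn, reserved, abstract syntax
        for _ in range(n_syn):
            if off + 20 > end:
                raise ValueError("truncated transfer syntax")
            if pdu[off:off + 8] == BTFN_PREFIX:
                return struct.unpack_from("<Q", pdu, off + 8)[0]
            off += 20
    return None

def build_sample_bind(features=None) -> bytes:
    """Constructed bind PDU for the netlogon interface (sample data only)."""
    def syntax(u, ver):
        return uuid.UUID(u).bytes_le + struct.pack("<I", ver)
    netlogon = syntax("12345678-1234-abcd-ef00-01234567cffb", 1)
    ctxs = [netlogon + syntax("8a885d04-1ceb-11c9-9fe8-08002b104860", 2)]  # NDR
    if features is not None:
        btfn = BTFN_PREFIX + struct.pack("<Q", features) + struct.pack("<I", 1)
        ctxs.append(netlogon + btfn)
    body = struct.pack("<HHIBBH", 4280, 4280, 0, len(ctxs), 0, 0)
    for i, c in enumerate(ctxs):
        body += struct.pack("<HBB", i, 1, 0) + c
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\0\0\0",
                      16 + len(body), 0, 1)
    return hdr + body
```

A return value of `None` for a client's bind means it never offered the negotiation context, so any later use of multiplexed security contexts on that connection was not negotiated with the server.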
Comment 1 Stephan Hendl 2016-05-03 16:05:14 UTC
Created attachment 12059
debug logs of Cisco ISE
Comment 2 Stephan Hendl 2016-05-03 16:06:50 UTC
Created attachment 12060
tcpdump of communication between Cisco ISE and Samba4

Cisco ISE: 10.142.235.93
Samba4: 10.142.223.1
Packet 22 is relevant
Comment 3 Stephan Hendl 2016-05-03 16:10:02 UTC
Created attachment 12061
debug level 10 log of Samba4 (log.samba)
Comment 4 Stefan Metzmacher 2016-05-03 20:45:41 UTC
(In reply to Stephan Hendl from comment #3)

Thanks for the captures; it's pretty clear. Bug #7113 contains a similar issue.