Ontap9.3 - SMB Session Setup - Krb AP-REP Duplicate resp token as mechListMIC

aswchand

Server: NetApp Ontap 9.3 Server

Protocol: SMB2 

Command: SMB2 Session Setup

 

We are seeing an issue with the NetApp Ontap 9.3 server's Session Setup Response when using Kerberos authentication: in the AP-REP response token, it is sending a duplicate SPNEGO response token in the mechListMIC field instead of sending the MIC signature. Please refer to the left-side pane of the attached image for the buggy packet vs. the right side for the correct one.

As a result, clients trying to parse and do MIC-verification will fail it as a defective token.

 

A similar issue was also seen with Windows 2000 Server.

https://krbdev.mit.edu/rt/Ticket/Display.html?id=6726

 

So it looks like NetApp also has to fix this.

The Heimdal gssapi has provided a way to work around this (and skip MIC verification) by safely omitting this buggy SPNEGO token, but the server has to send an OID flag "BUGGY SPNEGO" for clients to safely omit this MIC verification.

 

Refer to the GitHub diff at

https://github.com/heimdal/heimdal/pull/668/commits/8db8a2137632624aed05bf6100e9033e2c6cc0d0

 

File name: lib/gssapi/spnego/init_sec_context.c  

Look for the comment lines below:

/* ...unless its a windows 2000 server that sends the
* responseToken inside the mechListMIC too. We only
* accept this condition if would have been safe to omit
* anyway. */
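
The check below is an added example, not part of the original post or of Heimdal's code: it parses a SPNEGO NegTokenResp (RFC 4178 layout) and reports when mechListMIC is a byte-for-byte copy of responseToken, the condition described above. The function names and the sample tokens are constructed for illustration.

```python
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_neg_token_resp(token):
    """Return {context tag: inner value} for the fields of a NegTokenResp."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0xA1:  # NegotiationToken CHOICE [1] = negTokenResp
        raise ValueError("not a NegTokenResp")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctx, inner, pos = read_tlv(seq, pos)
        fields[ctx] = read_tlv(inner, 0)[1]  # unwrap ENUMERATED / OID / OCTET STRING
    return fields

def mic_duplicates_response_token(token):
    """True when mechListMIC [3] is byte-identical to responseToken [2]."""
    f = parse_neg_token_resp(token)
    return 0xA2 in f and 0xA3 in f and f[0xA2] == f[0xA3]

def tlv(tag, value):  # minimal DER encoder, used only to build the samples below
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    size = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + size + value
def build_resp(response_token, mic):
    seq = (tlv(0xA0, tlv(0x0A, b"\x00")) + tlv(0xA1, tlv(0x06, KRB5_OID))
           + tlv(0xA2, tlv(0x04, response_token)) + tlv(0xA3, tlv(0x04, mic)))
    return tlv(0xA1, tlv(0x30, seq))

AP_REP = b"constructed-AP-REP-bytes" * 8   # placeholder, not a real AP-REP
BUGGY = build_resp(AP_REP, AP_REP)         # the behaviour described in the post
GOOD = build_resp(AP_REP, b"\x5a" * 28)    # placeholder MIC with a different value
```

Running `mic_duplicates_response_token` over the security blob of a captured Session Setup Response separates this server-side defect from an ordinary MIC mismatch.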

 

 


Mjizzini

Thank you for sharing your findings.

Are you experiencing it with any other Ontap version? 
