[jcifs] MAC Signing and NTLMSSP over HTTP.

Christopher R. Hertel crh at ubiqx.mn.org
Mon Feb 14 04:05:51 GMT 2005


On Sun, Feb 13, 2005 at 10:24:30PM -0500, Michael B Allen wrote:
> Christopher R. Hertel said:
> > Okay, I've been digging through the docs and I can see that I'm close to a
> > clue, but not quite there yet...
> >
> > How does SMB signing work (if at all) with NTLMSSP over HTTP?
> 
> With NTLM signatures you need the plain text equivalent hash to create the
> signing digest and that is never provided by NTLMSSP so signing is not
> possible in this case.

Yeah, I figured that would be the case but wasn't sure.  Thanks.

> However, signatures are established after the first successful
> SessionSetup of an authenticated user (i.e. not "null" or "GUEST") and do
> not change thereafter. So jCIFS just uses the default creds to set up an
> initial session with signing so that the additional SessionSetups created
> with NTLMSSP info are okay.

Okay... the "default creds"...  If I understand what I've read so far in 
the docs, you add a username/password pair to a file on the 
web-server-side.  Are those the credentials used to create the signatures?

> Note that it has been observed that NT4 at least (don't know about W2K+)
> does not actually check the signatures in SessionSetup requests! So you
> can get away with authenticating multiple sets of credentials even if the
> server requires signing. The Logoffs (or any other type of request) will
> generate signing errors but if you're just authenticating users, who cares?

What happens if you're doing things like accessing files (sort of like 
Davenport does)?  In that case, you'd need the preauthentication, yes?

> But to be on the safe side we always recommend using "preauthentication"
> credentials.

I think I'm starting to catch on.  Let me know where I'm off course...

Thanks!

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
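
The signing behaviour discussed in this thread, as an added example that is not part of the original message and is not jCIFS code: the key is fixed by the first SessionSetup of a real user and reused for every later message. It assumes the commonly documented SMB1 scheme (MD5 over the MAC key plus the message with the sequence number in the signature field, truncated to 8 bytes); `SigningContext`, `demo`, the user names and all key and response bytes are hypothetical, constructed values.

```python
import hashlib
import hmac
import struct

SIG_OFF, SIG_LEN = 14, 8  # SecuritySignature field in the 32-byte SMB1 header


class SigningContext:
    """Per-connection signing state (hypothetical helper, not jCIFS code)."""

    def __init__(self):
        self.mac_key = None

    def session_setup(self, user, session_key, response):
        # The key is fixed by the first setup of a real user (not null, not GUEST)
        # and later SessionSetups leave it alone.
        if self.mac_key is None and user and user.upper() != "GUEST":
            self.mac_key = session_key + response
        return self.mac_key is not None

    def sign(self, msg, seq):
        if self.mac_key is None:
            raise ValueError("no signing key established")
        buf = bytearray(msg)
        # The sequence number occupies the signature field while hashing.
        buf[SIG_OFF:SIG_OFF + SIG_LEN] = struct.pack("<II", seq, 0)
        mac = hashlib.md5(self.mac_key + bytes(buf)).digest()[:SIG_LEN]
        buf[SIG_OFF:SIG_OFF + SIG_LEN] = mac
        return bytes(buf)

    def verify(self, msg, seq):
        if self.mac_key is None:
            return False
        return hmac.compare_digest(self.sign(msg, seq), msg)


def demo():
    # Constructed sample values standing in for a real session key and response.
    key_a, resp_a = bytes(range(16)), bytes(24)
    key_b, resp_b = bytes(range(16, 32)), b"\x01" * 24
    msg = b"\xffSMB" + bytes(28) + b"constructed payload"
    client, server = SigningContext(), SigningContext()
    for ctx in (client, server):
        ctx.session_setup("", b"", b"")              # null session: no key
        ctx.session_setup("preauth", key_a, resp_a)  # establishes the key
        ctx.session_setup("webuser", key_b, resp_b)  # key unchanged
    signed = client.sign(msg, 2)
    return {"key_kept": server.mac_key == key_a + resp_a,
            "good": server.verify(signed, 2),
            "wrong_seq": server.verify(signed, 3),
            "no_key": SigningContext().verify(signed, 2)}
```

A context that never saw a keyed SessionSetup can neither sign nor verify, which is the position of a party that holds only relayed NTLMSSP tokens.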

