[jcifs] MAC Signing and NTLMSSP over HTTP.

[Christopher R. Hertel]

On Sun, Feb 13, 2005 at 11:22:47PM -0500, Michael B Allen wrote:
> Christopher R. Hertel said:
> >> so that the additional SessionSetups
> >> created
> >> with NTLMSSP info are okay.
> >
> > Okay... the "default creds"...  If I understand what I've read so far in
> > the docs, you add a username/password pair to a file on the
> > web-server-side.  Are those the credentials used to create the signatures?
> 
> Right. Well the creds are used to created the digest after the first
> successfull SessionSetup and the digest is used to generate the signatures
> for individual SMBs from then on.

So do you have to use those creds to perform the first SessionSetup?  How 
does the CIFS server know which credentials to use for signing?

> > What happens if you're doing things like accessing files (sort of like
> > Davenport does)?  In that case, you'd need the preauthentication, yes?
> 
> I don't think Davenport supports signatures. It supports Basic
> authentication though so in that case it will work because you have the
> password. But yes, preauthentication is absolutely necessary if you're
> doing NTLMSSP because you don't have the plain text equivalent password
> hash.

Assuming NTLMSSP (which is what I have to work with), what I *think* this
leads to is that the web-server-side jCIFS app could (if I'm not off my
tree) perform an initial SessionSetupAndX with the CIFS server and
establish the digest.  That digest would then be used for any subsequent 
SessionSetupAndX's between the web server and the CIFS server.

Am I on the right track?

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org