[jcifs] MAC Signing and NTLMSSP over HTTP.

Michael B Allen mba2000 at ioplex.com
Mon Feb 14 05:46:20 GMT 2005


On Sun, 13 Feb 2005 22:50:45 -0600
"Christopher R. Hertel" <crh at ubiqx.mn.org> wrote:

> On Sun, Feb 13, 2005 at 11:22:47PM -0500, Michael B Allen wrote:
> > Christopher R. Hertel said:
> > >> so that the additional SessionSetups
> > >> created
> > >> with NTLMSSP info are okay.
> > >
> > > Okay... the "default creds"...  If I understand what I've read so far
> > > in the docs, you add a username/password pair to a file on the
> > > web-server-side.  Are those the credentials used to create the
> > > signatures?
> > 
> > Right. Well, the creds are used to create the digest after the first
> > successful SessionSetup and the digest is used to generate the
> > signatures for individual SMBs from then on.
> 
> So do you have to use those creds to perform the first SessionSetup?  How 
> does the CIFS server know which credentials to use for signing?

Yes. When the NTLM HTTP Authentication filter wants to authenticate
someone against a DC the jcifs.smb.client.{domain,username,password}
creds are used to do the first SessionSetup after which a SigningDigest is
created with the plain text equivalent password hash which was generated
directly from jcifs.smb.client.password. The server should create the
same SigningDigest since it also knows the plain text equivalent password
hash because it either has it locally in its SAM database or it got
it from the DC over the NETLOGON pipe. Now the original authentication
proceeds without worrying about signing because it's already set up on
that transport. Note that if we're load balancing or the client decides
to communicate with a different server that requires signing we have to
do "preauthentication" [1] again. Of course all of this will probably
go away in 2.0 when we do Kerberos.

> Assuming NTLMSSP (which is what I have to work with), what I *think* this
> leads to is that the web-server-side jCIFS app could (if I'm not off my
> tree) perform an initial SessionSetupAndX with the CIFS server and
> establish the digest.  That digest would then be used for any subsequent 
> SessionSetupAndX's between the web server and the CIFS server.

Right. Actually once the signing digest is installed that transport
is good for *any* type of SMB. I don't think Davenport supports
preauthentication but NetworkExplorer might.

The code for this is actually pretty clear. Just search in
SmbTransport.java and SmbSession.java for 'digest'. You'll see the
transport's digest member is initially null but in SmbSession can be
installed after which it won't be null and the sign/verify code kicks in.

> Am I on the right track?

Yeah. You've been on the right track the whole time so far.

Mike

[1] Not to be confused with Kerberos "preauthentication". Our usage of
preauthentication is totally unique to jCIFS (I think).
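A model of the transport-level signing described above, as an added example (not jCIFS code): the transport's digest starts out null, is installed after the first SessionSetup, and from then on signs and verifies each SMB with a sequence number. The NT hash is a constructed sample and, as a simplification, is used directly as the MAC key where jCIFS would first derive the key from it with MD4.

```python
import hashlib
import hmac
import struct

# Added model of jCIFS's transport-level signing (not jCIFS code). The MAC key
# comes from the password-equivalent NT hash, so the CIFS server builds the same
# key from its SAM/NETLOGON copy of the hash without ever seeing the password.
# Simplification: jCIFS derives the real key from this hash with MD4; here the
# constructed sample hash is used as the key directly.
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
SIG_OFFSET = 14  # SecuritySignature field of the SMB_Header, 8 bytes


class SigningDigest:
    """MD5(mac_key || message)[:8], with the sequence number stamped into the
    signature field before hashing (SMB1 message signing)."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key

    def _mac(self, msg: bytes, seq: int) -> bytes:
        stamped = msg[:SIG_OFFSET] + struct.pack("<II", seq, 0) + msg[SIG_OFFSET + 8:]
        return hashlib.md5(self.mac_key + stamped).digest()[:8]

    def sign(self, msg: bytes, seq: int) -> bytes:
        return msg[:SIG_OFFSET] + self._mac(msg, seq) + msg[SIG_OFFSET + 8:]

    def verify(self, msg: bytes, seq: int) -> bool:
        # Replayed or reordered SMBs fail because the expected seq differs.
        return hmac.compare_digest(msg[SIG_OFFSET:SIG_OFFSET + 8], self._mac(msg, seq))


class SmbTransport:
    """digest is None until the first SessionSetup ('preauthentication')
    installs it; from then on every SMB sent on this transport is signed."""

    def __init__(self):
        self.digest = None
        self.seq = 0  # request uses seq, its response uses seq + 1

    def preauthenticate(self, nt_hash: bytes) -> None:
        self.digest = SigningDigest(nt_hash)

    def send(self, msg: bytes) -> bytes:
        if self.digest is None:
            return msg  # signing not set up on this transport yet
        signed = self.digest.sign(msg, self.seq)
        self.seq += 2
        return signed
```

A server-side SigningDigest built from the same hash verifies a request at the expected sequence number and rejects the same bytes presented at any other.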

