[cifs-protocol] Session keys are not always 16 bytes long

Hongwei Sun hongweis at microsoft.com
Wed Jan 28 00:36:59 GMT 2009


Thanks for the information provided. We successfully reproduced and debugged the behavior of SMB signing between Samba smbclient and Windows server using an AES256 session key (32 bytes). The outcome of live debugging proved that SMB signing is using the entire 32-byte session key, just as you reported initially. The product team also confirmed this behavior. We will update the MS-SMB document accordingly.

Please let us know if you have any further questions regarding this topic.


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Sunday, November 30, 2008 8:53 PM
To: Hongwei Sun
Cc: Stefan (metze) Metzmacher
Subject: RE: [cifs-protocol] Session keys are not always 16 bytes long

On Tue, 2008-11-25 at 15:52 -0800, Hongwei Sun wrote:
> Andrew,
> As per our discussion during the conference call, I would like to run testing on Samba with Windows server for the session key length used for SMB signing. Can I run smbtorture to see the behavior? If so, what test option should I select? How can I configure it to use Kerberos with AES256? Use Krb5.conf? If you could point me to the source code file and lines, it will be helpful for me too.

I suggest running just smbclient, to a Windows server that enforces signing, with 'smbclient //myserver/share -d11 -k yes -Uuser%pass' as the command line. This should trigger the behaviour, and print the key if you are on a modern Linux distro.

You must have compiled Samba using 'make clean && ./configure --enable-developer && make all'.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
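
Why the key length matters for interoperability, as an added example that is not part of the original thread and is not Samba or Microsoft code: a peer that truncates the 32-byte session key to 16 bytes rejects every signature produced with the full key. It assumes the SMB1 signing construction (MD5 over the key followed by the message, with the sequence number placed in the 8-byte signature field at header offset 14, and no challenge response appended, as with Kerberos); the function names, key and packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14  # assumed offset of the signature field in the 32-byte SMB1 header
SIG_LEN = 8      # the signature is the first 8 bytes of the MD5 digest


def smb1_sign(session_key: bytes, packet: bytes, seq: int) -> bytes:
    """Return a copy of packet with its signature field filled in."""
    if len(packet) < 32 or packet[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    buf = bytearray(packet)
    # While hashing, the signature field holds the sequence number
    # (32-bit little-endian) followed by four zero bytes.
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<II", seq, 0)
    # The whole session key is fed to MD5, whatever its length.
    digest = hashlib.md5(session_key + bytes(buf)).digest()
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = digest[:SIG_LEN]
    return bytes(buf)


def smb1_verify(session_key: bytes, signed: bytes, seq: int) -> bool:
    """Recompute the signature and compare in constant time."""
    return hmac.compare_digest(smb1_sign(session_key, signed, seq), signed)


def demo():
    key32 = bytes(range(32))  # constructed 32-byte (AES256-sized) session key
    # Constructed minimal packet: 32-byte header plus an empty body.
    packet = b"\xffSMB\x73" + bytes(27) + b"\x00\x00\x00"
    signed = smb1_sign(key32, packet, seq=0)
    full_ok = smb1_verify(key32, signed, 0)            # peer uses all 32 bytes
    truncated_ok = smb1_verify(key32[:16], signed, 0)  # peer truncates to 16
    return full_ok, truncated_ok


if __name__ == "__main__":
    print(demo())
```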
