[jcifs] RE: LMv2 signing fix

eglass1 at comcast.net eglass1 at comcast.net
Tue Oct 7 19:09:52 EST 2003

> Eric,
> You cited Chris's documentation that signing does not occur with GUEST
> credentials. However, if signing is negotiated the GUEST login
> subsequent operations fail. It looks like the server want's signing. If
> signing *is* used for GUEST signature verification, the initial
> verification, trows into using the LMV2_CROSSDOMAIN_KEY and fails with
> that too.

I've observed the "anonymous" login skipping signing; I haven't fooled around
with guest too much.  I would assume (based on your observations) that signing
is done (but apparently not with the key we end up calculating).  You mentioned
in your other message that subsequent operations are verified successfully
with good credentials, but implied that the sequence count isn't reset
(I think); this is interesting, because it indicates that a "real" login
changes the signing key.  From what I observed, an initial login would set the
signing key and subsequent sessions would use the same key.  This would appear
to indicate that guest logins are treated as a special case.  Does this match
what you are seeing?

The fallback to LMV2_CROSSDOMAIN_KEY is more of a last-ditch effort (i.e., if
the "normal" key fails, see if that one happens to work).  The verification
check could be further refined to say, "if normal verification fails, and
lmCompatibility is set to 3+, then try the cross-domain key", which is more
accurate; but since we're already failing at that point I figured we might as
well just go ahead and try it.


More information about the jcifs mailing list