[jcifs] RE: LMv2 signing fix

eglass1 at comcast.net
Tue Oct 7 19:09:52 EST 2003


> Eric,
> 
> You cited Chris's documentation that signing does not occur with GUEST
> credentials. However, if signing is negotiated the GUEST login
> SMB_COM_SESSION_SETUP_ANDX/SMB_COM_TREE_CONNECT_ANDX response is signed and
> subsequent operations fail. It looks like the server wants signing. If
> signing *is* used for GUEST signature verification, the initial
> SMB_COM_SESSION_SETUP_ANDX/SMB_COM_TREE_CONNECT_ANDX response fails
> verification, throws into using the LMV2_CROSSDOMAIN_KEY and fails with
> that too.
> 

I've observed the "anonymous" login skipping signing; I haven't fooled around
with guest too much.  I would assume (based on your observations) that signing
is done (but apparently not with the key we end up calculating).  You mentioned
in your other message that subsequent operations are verified successfully
with good credentials, but implied that the sequence count isn't reset
(I think); this is interesting, because it indicates that a "real" login
changes the signing key.  From what I observed, an initial login would set the
signing key and subsequent sessions would use the same key.  This would appear
to indicate that guest logins are treated as a special case.  Does this match
what you are seeing?

The fallback to LMV2_CROSSDOMAIN_KEY is more of a last-ditch effort (i.e., if
the "normal" key fails, see if that one happens to work).  The verification
check could be further refined to say, "if normal verification fails, and
lmCompatibility is set to 3+, then try the cross-domain key", which is more
accurate; but since we're already failing at that point I figured we might as
well just go ahead and try it.


Eric
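
Added example, not part of the original message and not jcifs code: a sketch of the refined check described above, where the cross-domain key is tried only when normal verification fails and lmCompatibility is 3 or higher. The class and method names, the key bytes and the sample message are constructed for illustration; both MAC keys are treated as opaque inputs because their derivation is not covered in this thread.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.MessageDigest;
import java.util.Arrays;

public class SigningFallbackDemo {
    static final int SIG_OFFSET = 14; // SecuritySignature field in the 32-byte SMB header

    // SMB1 signature: first 8 bytes of MD5(macKey || message), computed with the
    // signature field holding the little-endian sequence number plus 4 zero bytes.
    static byte[] sign(byte[] macKey, byte[] msg, int seq) throws Exception {
        byte[] copy = msg.clone();
        ByteBuffer.wrap(copy, SIG_OFFSET, 8).order(ByteOrder.LITTLE_ENDIAN).putInt(seq).putInt(0);
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        md5.update(macKey);
        return Arrays.copyOf(md5.digest(copy), 8);
    }

    // Recompute the signature and compare it with the one carried in the message.
    static boolean matches(byte[] macKey, byte[] msg, int seq) throws Exception {
        byte[] received = Arrays.copyOfRange(msg, SIG_OFFSET, SIG_OFFSET + 8);
        return MessageDigest.isEqual(sign(macKey, msg, seq), received);
    }

    // Reports which key verified the response: "normal", "cross-domain" or "none".
    static String verify(byte[] normalKey, byte[] crossDomainKey, int lmCompatibility,
                         byte[] msg, int seq) throws Exception {
        if (matches(normalKey, msg, seq)) return "normal";
        // Fallback is gated on lmCompatibility 3+, as proposed in the message.
        if (lmCompatibility >= 3 && matches(crossDomainKey, msg, seq)) return "cross-domain";
        return "none";
    }

    public static void main(String[] args) throws Exception {
        byte[] normal = "constructed-normal-key".getBytes("US-ASCII");  // constructed key
        byte[] cross = "constructed-xdomain-key".getBytes("US-ASCII");  // constructed key
        byte[] msg = new byte[40]; // constructed response: 32-byte header + 8 body bytes
        msg[0] = (byte) 0xFF; msg[1] = 'S'; msg[2] = 'M'; msg[3] = 'B';
        // Simulate a server that signed sequence number 1 with the cross-domain key.
        System.arraycopy(sign(cross, msg, 1), 0, msg, SIG_OFFSET, 8);

        System.out.println(verify(normal, cross, 3, msg, 1)); // fallback permitted
        System.out.println(verify(normal, cross, 0, msg, 1)); // fallback not permitted
        msg[39] ^= 1;                                         // modify one body byte
        System.out.println(verify(normal, cross, 3, msg, 1)); // neither key verifies
    }
}
```

Reporting which key matched, rather than a bare pass/fail, makes it visible in logs when a server is signing with something other than the key the client calculated.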


