[jcifs] Win 2003 support?

Michael B Allen mba2000 at ioplex.com
Tue Sep 2 13:32:40 EST 2003

>>>I was doing some work on enabling signing with jCIFS; I'll dig it up and
>>>see what I can get going.
>> That would be nice :)
> Hmmm... even if we get signing working, we will still see some issues.
> Enabling signing will allow us to communicate with servers which require
> SMB signing; however, passthrough authentication *won't* work.  The
> reason is that the user session key (used to sign the SMBs) is based on
> the password *hash*; in passthrough authentication, all we have is the
> password *response*.

So why are we different from IIS? Will IE not fully participate in the
NTLM negotiation and accept the Negotiate NTLM2 Key flag? Meaning can we
just marshal the tokens back and forth and only decode/encode
decrypt/encrypt as little as necessary?

> We can probably still get away with doing simple authentication using
> external hashes; signing doesn't actually start until the first
> SessionSetupAndX response (at which point the authentication has been
> validated).  But subsequent file operations will fail, since we will be
> unable to calculate the session key properly.
> In short, this means that Davenport, NetworkExplorer, etc. still won't
> work with signing enabled.  "Normal" SmbFiles (created with a password),
> however, *would* work, as would Davenport with HTTP Basic authentication
> (as the password is available).
> The complete solution would be to implement RPC NetLogon, but we're a
> ways from that; even once simple RPC functionality is in, that's one of
> the more difficult ones to implement

Why, is the NetLogon RPC not subject to signing/sealing?

> (as it is my understanding that it
> requires SecureChannel encryption to the domain controller).

Err, I thought SecureChannel was just another way of describing sealing.
Does the sealing described in your NTLM document apply to SMB
signing/sealing? What is SecureChannel?

