[jcifs] Obtaining SessionKey from DC for signing

Johnny Kimble johnnykimble at gmail.com
Tue Mar 30 10:24:33 MDT 2010


Michael B Allen <ioplex <at> gmail.com> writes:

> 
> On Tue, Mar 30, 2010 at 5:22 AM, Johnny Kimble <johnnykimble <at> gmail.com> wrote:
> > Hi all,
> >
> > I've struggled to find specific information about this scenario online, maybe
> > because I'm looking in the wrong places, or maybe because I'm asking the wrong
> > questions...
> >
> > What I don't understand is how, programmatically, a CIFS server gets a
> > MAC\session key from a domain controller in order to sign messages.
> >
> > For example, Client and Server both require signing, and are both part of a
> > domain controlled by Domain Controller. When the Client (for example, Windows
> > 7/Vista)
> > makes a request to the Server, the Server then has to somehow communicate with
> > Domain Controller (is this pass through authentication?) and in addition to
> > authenticating the Client, the DC must also supply the Server with the
> > SessionKey so that the Server can sign messages.
> >
> > I've been looking at various specifications, netlogon, kerberos and the gss-api
> > but can't find this specific bit of information. What protocol is used between
> > the Server and the Domain Controller to ask the DC to send the SessionKey, or
> > MAC?
> >
> > I've also taken a look over the samba source code, but am struggling to
> > pinpoint where this takes place.
> >
> > Any help, advice or direction would be greatly appreciated.
> 
> Hi Johnny,
> 
> This is a little out of scope for this list but in simple terms the
> exact way in which a session key is generated depends on the protocol
> being used. For example JCIFS uses NTLM but there are multiple ways to
> generate the signing key that depends on what version is used, whether
> or not "key exchange" is negotiated, etc. It's non-trivial.
> 
> But again, this is not something you need to know about to use JCIFS
> so I can't help you much with this.
> 
> Microsoft recently published fairly detailed documentation about a lot
> of their protocols. Google for "wspp documentation". You can download
> zip files of PDFs from Microsoft's website that have all sorts of
> details about stuff like generating the session key.
> 
> Mike
> 

Hi Mike,

Apologies - I was aware I was going off topic here a bit, but it's been 
difficult to find a list where people really have a good understanding of this 
stuff.

Thanks a lot for your response though, I'll be sure to read up a bit more on the 
MS specs for these. Implementing CIFS touched briefly on Kerberos but again, a 
full discussion of it was out of its scope. I guess simplistic solutions to 
these issues are not possible, as you say, it's non-trivial.

Thanks again,
JK
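
Added example (not part of the original thread and not JCIFS or Samba code): a sketch of how the NTLMv2 signing key differs depending on whether key exchange is negotiated, following the derivation in Microsoft's published MS-NLMP document. The NT hash, challenge and blob are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac
import os

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; NTLM uses it only to wrap the 16-byte session key."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTLMv2 response key: HMAC-MD5 keyed with the account's NT hash.
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def session_base_key(response_key: bytes, challenge: bytes, blob: bytes) -> bytes:
    # NTProofStr covers the server challenge plus the client blob;
    # the base key is an HMAC of that proof under the same response key.
    nt_proof = hmac_md5(response_key, challenge + blob)
    return hmac_md5(response_key, nt_proof)

def client_keys(base_key: bytes, key_exch: bool):
    """Return (signing key, encrypted session key sent in the AUTHENTICATE message)."""
    if not key_exch:
        return base_key, b""           # the base key itself is used
    exported = os.urandom(16)          # fresh random key chosen by the client
    return exported, rc4(base_key, exported)

def server_key(base_key: bytes, encrypted_key: bytes) -> bytes:
    # The server needs the base key (however it was obtained) to unwrap
    # the client's random key when key exchange was negotiated.
    return rc4(base_key, encrypted_key) if encrypted_key else base_key

# Constructed sample inputs, not taken from any real exchange.
NT_HASH = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = b"\x01\x01" + bytes(26)         # stand-in for the NTLMv2 client blob
BASE = session_base_key(ntowf_v2(NT_HASH, "User", "Domain"), CHALLENGE, BLOB)
```

With key exchange negotiated, the key used for signing is the client's random key rather than anything derived directly from the password, so both sides must process the encrypted key field to agree on it.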



