[jcifs] Obtaining SessionKey from DC for signing
johnnykimble at gmail.com
Tue Mar 30 10:24:33 MDT 2010
Michael B Allen <ioplex <at> gmail.com> writes:
> On Tue, Mar 30, 2010 at 5:22 AM, Johnny Kimble <johnnykimble <at> gmail.com>
> > Hi all,
> > I've struggled to find specific information about this scenario online,
> > because I'm looking in the wrong places, or maybe because I'm asking the
> > questions...
> > What I don't understand is how, programmatically, a CIFS server gets a
> > MAC\session key from a domain controller in order to sign messages.
> > For example, Client and Server both require signing, and are both part of a
> > domain controlled by Domain Controller. When the Client (for example,
> > 7/Vista)
> > makes a request to the Server, the Server then has to somehow communicate
> > Domain Controller (is this pass through authentication?) and in addition to
> > authenticating the Client, the DC must also supply the Server with the
> > SessionKey so that the Server can sign messages.
> > I've been looking at various specifications, netlogon, kerberos and the gss-
> > but can't find this specific bit of information. What protocol is used
> > the Server and the Domain Controller to ask the DC to send the SessionKey,
> > MAC?
> > I've also taken a look over the samba source code, but am struggling to
> > pinpoint where this takes place.
> > Any help, advice or direction would be greatly appreciated.
> Hi Johnny,
> This is a little out of scope for this list but in simple terms the
> exact way in which a session key is generated depends on the protocol
> being used. For example JCIFS uses NTLM but there are multiple ways to
> generate the signing key that depend on what version is used, whether
> or not "key exchange" is negotiated, etc. It's non-trivial.
> But again, this is not something you need to know about to use JCIFS
> so I can't help you much with this.
> Microsoft recently published fairly detailed documentation about a lot
> of their protocols. Google for "wspp documentation". You can download
> zip files of PDFs from Microsoft's website that have all sorts of
> details about stuff like generating the session key.
Apologies - I was aware I was going off topic here a bit, but it's been
difficult to find a list where people really have a good understanding of this
Thanks a lot for your response though, I'll be sure to read up a bit more on the
MS specs for these. Implementing CIFS touched briefly on Kerberos but again, a
full discussion of it was out of its scope. I guess simplistic solutions to
these issues are not possible, as you say, it's non-trivial.