[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Shirish Pargaonkar shirishpargaonkar at gmail.com
Tue Apr 13 17:31:39 MDT 2010


As I understand, there is

session key
MAC key
signature.

For authentication, only session key is needed.
For SMB signing, signature is needed.

session key is part of authentication blob in session setup request
and signature is part of smb/smb2 header.
(I think once session is set up).

I think for ntlm and ntlmv2 authentications, session key is calculated
in a different way,
but for both, MAC key and signature are calculated the same way.

I am not sure whether the way session key, MAC key, and signature are calculated
for ntlm and ntlmv2 authentication, is different for NTLMSSP
within/via SPNEGO and NTLMSSP Raw.

For smb2, I think we should discard/ignore ntlm and focus only on
utilizing ntlmv2 authentication within NTLMSSP within/via SPNEGO
or Raw NTLMSSP.

So I think cifs has all the pieces to calculate

session key and MAC key (for ntlmv2 in setup_ntlmv2_rsp() and for ntlm
in SMBNTencrypt() & in cifs_calculate_mac_key())
signature (for ntlmv2 in function cifs_calc_signature2() and for ntlm
in function cifs_calculate_signature())


NTLMSSP as I understand.

Regards,

Shirish


On Tue, Apr 13, 2010 at 6:01 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2010-04-11 at 19:40 -0400, Jeff Layton wrote:
>
>> I don't think that's right. CIFS_SESS_KEY_SIZE is 24 bytes. According
>> to the MS-NLMP document, the session key should be 16 bytes. The
>> signing key is different with NTLMSSP than with "raw" NTLM and NTLMv2.
>
> So, with NTLMSSP the 24 byte (actually variable, it is much larger for
> NTLMv2) response is not included in the MAC calculation - just use the
> 16 bytes session key only.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>
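The MAC key difference discussed in this thread, as an added example that is not part of the original messages or the cifs code: it signs one SMB1 request with the raw-NTLM key (session key plus response) and shows that a verifier using the NTLMSSP key (16-byte session key only) rejects it. It assumes SMB1 signing as MS-CIFS defines it (first 8 bytes of MD5 over MAC key plus message, with the sequence number in the signature field); the function names and all sample bytes are constructed.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8  # SecuritySignature field in the 32-byte SMB1 header


def mac_key(session_key: bytes, response: bytes, ntlmssp: bool) -> bytes:
    """MAC (signing) key: session key + response for raw NTLM/NTLMv2,
    the 16-byte session key alone for NTLMSSP."""
    if len(session_key) != 16:
        raise ValueError("session key must be 16 bytes")
    return session_key if ntlmssp else session_key + response


def sign(message: bytes, key: bytes, seq: int) -> bytes:
    """Return the message with its signature field filled in."""
    if len(message) < 32:
        raise ValueError("shorter than an SMB1 header")
    head, tail = message[:SIG_OFFSET], message[SIG_OFFSET + SIG_LEN:]
    # The sequence number (4 bytes little-endian, then 4 zero bytes)
    # occupies the signature field while the digest is computed.
    staged = head + struct.pack("<II", seq, 0) + tail
    return head + hashlib.md5(key + staged).digest()[:SIG_LEN] + tail


def verify(signed: bytes, key: bytes, seq: int) -> bool:
    """Recompute the signature and compare in constant time."""
    return hmac.compare_digest(sign(signed, key, seq), signed)


# Constructed sample values, not taken from a real capture.
SESSION_KEY = bytes(range(16))
NTLM_RESPONSE = bytes(range(100, 124))               # 24-byte NTLM response
REQUEST = b"\xffSMB\x75" + bytes(27) + b"\x00" * 3   # header + minimal body


def demo():
    """Sign with the raw-NTLM key, then verify with each key variant."""
    raw_key = mac_key(SESSION_KEY, NTLM_RESPONSE, ntlmssp=False)
    ssp_key = mac_key(SESSION_KEY, NTLM_RESPONSE, ntlmssp=True)
    signed = sign(REQUEST, raw_key, seq=2)
    return (len(raw_key), len(ssp_key),
            verify(signed, raw_key, 2), verify(signed, ssp_key, 2))


if __name__ == "__main__":
    print(demo())
```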

