[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Andrew Bartlett abartlet at samba.org
Wed Apr 14 03:19:22 MDT 2010


On Tue, 2010-04-13 at 23:45 -0500, Shirish Pargaonkar wrote:
> On Tue, Apr 13, 2010 at 6:01 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Sun, 2010-04-11 at 19:40 -0400, Jeff Layton wrote:
> >
> >> I don't think that's right. CIFS_SESS_KEY_SIZE is 24 bytes. According
> >> to the MS-NLMP document, the session key should be 16 bytes. The
> >> signing key is different with NTLMSSP than with "raw" NTLM and NTLMv2.
> >
> > So, with NTLMSSP the 24 byte (actually variable, it is much lager for
> > NTLMv2) response is not included in the MAC calculation - just use the
> > 16 bytes session key only.
> 
> Does this apply to both ntlm and ntlmv2 authentications because for ntlm
> authentication, session key is 16 bytes but not for ntlmv2 authentication?

NTLMv2 also produces a 16 byte session key, the same as all NTLM
authentication variants. 

> I thought MAC key is generated by concatenating the smb session key
> with ntlm/ntlmv2
> client response to the server challenge.

It is, except that when NTLMSSP is used, the client response is omitted
(the NTLMSSP layer isn't broken to get at the client response). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/linux-cifs-client/attachments/20100414/dfbc0519/attachment-0001.pgp>


More information about the linux-cifs-client mailing list