Authentication through transitive trusts

Anthony Liguori aliguor at
Fri Jul 18 21:34:02 GMT 2003

> 1. Windows sends back a session key of 0 in the NegProt response, Samba
> does not.

As I've mentioned on #samba-technical, a WinXP client will use KRB5 with 
SPNEGO when Samba's acting as an AD DC without any modifications to 
NegProt though.  An initial theory might be that NTLMSSP is neg'd because 
the session key is specified requiring since a new session key has to be 
neg'd anyway to do mutual auth when using KRB5.  Since a client knows that 
the Samba server would be an AD DC way before NegProt, this wouldn't be an 
issue and the client might not rely on it.

Here's a patch that changes the session key to be 0.  For an AD DC, it 
doesn't make a difference (the client still negs KRB5 with SPNEGO).  I 
don't have a set-up to test Samba as a member server (I'll try to set 
something up this weekend though) but perhaps someone else could test this 
to determine if this is the cause.

The patch is included (this patch of course isn't a solution to the 
problem, just testing the session key theory).

Index: source/smbd/negprot.c
RCS file: /cvsroot/samba/source/smbd/negprot.c,v
retrieving revision
diff -u -r1.62.2.11 negprot.c
--- source/smbd/negprot.c       3 Jul 2003 19:11:31 -0000
+++ source/smbd/negprot.c       18 Jul 2003 19:13:23 -0000
@@ -287,7 +287,11 @@
        SSVAL(outbuf,smb_vwv2+1,1); /* num vcs */
        SIVAL(outbuf,smb_vwv3+1,max_recv); /* max buffer. LOTS! */
        SIVAL(outbuf,smb_vwv5+1,0x10000); /* raw size. full 64k */
+#if 1
+       SIVAL(outbuf,smb_vwv7+1,0x00000000); /* session key */
        SIVAL(outbuf,smb_vwv7+1,sys_getpid()); /* session key */
        SIVAL(outbuf,smb_vwv9+1,capabilities); /* capabilities */

Anthony Liguori
Linux/Active Directory Interoperability
Linux Technology Center (LTC) - IBM Austin
E-mail: aliguor at
Phone: (512) 838-1208
Tie Line: 678-1208

More information about the samba-technical mailing list