SMB Signing, kerberos, NTLMv2 TODO

Andrew Bartlett abartlet at
Wed May 7 13:05:43 GMT 2003

On Thu, 2003-05-01 at 15:18, Andrew Bartlett wrote:

> What we do know
> ---------------
> SMB signing works, for authentication using the NTLM authentication
> scheme, when not using 'extended security', and not using NTLMv2.
> NTLMv2 works, as does LMv2 for all things that don't require the
> 'session key'.  

It is my suspicion that NTLMv2 doesn't actually work (as a client) and
that we were just getting away with having working NTLMv2.


> What is unknown
> ---------------
> We don't know how to do SMB signing with NTLMv2.  This would be an
> interesting, small research project for somebody, as the possible inputs
> are pretty well known.  My guess is that we are getting the NTLMv2
> response wrong in the client, and causing the server to think we have
> not negotiated use of a session key.

This is confirmed by the fact that we can sign NTLMv2 connections to a
Win2k domain member, when the PDC is Samba (and always generates the
session key).

This is a new development - I've just committed these changes to 3.0
CVS.  The only task now is the NTLMv2 client, which should not be hard
(given TNG has an implementation, and the format is documented).

> (Adding an ethereal dissector for the NTLMv2 response would probably be
> a very good place to start, there is a description of the format in
> Implementing CIFS, and code in Samba TNG libsmb/smbencrypt.c).

This has now been implemented in CVS ethereal - big thanks to
tpot at!

Andrew Bartlett
Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
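
The NTLMv2 response and the session key discussed in this message, sketched as an added example that is not part of the original post and is not Samba, Samba TNG or ethereal code. It follows the publicly documented NTLMv2 computation; the function names are hypothetical, the NT hash, user and challenges are the sample values from Microsoft's MS-NLMP specification, and the target-info bytes are constructed.

```python
import hashlib
import hmac
import struct

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """Client blob: version 1/1, reserved, 64-bit time, client challenge, target info."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)

def client_response(v2_key: bytes, server_challenge: bytes, blob: bytes):
    """Return (NTLMv2 response, session key) as the client computes them."""
    proof = hmac_md5(v2_key, server_challenge + blob)
    return proof + blob, hmac_md5(v2_key, proof)

def server_verify(v2_key: bytes, server_challenge: bytes, response: bytes):
    """Return the session key if the response verifies, otherwise None."""
    proof, blob = response[:16], response[16:]
    expected = hmac_md5(v2_key, server_challenge + blob)
    if not hmac.compare_digest(proof, expected):
        return None  # no valid response, so no session key for signing
    return hmac_md5(v2_key, expected)

# Sample inputs: MS-NLMP example values (password "Password", user "User",
# domain "Domain"); TARGET_INFO is a constructed domain-name entry plus terminator.
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = b"\xaa" * 8
TARGET_INFO = b"\x02\x00\x0c\x00" + "Domain".encode("utf-16-le") + b"\x00" * 4

def demo():
    """Return (client key, server key for a good response, result for a bad one)."""
    key = ntowf_v2(NT_HASH, "User", "Domain")
    blob = build_blob(0, CLIENT_CHALLENGE, TARGET_INFO)
    good, client_key = client_response(key, SERVER_CHALLENGE, blob)
    bad = good[:16] + b"\x00" + good[17:]  # constructed: blob altered after hashing
    return (client_key, server_verify(key, SERVER_CHALLENGE, good),
            server_verify(key, SERVER_CHALLENGE, bad))

if __name__ == "__main__":
    for label, value in zip(("client key", "server key", "malformed"), demo()):
        print(label, value.hex() if value else value)
```

Both sides derive the same session key only when the blob the client sends is byte-for-byte the blob it hashed, so a client that formats the response differently from what the server expects is left without a shared key.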