NTLMv2 working! (was: Re: SMB Signing, kerberos, NTLMv2 TODO)

Andrew Bartlett abartlet at samba.org
Fri May 9 15:27:13 GMT 2003 

On Wed, 2003-05-07 at 23:05, Andrew Bartlett wrote:
> On Thu, 2003-05-01 at 15:18, Andrew Bartlett wrote:
> 
> > What we do know
> > ---------------
> > 
> > SMB signing works, for authentication using the NTLM authentication
> > scheme, when not using 'extended security', and not using NTLMv2.
> > 
> > NTLMv2 works, as does LMv2 for all things that don't require the
> > 'session key'.  
> 
> It is my suspicion that NTLMv2 doesn't actually work (as a client) and
> that we were just getting away with having working NTLMv2.

I've just committed to Samba 3.0 the changes required to really support
NTLMv2 as a client.  This is thanks to the hard work of many, including
Tim Potter, the TNG folks who did this ages ago and Chris Hertel, for
writing it up so painstakingly in his book.

> > What is unknown
> > ---------------
> > 
> > We don't know how to do SMB signing with NTLMv2.  This would be a
> > interesting, small research project for somebody, as the possible inputs
> > are pretty well known.  My guess is that we are getting the NTLMv2
> > response wrong in the client, and causing the server to think we have
> > not negotiated use of a session key.
> 
> This is confirmed by the fact that we can sign NTLMv2 connections to a
> Win2k domain member, when the PDC is Samba (and always generates the
> session key).
> 
> This is a new development - I've just commited these changes to 3.0
> CVS.  The only task now is the NTLMv2 client, which should not be hard
> (given TNG has an implementation, and the format is documented).

We can now engage in an SMB signed exchange with Win2k, using NTLMv2. 
Note, the NTLMSSP question is still very much open...

> > (Adding an ethereal dissector for the NTLMv2 response would probably be
> > a very good place to start, there is a description of the format in
> > Implementing CIFS, and code in Samba TNG libsmb/smbencrypt.c).
> 
> This has now been implemented in CVS ethereal - big thanks to
> tpot at samba.org!

This has been extended, and has proved to be very useful in advancing
this work.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030510/71b99a5f/attachment.bin

More information about the samba-technical mailing list