smb signing and win2k3

Andrew Bartlett abartlet at samba.org
Wed May 21 09:19:37 GMT 2003


On Tue, May 20, 2003 at 05:22:33PM +0200, Volker Lendecke wrote:
> On Mon, May 19, 2003 at 02:02:29PM -0500, Steven French wrote:
> 
> > Andrew Bartlett wrote
> > >This might imply SMB
> > >signing, which we don't support. In particular, we know very little
> > >about the NTLMSSP variant of SMB signing :-(
> > 
> > Interestingly putting Windows 2003 Server in domain mode enables signing
> > (which is not required to access the server before you run the
> > ActiveDirectory promo wizard) but as we saw at Connectathon & the CIFS
> > conference this breaks most if not all of the clients, I will have my work
> > cut out getting the cifs vfs code for this working and accepted by Linus
> > before 2.5 goes gold (so we have a working Linux client to access Windows
> > 2003 Domain Controllers)
> 
> An alternative I've thought about is setting 'use spnego = no' as a
> default. In the same manner as smbd refuses 'security = domain' with
> 'encrypt passwords = no' we could then refuse 'security = ads' without
> 'use spnego = yes'. This way we would be able to connect to a W2k3 DC
> by default.

SMB signing is only a client-side issue for the moment, and even this is
incomplete.  We can certainly adjust the way the client-side options that
control this work. Unfortunately we only get to find out the server requires
signing after we have chosen to use/not use SPNEGO as a client. 

The correct client-side option is 'client use spnego'.  

Andrew Bartlett
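
The ordering described in this message, as an added illustration that is not part of the original post or of Samba's code: in SMB1 the client's SPNEGO choice goes out as a Flags2 bit in the negotiate request, while the server's signing requirement only arrives in the SecurityMode byte of the NT LM 0.12 negotiate response. The response bytes are constructed sample data and the helper names are hypothetical.

```python
import struct

SMB_COM_NEGOTIATE = 0x72
FLAGS2_EXTENDED_SECURITY = 0x0800   # request: client asks for SPNEGO
SIGNING_ENABLED = 0x04              # response SecurityMode bits
SIGNING_REQUIRED = 0x08
CAP_EXTENDED_SECURITY = 0x80000000  # response Capabilities bit

# 32-byte SMB1 header: magic, command, status, flags, flags2,
# 12 skipped bytes (PIDHigh, signature, reserved), then TID, PIDLow, UID, MID.
HEADER = struct.Struct("<4sBIBH12x4H")
# 17 parameter words of the NT LM 0.12 negotiate response.
PARAMS = struct.Struct("<HBHHIIIIQhB")


def build_request_header(use_spnego):
    """Header of the client's negotiate request; the SPNEGO choice is fixed here."""
    flags2 = FLAGS2_EXTENDED_SECURITY if use_spnego else 0
    return HEADER.pack(b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0, flags2, 0, 0, 0, 0)


def parse_negotiate_response(data):
    """Return the signing and extended-security state the server announces."""
    if len(data) < HEADER.size + 1 + PARAMS.size:
        raise ValueError("truncated negotiate response")
    magic, cmd = HEADER.unpack_from(data, 0)[:2]
    if magic != b"\xffSMB" or cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not an SMB1 negotiate response")
    if data[HEADER.size] != 17:
        raise ValueError("not an NT LM 0.12 response (WordCount != 17)")
    fields = PARAMS.unpack_from(data, HEADER.size + 1)
    mode, caps = fields[1], fields[7]
    return {
        "signing_enabled": bool(mode & SIGNING_ENABLED),
        "signing_required": bool(mode & SIGNING_REQUIRED),
        "extended_security": bool(caps & CAP_EXTENDED_SECURITY),
    }


def sample_response(mode, caps):
    """Constructed server reply (not a capture) with the given SecurityMode."""
    header = HEADER.pack(b"\xffSMB", SMB_COM_NEGOTIATE, 0, 0x80, 0, 0, 0, 0, 0)
    params = PARAMS.pack(0, mode, 50, 1, 16644, 65536, 0, caps, 0, 0, 0)
    return header + bytes([17]) + params + b"\x00\x00"  # ByteCount = 0


if __name__ == "__main__":
    request = build_request_header(use_spnego=True)    # choice already sent
    reply = sample_response(0x0F, CAP_EXTENDED_SECURITY)
    print(request.hex(), parse_negotiate_response(reply))
```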



