Recent AD/Kerberos discoveries (including SMB signing)
Andrew Bartlett
abartlet at samba.org
Sat Sep 13 10:45:58 GMT 2003
Just a quick note on some of the interesting things I've been
discovering regarding kerberos:
Using the machine account:
- We can use our machine kerberos account, even if we joined with MSRPC
only.
- We can use it, even after we have changed the password.
SMB signing:
- If the kerberos key length (which becomes the user session key) is
only 8 bytes, then the SMB signing algorithm just uses those 8 bytes.
(Currently we copy a fixed 16 bytes into the MD5 hash).
Then we can fully conduct SMB signing on a kerberos-authenticated
connection.
This should allow smbclient to operate in 'signing required'
environments, even without the new kerberos libraries.
The next step is to allow password etc to be 'sealed' with this
shortened session key - I'm not quite sure how that works yet.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
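
The key-length point in the SMB signing note above, as an added example (not part of the original message and not Samba code): an SMB1 signature is the first 8 bytes of MD5 over the MAC key followed by the packet with the sequence number in the signature field, so a peer that hashes the 8-byte key and one that hashes a fixed 16 bytes disagree. The sample key, the packet, the zero fill of the 16-byte copy, and a MAC key made of the session key alone are assumptions.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8  # SecuritySignature field of the 32-byte SMB1 header


def smb1_signature(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(mac_key || packet with seq in the signature field)."""
    if len(packet) < SIG_OFFSET + SIG_LEN:
        raise ValueError("packet too short to hold an SMB1 signature field")
    # The signature field is overwritten with the 32-bit sequence number
    # plus four zero bytes before hashing.
    stamped = (packet[:SIG_OFFSET] + struct.pack("<II", seq, 0)
               + packet[SIG_OFFSET + SIG_LEN:])
    # Every byte of mac_key is hashed, so its length changes the result.
    return hashlib.md5(mac_key + stamped).digest()[:SIG_LEN]


def sign(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """Return the packet with its signature field filled in."""
    sig = smb1_signature(mac_key, packet, seq)
    return packet[:SIG_OFFSET] + sig + packet[SIG_OFFSET + SIG_LEN:]


def verify(mac_key: bytes, signed: bytes, seq: int) -> bool:
    """Recompute the signature and compare in constant time."""
    got = signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(got, smb1_signature(mac_key, signed, seq))


def fixed16(key: bytes) -> bytes:
    """Model of 'copy a fixed 16 bytes'; the zero fill is an assumption."""
    return key.ljust(16, b"\x00")[:16]


# Constructed sample: an 8-byte session key and a minimal SMB1 packet
# (32-byte header, then word count 0 and byte count 0).
KEY8 = bytes.fromhex("0123456789abcdef")
PACKET = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", 0x72, 0, 0x18, 0xC807,
                     0, b"\x00" * 8, 0, 0, 0x1234, 0, 1) + b"\x00\x00\x00"

if __name__ == "__main__":
    signed = sign(KEY8, PACKET, 2)
    print("8-byte key verifies:     ", verify(KEY8, signed, 2))
    print("fixed 16 bytes verifies: ", verify(fixed16(KEY8), signed, 2))
```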