Recent AD/Kerbersos discoveries (including SMB signing)

Andrew Bartlett abartlet at
Sat Sep 13 10:45:58 GMT 2003

Just a quick note on some of the interesting things I've been
discovering regarding kerberos:

Using the machine account:
- We can use our machine kerberos account, even if we joined with MSRPC
- We can use it, even after we have changed the password.

SMB signing:
- If the kerberos key length (which becomes the user session key) is
only 8 bytes, then the SMB signing algorithm just uses those 8 bytes. 

(Currently we copy a fixed 16 bytes into the MD5 hash).

Then we can fully conduct SMB signing on a kerberos-authenticated

This should allow smbclient to operate in 'signing required'
environments, even without the new kerberos libraries. 

The next step is to allow password etc to be 'sealed' with this
shortened session key - I've not quite sure how that quite works yet.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list