Recent AD/Kerberos discoveries (including SMB signing)

Jeremy Allison jra at samba.org
Sat Sep 13 18:49:43 GMT 2003


On Sat, Sep 13, 2003 at 08:45:55PM +1000, Andrew Bartlett wrote:
> Just a quick note on some of the interesting things I've been
> discovering regarding kerberos:
> 
> Using the machine account:
> - We can use our machine kerberos account, even if we joined with MSRPC
> only.
> - We can use it, even after we have changed the password.
> 
> SMB signing:
> - If the kerberos key length (which becomes the user session key) is
> only 8 bytes, then the SMB signing algorithm just uses those 8 bytes. 
> 
> (Currently we copy a fixed 16 bytes into the MD5 hash).
> 
> Then we can fully conduct SMB signing on a kerberos-authenticated
> connection.
> 
> This should allow smbclient to operate in 'signing required'
> environments, even without the new kerberos libraries. 

Is this a simple patch? Sounds like it - in which case
can you either code it up or just tell me exactly what
needs changing and I'll code it and test it.

Thanks,

	Jeremy.
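
An added illustration of the key-length point in the quoted note (not Samba code and not written by either poster): the SMB1 signature is the first 8 bytes of MD5(session key || response || message), with the sequence number placed in the signature field, so a signer that hashes the 8-byte key as-is and one that hashes a fixed 16 bytes produce different MACs. Assumptions: the response blob is empty for a Kerberos session, the extra 8 bytes of the fixed-size copy are modelled as zeros, and the key and message are constructed sample values.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14  # SecuritySignature field inside the 32-byte SMB1 header
SIG_LEN = 8

def smb1_mac(session_key: bytes, response: bytes, message: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(key || response || message with seq in the signature field)."""
    if len(message) < SIG_OFFSET + SIG_LEN:
        raise ValueError("message too short to hold an SMB1 signature field")
    buf = bytearray(message)
    # Sequence number as 4 bytes little-endian, followed by 4 zero bytes.
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<II", seq, 0)
    md5 = hashlib.md5()
    md5.update(session_key)  # the whole key, whatever its length
    md5.update(response)     # assumed empty for a Kerberos session
    md5.update(bytes(buf))
    return md5.digest()[:SIG_LEN]

def sign(session_key: bytes, response: bytes, message: bytes, seq: int) -> bytes:
    """Return a copy of the message with the MAC written into the signature field."""
    buf = bytearray(message)
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = smb1_mac(session_key, response, message, seq)
    return bytes(buf)

def verify(session_key: bytes, response: bytes, signed: bytes, seq: int) -> bool:
    """Recompute the MAC and compare it in constant time with the one in the packet."""
    expected = smb1_mac(session_key, response, signed, seq)
    return hmac.compare_digest(expected, signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN])

def fixed16(session_key: bytes) -> bytes:
    """Model of hashing a fixed 16 bytes; zero padding is an assumption."""
    return session_key[:16].ljust(16, b"\x00")

# Constructed sample data: an 8-byte session key and a minimal SMB1-shaped message.
KEY8 = bytes.fromhex("0123456789abcdef")
MSG = b"\xffSMB" + b"\x72" + bytes(27) + b"constructed body"

if __name__ == "__main__":
    signed = sign(KEY8, b"", MSG, 0)
    print("8-byte key verifies:      ", verify(KEY8, b"", signed, 0))
    print("fixed 16-byte key verifies:", verify(fixed16(KEY8), b"", signed, 0))
```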


