Recent AD/Kerbersos discoveries (including SMB signing)

Jeremy Allison jra at
Sat Sep 13 18:49:43 GMT 2003

On Sat, Sep 13, 2003 at 08:45:55PM +1000, Andrew Bartlett wrote:
> Just a quick note on some of the interesting things I've been
> discovering regarding kerberos:
> Using the machine account:
> - We can use our machine kerberos account, even if we joined with MSRPC
> only.
> - We can use it, even after we have changed the password.
> SMB signing:
> - If the kerberos key length (which becomes the user session key) is
> only 8 bytes, then the SMB signing algorithm just uses those 8 bytes. 
> (Currently we copy a fixed 16 bytes into the MD5 hash).
> Then we can fully conduct SMB signing on a kerberos-authenticated
> connection.
> This should allow smbclient to operate in 'signing required'
> environments, even without the new kerberos libraries. 

Is this a simple patch ? Sounds like it - in which case
can you either code it up or just tell me exactly what
needs changing and I'll code it and test it.



More information about the samba-technical mailing list