"Secure" channel demystifying?

Henrik Nordstrom hno at squid-cache.org
Sat Jul 10 11:30:40 GMT 2004

On Wed, 7 Jul 2004, Dimitry V. Ketov wrote:

> As I can see, it's just normal LM/NTLM challeges and respones inside NETLOGON "secure" channel

Yes, the NTLM challenges/responses is the same as NTLM would not work
otherwise. But the final response (not the NTLM response) carrries 
additional information.

> copied from client/server LM/NTLM authetication.

But not in the same order.. Look how the challenge is generated. This mode
of the NTLM/LANMAN protocols is only available from the domain controller
because of the trust chain established by the domain computer account.

> Where is that "protection" ? :(

It is not the NTLM challenge/response which is protected, this is public
information. What is protected is the user session key contained within
the netlogin response. Not strongly protected, but protected. The user 
session key is not part of NTLM but is used in other aspects related to 

As discussed before real security is only provided if signing & sealing is
enabled on the secure channel (which it is by default). The capability of
signing & sealing is the difference between the original NT4 style domain
logins and the secure channel used in NT4 SP4 and later..

> Furthermore, it seems doesn't conform to NETLOGON authentication, stated in http://www.samba.org/samba/devel/docs/html/Samba-Developers-Guide.html#id2878012

In what sense?


More information about the samba-technical mailing list