smb signatures - per tcp session or per smb session sequence numbers?

Michael B Allen mba2000 at ioplex.com
Wed Feb 23 20:36:20 GMT 2005


On Wed, 23 Feb 2005 11:50:18 -0700
Steven French <sfrench at us.ibm.com> wrote:

> mount with a 2nd user.  Presumably the only other obvious thing to try is
> to go back as a test to per SMB session counters - but signing both the
> 1st and 2nd smb sessions with the 1st session's session key (although
> different

The counter is initialized with the key and incremented with each request
signed. The whole thing is per tcp and makes no distinction about what
session a request is associated with. See jCIFS SigningDigest.java [1].

Note that it's important to associate the response counter with the
response so that you're using the proper value in the event that responses
are not received serially. But you're probably doing that already I think
or signing would fall apart pretty easily under load.

> It is hard to have anything to compare this with - I could not get my xp
> system to mount with two different userids (probably would have to install
> Windows terminal server to try that) - do we have any Samba client

Maybe try:

  runas /u:Dom\Alice /netonly cmd
  runas /u:Dom\Bob /netonly cmd

and then run two net use commands on the same resource in each term?

> utilities which could multiplex two smb sessions over one tcp session (if
> not hopefully jCIFS works for that so I can figure out what I am doing

Yes, jCIFS does NTLM signing 100%. Try running examples/UrlReader.java like:

  $ java -Djcifs.smb.client.signingPreferred=true UrlReader \
		"smb://dom;alice:apass@192.168.2.2/share/file.txt" \
		"smb://dom;bob:bpass@192.168.2.2/share/file.txt"

This will create two sessions over the same transport with signing
provided the server does signatures and accepts NTLM authentication.

> wrong - I would hate to have to fall back to open multiple tcp sessions
> (if that would even work at all) one for each smb session)?

Nahh, you can get it to work. Being able to multiplex sessions over
the same transport is a great scalability feature and being kernel-side
you're in a good position to take advantage of that. Do it baby!

Mike

[1] http://jcifs.samba.org/src/src/jcifs/smb/SigningDigest.java

-- 
IRC - where men are men, women are men, and the boys are FBI agents.
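
As an added illustration of the scheme described in this message (not code from the post or from jCIFS): a Python sketch of one signing counter per TCP transport shared by two SMB sessions, with each response's expected sequence number recorded by MID so that out-of-order replies still verify. The MD5 over key plus message and the request N / response N+1 numbering follow SMB1 signing; the key, the starting counter value, the message contents and all function names are constructed for the example.

```python
import hashlib
import hmac
import struct

SIG_OFF, UID_OFF, MID_OFF = 14, 28, 30   # offsets in the 32-byte SMB1 header

def make_msg(uid, mid, payload=b""):
    """Constructed minimal SMB1 message: header with UID/MID set, plus payload."""
    hdr = bytearray(32)
    hdr[0:4] = b"\xffSMB"
    struct.pack_into("<H", hdr, UID_OFF, uid)
    struct.pack_into("<H", hdr, MID_OFF, mid)
    return bytes(hdr) + payload

def stamp(mac_key, seq, msg):
    """Return msg with its signature field computed for sequence number seq."""
    buf = bytearray(msg)
    buf[SIG_OFF:SIG_OFF + 8] = struct.pack("<II", seq, 0)   # seq sits in the field first
    buf[SIG_OFF:SIG_OFF + 8] = hashlib.md5(mac_key + bytes(buf)).digest()[:8]
    return bytes(buf)

class TransportSigner:
    """One counter per TCP transport, shared by every SMB session (UID) on it."""
    def __init__(self, mac_key):
        self.mac_key = mac_key      # key of the first signed session on the transport
        self.seq = 0                # assumption: counting starts at 0 here
        self.pending = {}           # MID -> sequence number expected on the response

    def sign(self, msg):
        mid = struct.unpack_from("<H", msg, MID_OFF)[0]
        self.pending[mid] = self.seq + 1        # response uses request seq + 1
        signed = stamp(self.mac_key, self.seq, msg)
        self.seq += 2
        return signed

    def verify(self, msg):
        mid = struct.unpack_from("<H", msg, MID_OFF)[0]
        seq = self.pending.pop(mid, None)       # look up by MID, not arrival order
        return seq is not None and hmac.compare_digest(stamp(self.mac_key, seq, msg), msg)

def demo():
    key = b"constructed-mac-key"
    client = TransportSigner(key)
    client.sign(make_msg(uid=1, mid=10))        # alice: seq 0, response seq 1
    client.sign(make_msg(uid=2, mid=11))        # bob:   seq 2, response seq 3
    # Constructed server replies, delivered out of order (bob's first).
    bob = stamp(key, 3, make_msg(2, 11, b"bob data"))
    alice = stamp(key, 1, make_msg(1, 10, b"alice data"))
    return client.verify(bob), client.verify(alice)
```

A reply for the second session signed as if that session had its own counter (sequence 1 instead of 3) fails `verify`, which is the mismatch a per-session counter would produce.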

