Samba4: Some GENSEC questions

Kai Blin k.blin at gmx.net
Sat Apr 8 12:23:16 GMT 2006


* tridge at samba.org [08/04/06, 21:58:29]:

Tridge,

thanks for the quick answer.

> The person you really want to ask is Andrew Bartlett, but right now he
> is hiking in Tasmania. If you can wait a couple of weeks then I'm sure
> he'd be happy to help.

Yeah, he told me he'd be away for some weeks, but I decided I would try
to get as far as possible before my semester started again.

[...]

> 
> and DCERPC_REQUEST_LENGTH is the header length. The header itself is
> not encrypted as otherwise you wouldn't know how to decrypt it :-)
>
> The signing (which is often combined with sealing) does need to cover
> the whole packet to protect against tampering, so you need two data
> pointers to tell gensec about the separate signing/sealing ranges.
>

Ok, figures. I need to read up on how this would apply to NTLMSSP and SPNEGO.
 
>  > The call to gensec_seal_packet() in my test fails with
>  > NT_STATUS_INVALID_PARAMETER, from which I gather that the
>  > gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) test on
>  > gensec.c line 782. I requested the feature when setting up the gensec,
>  > but maybe it's at the wrong place.
> 
> Do you know that the other end of the link accepted the negotiation of
> sealing? For example, if you are using NTLMSSP then you need to look
> at what capability bits came back from the other end, and if they
> included sealing. If you up the debug level a little the gensec logs
> should tell you what's going on.

Currently I'm controlling both ends of the negotiation. I figure if I'm
requesting sealing on both sides this should enable it. NTLM supports
sealing, after all. Oh well, I'll toy with this some more and wait for
Andrew to return if I can't make progress here.

Cheers,
Kai

-- 
Kai Blin, private email
Use extra care when cleaning on stairs.
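The two ranges Tridge describes above (signature over the whole PDU, encryption over the body only, header left in the clear so the receiver can still parse it), shown as an added illustration in C that is not Samba or gensec code; a keyed FNV checksum and an XOR keystream stand in for the real MAC and stream cipher, and the 16-byte header length and the sample PDU are assumed for the demo.

```c
/* Added example, not Samba code: the two ranges the reply describes. The
 * signature covers the whole PDU; the cipher covers only the body, so the
 * header stays parsable. Keyed FNV + XOR keystream stand in for MAC/cipher. */
#include <stdint.h>
#include <string.h>

#define DCERPC_HDR_LEN 16   /* assumed header length for this demo */
/* Stand-in keyed checksum (NOT a real MAC) over an arbitrary range. */
static uint32_t demo_mac(const uint8_t *key, size_t klen,
                         const uint8_t *buf, size_t len) {
    uint32_t h = 2166136261u;                       /* FNV-1a, key as prefix */
    for (size_t i = 0; i < klen; i++) h = (h ^ key[i]) * 16777619u;
    for (size_t i = 0; i < len;  i++) h = (h ^ buf[i]) * 16777619u;
    return h;
}
/* Stand-in stream cipher: XOR with a key-derived byte stream (self-inverse). */
static void demo_xor(const uint8_t *key, size_t klen, uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= (uint8_t)(key[i % klen] + i);
}
/* Sign over the whole PDU, then seal only the body; returns the signature. */
uint32_t seal_pdu(const uint8_t *key, size_t klen, uint8_t *pdu, size_t len) {
    uint32_t sig = demo_mac(key, klen, pdu, len);                    /* whole PDU */
    demo_xor(key, klen, pdu + DCERPC_HDR_LEN, len - DCERPC_HDR_LEN); /* body only */
    return sig;
}

/* Unseal the body, then verify over the restored PDU: 1 ok, 0 if altered in transit. */
int unseal_pdu(const uint8_t *key, size_t klen, uint8_t *pdu, size_t len, uint32_t sig) {
    demo_xor(key, klen, pdu + DCERPC_HDR_LEN, len - DCERPC_HDR_LEN);
    return demo_mac(key, klen, pdu, len) == sig;
}

/* Self-check on a constructed 24-byte PDU: 0 when the header stays clear, the body
 * changes, a flipped header bit is rejected and the clean PDU round-trips; else 1..4. */
int run_demo(void) {
    const uint8_t key[] = "demo-session-key";
    uint8_t pdu[DCERPC_HDR_LEN + 8] = {5, 0, 0, 3, 16, 0, 0, 0, 24, 0, 0, 0,
                                       1, 0, 0, 0, 'p','a','y','l','o','a','d','!'};
    uint8_t orig[sizeof pdu], tampered[sizeof pdu];
    memcpy(orig, pdu, sizeof pdu);
    uint32_t sig = seal_pdu(key, sizeof key - 1, pdu, sizeof pdu);
    if (memcmp(pdu, orig, DCERPC_HDR_LEN) != 0) return 1;
    if (memcmp(pdu + DCERPC_HDR_LEN, orig + DCERPC_HDR_LEN, 8) == 0) return 2;
    memcpy(tampered, pdu, sizeof pdu);
    tampered[3] ^= 0x01;                             /* flip a header bit on the wire */
    if (unseal_pdu(key, sizeof key - 1, tampered, sizeof pdu, sig)) return 3;
    if (!unseal_pdu(key, sizeof key - 1, pdu, sizeof pdu, sig)) return 4;
    return memcmp(pdu, orig, sizeof pdu) == 0 ? 0 : 4;
}
```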