SMB signing and 2ROT13

Dave Daugherty dave.daugherty at centrify.com
Fri Dec 8 19:52:55 GMT 2006


I saw this problem when implementing SMB signing on a non-Samba product
when working against a Windows 2000 service pack 2.
The Windows server negotiated signing, but in fact it did not sign the
last session setup and X response and just reflected back what I sent.
My workaround was to check if it was the sessionSetupAndX response
message and if it reflected back my last signature.

In this case I continued to sign my packets, but stopped checking the
signatures from the Windows 2000 server.

Dave Daugherty
Centrify Corp

> Matthew Geddes Sent: Friday, December 08, 2006 9:59 AM
> Subject: SMB signing and 2ROT13

> Hi all,

> I've seen a problem here with a Windows 2003 Server R2 PDC (as well as
> Windows 2000 Server) where client signing is set either to auto or
> mandatory and the Windows 2003 policy is left as mandatory (the
> default).

> The issue is that packet captures show SMB signing is negotiated, so
> Samba starts signing packets. Windows replies to our SMBs, but places
> the same signature from our request in the reply. We're expecting a
> different signature and barf. In the case where Samba is configured to
> use signing where possible, but not mandate it, we try to back off and
> not use signing, but Windows still mandates it.

> Apart from bit 3 and possibly bit 12 in flags2, is there anything else
> that needs to be done to negotiate signing?

> Has anyone seen this before? It certainly looks like a problem with
> the Windows DC. I'm running 3.0.23c FWIW.

> The problem seems to come and go and I haven't yet worked out how to
> reproduce it. Any suggestions would be appreciated.

> thx,
> Matt
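
The check described in the reply above, sketched as an added example that is not part of either post and is not Samba or Centrify code. It assumes SMB1 signing as the first 8 bytes of MD5 over the MAC key plus the message with the sequence number written into the signature field (header offset 14), with the reply using the request's sequence number plus one; the key, packets and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG = slice(14, 22)                # SecuritySignature field of the 32-byte SMB1 header
SMB_COM_SESSION_SETUP_ANDX = 0x73  # command byte is at header offset 4


def with_sig(msg: bytes, sig: bytes) -> bytes:
    """Return msg with its 8-byte signature field replaced by sig."""
    return msg[:SIG.start] + sig + msg[SIG.stop:]


def smb1_mac(mac_key: bytes, msg: bytes, seq: int) -> bytes:
    """First 8 bytes of MD5(mac_key || msg), computed with the sequence
    number (32-bit little-endian, zero-padded) in the signature field."""
    stamped = with_sig(msg, struct.pack("<I4x", seq))
    return hashlib.md5(mac_key + stamped).digest()[:8]


def sign(mac_key: bytes, msg: bytes, seq: int) -> bytes:
    return with_sig(msg, smb1_mac(mac_key, msg, seq))


def classify_reply(mac_key: bytes, request: bytes, reply: bytes, req_seq: int) -> str:
    """'valid' if the reply carries a correct MAC for req_seq + 1,
    'reflected' if a SessionSetupAndX reply echoes our own request
    signature (the behaviour reported above), otherwise 'invalid'."""
    got = reply[SIG]
    if hmac.compare_digest(got, smb1_mac(mac_key, reply, req_seq + 1)):
        return "valid"
    if reply[4] == SMB_COM_SESSION_SETUP_ANDX and got == request[SIG]:
        return "reflected"
    return "invalid"


def packet(command: int, flags: int, body: bytes) -> bytes:
    """Constructed SMB1 message: 32-byte header with a zeroed signature, then body."""
    hdr = struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, flags,
                      0x0004, 0, bytes(8), 0, 0, 1, 0, 1)
    return hdr + body


KEY = bytes(range(16))  # constructed MAC key, not from any real session
REQUEST = sign(KEY, packet(SMB_COM_SESSION_SETUP_ANDX, 0x18, b"setup-req"), 0)
GOOD = sign(KEY, packet(SMB_COM_SESSION_SETUP_ANDX, 0x98, b"setup-rsp"), 1)
ECHOED = with_sig(GOOD, REQUEST[SIG])  # reply carrying the request's signature

if __name__ == "__main__":
    for name, reply in (("signed", GOOD), ("echoed", ECHOED)):
        print(name, classify_reply(KEY, REQUEST, reply, 0))
```

A client that reacts to `reflected` by no longer checking server signatures, as in the workaround above, has no integrity protection on anything the server sends for the rest of that session, so the event is worth logging per connection.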


