[Patch] Always start with the NTLMSSP_NEGOTIATE_ALWAYS_SIGN
flag enabled
Kai Blin
kai.blin at gmail.com
Fri Nov 17 08:44:12 GMT 2006
On Wednesday 15 November 2006 23:21, Jeremy Allison wrote:
> > Testing in Windows shows that (at least for Windows 2000) NTLM always
> > tries the NTLMSSP_NEGOTIATE_ALWAYS_SIGN flag. It is needed to do the
> > dummy signing RPC uses if NTLMSSP_NEGOTIATE_SIGN is not negotiated.
> >
> > This patch always enables that flag at first and handles switching it of
> > if the communication partner does not support it.
>
> Can you check Windows 2003 also. The changes I made to the
> flags in the ntlmssp code were designed to match w2k3.
>
> I'd like to know if this is correct.
I don't have a Windows 2003 box myself (for Wine, it's usually fine if tests
run on one version of Windows ;) ), but I extended a test case I already had
and asked some folks to run it on a win2k3 box for me.
Here's Hans Leidekker's results:
This is from a box running Windows Server 2003 Enterprise Edition,
Service Pack 1:
ntlm.c:311:Running setupClient
ntlm.c:608:No ISC flags set, NTLMSSP flags are 0xa2088207
ntlm.c:627:ISC_REQ_CONNECTION flag set, NTLMSSP flags are 0xa2088207
ntlm.c:646:ISC_REQ_EXTENDED_ERROR flag set, NTLMSSP flags are 0xa2088207
ntlm.c:665:ISC_REQ_MUTUAL_AUTH flag set, NTLMSSP flags are 0xa2088207
ntlm.c:684:ISC_REQ_USE_DCE_STYLE flag set, NTLMSSP flags are 0xa2088207
ntlm.c:703:ISC_REQ_DELEGATE flag set, NTLMSSP flags are 0xa2088207
ntlm.c:722:ISC_REQ_INTEGRITY flag set, NTLMSSP flags are 0xe2088297
ntlm.c:741:ISC_REQ_REPLAY_DETECT flag set, NTLMSSP flags are 0xe2088297
ntlm.c:760:ISC_REQ_SEQUENCE_DETECT flag set, NTLMSSP flags are 0xe2088297
ntlm.c:779:ISC_REQ_CONFIDENTIALITY flag set, NTLMSSP flags are 0xe20882b7
The ISC flags are a bitmask passed to the InitializeSecurityContext() function
that creates the client side session handle.
If no flags are specified, the NTLMSSP flags set are
0x80000000 Negotiate 128
0x20000000 Negotiate 56
0x02000000 Unknown
0x00080000 Negotiate NTLM2 Key
0x00008000 Negotiate Always Sign
0x00000200 Negotiate NTLM
0x00000004 Request Target
0x00000002 Negotiate OEM
0x00000001 Negotiate Unicode
If ISC_REQ_INTEGRITY (i.e. signing) is requested from SSPI
(ISC_REQ_REPLAY_DETECT and ISC_REQ_SEQUENCE_DETECT seem to do the same), then
the following flags are added:
0x40000000 Negotiate Key Exchange
0x00000080 Negotiate Lan Manager Key
0x00000010 Negotiate Sign
If ISC_REQ_CONFIDENTIALITY (i.e. sealing) is requested from SSPI, it adds
0x00000020 Negotiate Seal
You will note that the second-least-significant byte always is 0x82, so it
always asks for "Negotiate Always Sign".
Cheers,
Kai
--
Kai Blin, <kai Dot blin At gmail Dot com>
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin/
--
Will code for cotton.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20061117/0548f1df/attachment.bin
More information about the samba-technical
mailing list