[Patch] Always start with the NTLMSSP_NEGOTIATE_ALWAYS_SIGN flag enabled

Kai Blin kai.blin at gmail.com
Fri Nov 17 08:44:12 GMT 2006

On Wednesday 15 November 2006 23:21, Jeremy Allison wrote:
> > Testing in Windows shows that (at least for Windows 2000) NTLM always
> > tries the NTLMSSP_NEGOTIATE_ALWAYS_SIGN flag. It is needed to do the
> > dummy signing RPC uses if NTLMSSP_NEGOTIATE_SIGN is not negotiated.
> >
> > This patch always enables that flag at first and handles switching it of
> > if the communication partner does not support it.
> Can you check Windows 2003 also. The changes I made to the
> flags in the ntlmssp code were designed to match w2k3.
> I'd like to know if this is correct.

I don't have a Windows 2003 box myself (for Wine, it's usually fine if tests 
run on one version of Windows ;) ), but I extended a test case I already had 
and asked some folks to run it on a win2k3 box for me.

Here's Hans Leidekker's results:

This is from a box running Windows Server 2003 Enterprise Edition,
Service Pack 1:

ntlm.c:311:Running setupClient
ntlm.c:608:No ISC flags set, NTLMSSP flags are 0xa2088207
ntlm.c:627:ISC_REQ_CONNECTION flag set, NTLMSSP flags are 0xa2088207
ntlm.c:646:ISC_REQ_EXTENDED_ERROR flag set, NTLMSSP flags are 0xa2088207
ntlm.c:665:ISC_REQ_MUTUAL_AUTH flag set, NTLMSSP flags are 0xa2088207
ntlm.c:684:ISC_REQ_USE_DCE_STYLE flag set, NTLMSSP flags are 0xa2088207
ntlm.c:703:ISC_REQ_DELEGATE flag set, NTLMSSP flags are 0xa2088207
ntlm.c:722:ISC_REQ_INTEGRITY flag set, NTLMSSP flags are 0xe2088297
ntlm.c:741:ISC_REQ_REPLAY_DETECT flag set, NTLMSSP flags are 0xe2088297
ntlm.c:760:ISC_REQ_SEQUENCE_DETECT flag set, NTLMSSP flags are 0xe2088297
ntlm.c:779:ISC_REQ_CONFIDENTIALITY flag set, NTLMSSP flags are 0xe20882b7

The ISC flags are a bitmask passed to the InitializeSecurityContext() function 
that creates the client side session handle.

If no flags are specified, the NTLMSSP flags set are
0x80000000  Negotiate 128
0x20000000  Negotiate 56
0x02000000  Unknown
0x00080000  Negotiate NTLM2 Key
0x00008000  Negotiate Always Sign
0x00000200  Negotiate NTLM
0x00000004  Request Target
0x00000002  Negotiate OEM
0x00000001  Negotiate Unicode

If ISC_REQ_INTEGRITY (i.e. signing) is requested from SSPI 
(ISC_REQ_REPLAY_DETECT and ISC_REQ_SEQUENCE_DETECT seem to do the same), then 
the following flags are added:
0x40000000  Negotiate Key Exchange
0x00000080  Negotiate Lan Manager Key
0x00000010  Negotiate Sign

If ISC_REQ_CONFIDENTIALITY (i.e. sealing) is requested from SSPI, it adds
0x00000020  Negotiate Seal

You will note that the second-least-significant byte always is 0x82, so it 
always asks for "Negotiate Always Sign".

Kai Blin, <kai Dot blin At gmail Dot com>
WorldForge developer    http://www.worldforge.org/
Wine developer          http://wiki.winehq.org/KaiBlin/
Will code for cotton.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20061117/0548f1df/attachment.bin

More information about the samba-technical mailing list