[Patch] Always start with the NTLMSSP_NEGOTIATE_ALWAYS_SIGN flag enabled

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Nov 22 11:03:32 GMT 2006

On Wed, Nov 22, 2006 at 10:56:17AM +0100, Kai Blin wrote:
> > Ok, just saw that XP->W2k3 does this even for CIFS
> > connections. So this is a +0.9 from me :-)
> Win2k3 doesn't set it then? Does Win2k3 set NTLMSSP_NEGOTIATE_SIGN all the 
> time instead?

Ok, in the XP->W2k3 connection both directions set it,
likewise for W2k3->XP.

> > For the stupid Volker, can you explain a bit more what you
> > mean with "dummy signing RPC uses"? What is this exactly?
> If SSPI is not instructed to enable message integrity and confidentiality, 
> While a sane person would expect the calls to MakeSignature and 
> VerifySignature as well as EncryptMessage and DecryptMessage to fail, SSPI 
> will happily run them and succeed anyway. In this case, the signature will be 
> set to 0x01000000000000000000000000000000. According to [1], this will only 
> be done if NTLMSSP_NEGOTIATE_ALWAYS_SIGN is negotiated, which always happens 
> on all the boxes I checked on. RPC seems to always sign packets sent. If no 
> real signing is requested from RPC, it uses the dummy signing.
> Cheers,
> Kai
> [1] http://davenport.sourceforge.net/ntlm.html#appendixC6

Not having looked at our DCE/RPC code. Do we do this dummy
signing? If yes, then this would be a +1 from me.

Can you point me at the Samba3 code line that does it?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20061122/e94519a1/attachment.bin

More information about the samba-technical mailing list