[Patch] Always start with the NTLMSSP_NEGOTIATE_ALWAYS_SIGN
flag enabled
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Nov 22 11:03:32 GMT 2006
On Wed, Nov 22, 2006 at 10:56:17AM +0100, Kai Blin wrote:
> > Ok, just saw that XP->W2k3 does this even for CIFS
> > connections. So this is a +0.9 from me :-)
>
> Win2k3 doesn't set it then? Does Win2k3 set NTLMSSP_NEGOTIATE_SIGN all the
> time instead?
Ok, in the XP->W2k3 connection both directions set it,
likewise for W2k3->XP.
> > For the stupid Volker, can you explain a bit more what you
> > mean with "dummy signing RPC uses"? What is this exactly?
>
> If SSPI is not instructed to enable message integrity and confidentiality,
> NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL are not negotiated.
>
> While a sane person would expect the calls to MakeSignature and
> VerifySignature as well as EncryptMessage and DecryptMessage to fail, SSPI
> will happily run them and succeed anyway. In this case, the signature will be
> set to 0x01000000000000000000000000000000. According to [1], this will only
> be done if NTLMSSP_NEGOTIATE_ALWAYS_SIGN is negotiated, which always happens
> on all the boxes I checked on. RPC seems to always sign packets sent. If no
> real signing is requested from RPC, it uses the dummy signing.
>
> Cheers,
> Kai
>
> [1] http://davenport.sourceforge.net/ntlm.html#appendixC6
Not having looked at our DCE/RPC code. Do we do this dummy
signing? If yes, then this would be a +1 from me.
Can you point me at the Samba3 code line that does it?
Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20061122/e94519a1/attachment.bin
More information about the samba-technical
mailing list