svn commit: samba r21903 - in branches/SAMBA_3_0/source/libsmb: .

Andrew Bartlett abartlet at samba.org
Mon Mar 26 03:21:30 GMT 2007


On Tue, 2007-03-20 at 21:34 -0700, Jeremy Allison wrote:
> On Wed, Mar 21, 2007 at 03:27:17PM +1100, Luke Howard wrote:
> > 
> > I'd love to see/review the spec.
> 
> I'll definitely include you.
> 
> > Are you going to
> > keep the SMB signature even if you use GSS
> > encryption? This could be a cheap way to get AEAD
> > (integrity protecting the entire PDU whilst only
> > encrypting the payload).
> 
> I wasn't planning to. In fact the current code
> turns off the SMB signature once you've got
> the transport encryption on. Current SMB
> signatures have lots of problems as they're
> mid-based, so the current server encryption
> code (the NTLM base) insists on sign+seal
> (the same way it's done on RPC packets)
> and will drop the connection if you try
> and NTLMSSP negotiate anything less than
> sign+seal at the transport layer.
> 
> Currently the signature is done over the
> <len>0xFF SMB header + entire packet, whereas the
> encryption is only done on the part of
> the payload following the <len>0xFF SMB
> header.

That sounds almost sane...

I presume this is strictly one NTLM packet per SMB request?

Given this much is being encrypted, I would have preferred the way SASL
does things, which is <len><<sig><blob>>, where <sig><blob> is defined
by the encryption mech.  (And encrypted packets may or may not line up
with underlying packets).

But I hope to work with you to get Samba4 compatible with this; it
shouldn't be hard at all.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
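
The two framings compared in this message, as an added example that is not part of the original e-mail and is not Samba code: a clear header whose bytes are still covered by the signature, beside the SASL-style <len><<sig><blob>> wrap. Assumptions: HMAC-SHA256 and an XOR keystream stand in for the mechanism's sign and seal (this is not NTLMSSP), and the function names, the per-message sequence number and the position of the signature in the PDU are hypothetical.

```python
import hashlib, hmac, struct

SIG_LEN = 32  # HMAC-SHA256 stands in for the mechanism's signature (assumption)

def _sig(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _seal(key, seq, data):
    # Stand-in cipher: XOR with an HMAC-SHA256 counter keystream keyed per sequence
    # number. Illustrative only; not NTLMSSP/GSS sealing. XOR makes it its own inverse.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = _sig(key, struct.pack(">QI", seq, off // 32))
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def wrap_clear_header(enc_key, mac_key, seq, header, payload):
    """Header sent in clear, payload sealed, signature over header + sealed payload."""
    sealed = _seal(enc_key, seq, payload)
    sig = _sig(mac_key, struct.pack(">Q", seq) + header + sealed)
    return header + sig + sealed  # signature placement is this example's choice

def unwrap_clear_header(enc_key, mac_key, seq, header_len, pdu):
    if len(pdu) < header_len + SIG_LEN:
        raise ValueError("short PDU")
    header, rest = pdu[:header_len], pdu[header_len:]
    sig, sealed = rest[:SIG_LEN], rest[SIG_LEN:]
    expect = _sig(mac_key, struct.pack(">Q", seq) + header + sealed)
    if not hmac.compare_digest(sig, expect):
        raise ValueError("signature mismatch")  # a modified clear header lands here
    return header, _seal(enc_key, seq, sealed)

def wrap_sasl_style(enc_key, mac_key, seq, message):
    """<len><<sig><blob>>: only the 4-byte length is in clear."""
    sealed = _seal(enc_key, seq, message)
    body = _sig(mac_key, struct.pack(">Q", seq) + sealed) + sealed
    return struct.pack(">I", len(body)) + body

def unwrap_sasl_style(enc_key, mac_key, seq, stream):
    """Take one frame off the front of a byte stream; return (message, remainder)."""
    if len(stream) < 4:
        raise ValueError("short frame")
    (n,) = struct.unpack(">I", stream[:4])
    if n < SIG_LEN or len(stream) < 4 + n:
        raise ValueError("short frame")
    sig, sealed = stream[4:4 + SIG_LEN], stream[4 + SIG_LEN:4 + n]
    if not hmac.compare_digest(sig, _sig(mac_key, struct.pack(">Q", seq) + sealed)):
        raise ValueError("signature mismatch")
    return _seal(enc_key, seq, sealed), stream[4 + n:]
```

Because the length prefix delimits each wrapped unit, the SASL-style receiver can pull frames off a byte stream regardless of how the underlying packets were split.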