Kerberos 5 and NTLMv2 without SPNEGO?

Michael B Allen ioplex at gmail.com
Wed Jul 2 01:44:26 GMT 2008


On 7/1/08, Luke Howard <lukeh at padl.com> wrote:
>
>  On 02/07/2008, at 1:49 AM, Gerald (Jerry) Carter wrote:
>
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Michael B Allen wrote:
> >
> > > Dear Cousin,
> > >
> > > Does anyone know if it's ok to do Kerberos 5 and / or NTLMSSP without
> > > SPNEGO for SMB_COM_SESSION_SETUP_ANDX?
> > >
> > > I'm 95% sure the answer is "yes" but it would be nice if someone gave
> > > me assuring pat on the head.
> > >
> >
> > Pretty sure.  Been a while since I looked but I think this is how
> > Steve previously did NTLMSSP in the cifs fs.
> >
>
>
>  I think Windows still does raw NTLMSSP too... never seen raw Kerberos
> though, but SSPI is sufficiently well layered that I would expect it to
> work.

I was able to get raw NTLMSSP w/ NTLMv2 and raw Kerberos 5 working.
Hopefully it will work reliably with all the major servers.

But I was not able to get NTLMv2 SMB signatures working. From looking
at Samba's libsmb code the UserSessionKey calculation described in
Eric Glass' NTLM doc is completely different. I'm getting the feeling
that SMB just uses it's own rules (as usual).

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/


More information about the samba-technical mailing list