Kerberos 5 and NTLMv2 without SPNEGO?

Luke Howard lukeh at
Wed Jul 2 07:22:11 GMT 2008

> I was able to get raw NTLMSSP w/ NTLMv2 and raw Kerberos 5 working.
> Hopefully it will work reliably with all the major servers.

That's a fair concern, given that a lot of server implementations were  
built from packet traces or incomplete documentation. NetApp, for  
example, do not support big-endian PACs (and neither does Samba unless  
that has been fixed recently).

> But I was not able to get NTLMv2 SMB signatures working. From looking
> at Samba's libsmb code the UserSessionKey calculation described in
> Eric Glass' NTLM doc is completely different. I'm getting the feeling
> that SMB just uses it's own rules (as usual).

You might take a look at the MS docs too. From memory the first 16  
bytes of the Kerberos session key are used.

-- Luke

More information about the samba-technical mailing list