Kerberos 5 and NTLMv2 without SPNEGO?

Michael B Allen ioplex at
Wed Jul 2 13:57:16 GMT 2008

On 7/2/08, Luke Howard <lukeh at> wrote:
> > I was able to get raw NTLMSSP w/ NTLMv2 and raw Kerberos 5 working.
> > Hopefully it will work reliably with all the major servers.
> >
> That's a fair concern, given that a lot of server implementations were
> built from packet traces or incomplete documentation. NetApp, for example,
> do not support big-endian PACs (and neither does Samba unless that has been
> fixed recently).
>
> > But I was not able to get NTLMv2 SMB signatures working. From looking
> > at Samba's libsmb code the UserSessionKey calculation described in
> > Eric Glass' NTLM doc is completely different. I'm getting the feeling
> > that SMB just uses its own rules (as usual).
> >
> You might take a look at the MS docs too. From memory the first 16 bytes of
> the Kerberos session key are used.

Yeah, Kerberos was easy. The problem is NTLMv2 SMB signatures. From
looking at a log level 10 of smbclient it looks like it generates the
user_session_key in the if (ntlmssp_state->neg_flags &
libsmb/ntlmssp.c:ntlmssp_client_challenge. I did look at [MS-NLMP]
briefly but it wasn't obvious to me what corresponded to that code. I
got sidetracked with client vs. server subkeys and such but it doesn't
look like SMB uses those keys (which makes sense now because it would
require very different signing behavior). I get the feeling the NTLM
docs are talking about generic NTLMSSP integrity and conf whereas SMB
does something a little different.

Whatever. I'm sure I can make it work. It's just something that
requires a lot of fiddling.


Michael B Allen
PHP Active Directory SPNEGO SSO
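
For reference, an added example (not part of this thread and not Samba's code) of the NTLMv2 session base key as [MS-NLMP] defines it, and of the SMB1 MD5 signature computed with a 16-byte key. It assumes extended security without key exchange, so the session base key is used directly as the signing key and no challenge response is appended; the function names and all input values are constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14  # SecuritySignature: 8 bytes at offset 14 of the 32-byte SMB1 header


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def ntlmv2_session_base_key(nt_hash, user, domain, server_challenge, temp):
    """Return (NTProofStr, SessionBaseKey) following the [MS-NLMP] NTLMv2 rules."""
    # ResponseKeyNT (NTOWFv2): keyed on the NT hash over upper(user) + domain.
    response_key = hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))
    # NTProofStr covers the server challenge and the client blob ("temp").
    nt_proof_str = hmac_md5(response_key, server_challenge + temp)
    # SessionBaseKey is a second HMAC, over NTProofStr alone.
    return nt_proof_str, hmac_md5(response_key, nt_proof_str)


def smb1_sign(key, message, seq, challenge_response=b""):
    """Return the 8-byte SMB1 signature for message (no NetBIOS length prefix)."""
    if len(message) < 32 or message[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    buf = bytearray(message)
    # The sequence number occupies the signature field while the hash is taken.
    buf[SIG_OFFSET:SIG_OFFSET + 8] = struct.pack("<II", seq, 0)
    return hashlib.md5(key + challenge_response + bytes(buf)).digest()[:8]


def smb1_verify(key, message, seq, challenge_response=b""):
    expected = smb1_sign(key, message, seq, challenge_response)
    return hmac.compare_digest(expected, message[SIG_OFFSET:SIG_OFFSET + 8])


def demo():
    # All values below are constructed for illustration.
    nt_hash = bytes(range(16))
    temp = b"\x01\x01" + bytes(26) + b"client-blob-placeholder"
    _, key = ntlmv2_session_base_key(nt_hash, "user", "EXAMPLE", bytes(8), temp)
    msg = bytearray(b"\xffSMB\x73" + bytes(27) + b"\x00\x00\x00")  # header + empty body
    msg[SIG_OFFSET:SIG_OFFSET + 8] = smb1_sign(key, bytes(msg), seq=2)
    return key, bytes(msg)


if __name__ == "__main__":
    key, msg = demo()
    print(key.hex(), smb1_verify(key, msg, 2), smb1_verify(key, msg, 4))
```

For a non-extended-security session setup, the NT response would be passed as `challenge_response` so that it is hashed between the key and the message.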
