[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Shirish Pargaonkar shirishpargaonkar at gmail.com
Sun Apr 11 13:42:37 MDT 2010

On Sun, Apr 11, 2010 at 5:41 AM, Jeff Layton <jlayton at samba.org> wrote:
> On Sat, 10 Apr 2010 23:09:01 -0500
> Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:
>> On Sat, Apr 10, 2010 at 5:17 PM, Jeff Layton <jlayton at samba.org> wrote:
>> > I've been playing with NTLMSSP today in CIFS, and have run across a
>> > problem. The Session Setup using Raw NTLMSSP succeeds, but then afterward
>> > the tree connect fails with STATUS_ACCESS_DENIED. The odd thing is that
>> > if authenticate as the same user using krb5, then it works fine.
>> > smbclient does SPNEGO encapsulated NTLMSSP and the tree connect it does
>> > works fine as well.
>> >
>> > Attached is a capture that shows two "mount attempts". The first one
>> > fails (that the Linux CIFS one). The second succeeds -- that's the
>> > Linux CIFS one.
>> >
>> > The code I'm using is slightly modified so that the tree connect is
>> > closer to identical to what smbclient does. That doesn't get around the
>> > problem though. I assume that there must be something wrong with the
>> > session setup, but since it succeeds it seems like it ought to work...
>> >
>> > Does anyone have any clue as to what the problem is? Or does anyone
>> > know how to make win2k8 tell me why it's refusing the tree connect? The
>> > event viewer seems to be pretty useless for this, but maybe I'm just
>> > not looking in the right place?
>> >
>> > --
>> > Jeff Layton <jlayton at samba.org>
>> >
>> Jeff,
>> You can see if this code change,
>>   cifs_MD5_update(&context, (char *)&key->data, 16);
>> insetead of
>>  cifs_MD5_update(&context, (char *)&key->data, key->len);
>> in function cifs_calculate_signature() works.
> Thanks. With Steve's help last night, I figured out that the problem is
> with the signing key. When I stopped the server from requiring signing,
> then I can mount. So what seems to be happening is that the NTLMSSP
> session setup works, but when we go to sign the first packet (the tree
> connect), the server rejects it.
> It looks like this code is still just stubs and the session key is just
> zeroed out regardless of whether signing is done:
> -----------------[snip]---------------
>        sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
>        sec_blob->SessionKey.Length = 0;
>        sec_blob->SessionKey.MaximumLength = 0;
> -----------------[snip]---------------

I think this is the signature for ntlmv2 authentication
 hmac_md5_final(ses->server->mac_signing_key.data.ntlmv2.key, &context);
and this is the signature for ntlm authentication
 memcpy(key->data.ntlm+16, rn, CIFS_SESS_KEY_SIZE);
to be filled in session key in ntlmssp security blob

> ...samba 3.4 however seems to be fine with this, even when I request
> signing so there may be a samba bug related to this as well.
> I think we need to put a key in that field and may need to alter the
> flags (i.e. add the key exchange flag, etc). It's not 100% clear to me
> what exactly needs to go in that field though, and what flags we need
> to have set at each stage. I'll note that the negotiation flags that
> smbclient uses are very different from what we're sending. smbclient
> also sends a 16 byte key as the session key.
> --
> Jeff Layton <jlayton at samba.org>

More information about the samba-technical mailing list