[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Jeff Layton jlayton at samba.org
Sun Apr 11 17:40:08 MDT 2010


On Sun, 11 Apr 2010 14:42:37 -0500
Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:

> On Sun, Apr 11, 2010 at 5:41 AM, Jeff Layton <jlayton at samba.org> wrote:
> > On Sat, 10 Apr 2010 23:09:01 -0500
> > Shirish Pargaonkar <shirishpargaonkar at gmail.com> wrote:
> >
> >> On Sat, Apr 10, 2010 at 5:17 PM, Jeff Layton <jlayton at samba.org> wrote:
> >> > I've been playing with NTLMSSP today in CIFS, and have run across a
> >> > problem. The Session Setup using Raw NTLMSSP succeeds, but then afterward
> >> > the tree connect fails with STATUS_ACCESS_DENIED. The odd thing is that
> >> > if authenticate as the same user using krb5, then it works fine.
> >> > smbclient does SPNEGO encapsulated NTLMSSP and the tree connect it does
> >> > works fine as well.
> >> >
> >> > Attached is a capture that shows two "mount attempts". The first one
> >> > fails (that the Linux CIFS one). The second succeeds -- that's the
> >> > Linux CIFS one.
> >> >
> >> > The code I'm using is slightly modified so that the tree connect is
> >> > closer to identical to what smbclient does. That doesn't get around the
> >> > problem though. I assume that there must be something wrong with the
> >> > session setup, but since it succeeds it seems like it ought to work...
> >> >
> >> > Does anyone have any clue as to what the problem is? Or does anyone
> >> > know how to make win2k8 tell me why it's refusing the tree connect? The
> >> > event viewer seems to be pretty useless for this, but maybe I'm just
> >> > not looking in the right place?
> >> >
> >> > --
> >> > Jeff Layton <jlayton at samba.org>
> >> >
> >>
> >> Jeff,
> >>
> >> You can see if this code change,
> >>   cifs_MD5_update(&context, (char *)&key->data, 16);
> >> insetead of
> >>  cifs_MD5_update(&context, (char *)&key->data, key->len);
> >> in function cifs_calculate_signature() works.
> >>
> >
> > Thanks. With Steve's help last night, I figured out that the problem is
> > with the signing key. When I stopped the server from requiring signing,
> > then I can mount. So what seems to be happening is that the NTLMSSP
> > session setup works, but when we go to sign the first packet (the tree
> > connect), the server rejects it.
> >
> > It looks like this code is still just stubs and the session key is just
> > zeroed out regardless of whether signing is done:
> >
> > -----------------[snip]---------------
> >        sec_blob->SessionKey.BufferOffset = cpu_to_le32(tmp - pbuffer);
> >        sec_blob->SessionKey.Length = 0;
> >        sec_blob->SessionKey.MaximumLength = 0;
> > -----------------[snip]---------------
> 
> I think this is the signature for ntlmv2 authentication
>  hmac_md5_final(ses->server->mac_signing_key.data.ntlmv2.key, &context);
> and this is the signature for ntlm authentication
>  memcpy(key->data.ntlm+16, rn, CIFS_SESS_KEY_SIZE);
> to be filled in session key in ntlmssp security blob
> 

I don't think that's right. CIFS_SESS_KEY_SIZE is 24 bytes. According
to the MS-NLMP document, the session key should be 16 bytes. The
signing key is different with NTLMSSP than with "raw" NTLM and NTLMv2.

-- 
Jeff Layton <jlayton at samba.org>


More information about the samba-technical mailing list