[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Steve French smfrench at gmail.com
Sat Apr 17 07:50:17 MDT 2010


On Sat, Apr 17, 2010 at 5:29 AM, Jeff Layton <jlayton at samba.org> wrote:
> On Sat, 17 Apr 2010 15:58:23 +1000
> Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Fri, 2010-04-16 at 22:44 -0400, Jeff Layton wrote:
>> >
>> > - then I read the spec more carefully. The problem is that the existing
>> >   code doesn't try to use NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>> >   (aka NTLM2 -- not to be confused with NTLMv2).
>> >
>> > Without that, the server expects signatures done using rc4, but cifs
>> > universally uses md5 signatures.
>>
>> This isn't the case.  SMB signing is always MD5.  NTLM2 simply changes
>> the 'effective' challenge and the session key, by providing a value in
>> the 'LM hash' to include with the Negotiate-provided challenge.
>>
>
> Interesting. That seems to be contradictory to what the MS-NLMP
> document says. If you have a look at section 3.4.4.1, you'll see that
> the algorithm for computing the signature does not use md5. However if
> you negotiate extended session security (aka NTLM2) or use NTLMv2, then
> you're supposed to use md5. Perhaps we should bring that up on the
> dochelp list?

Yes.

> In any case, I think the right solution is just to have CIFS always use
> extended session security and NTLMv2.

This is a good idea - I had been planning to rip the NTLM code
out of SMB2 (simplifies things, and SMB2 is only NTLMSSP or krb5/SPNEGO)
and this will probably make the code more consistent if we don't do
NTLM in NTLMSSP for cifs as well (although plenty of cifs servers don't
support NTLMv2 we probably would never have to use NTLMSSP to them)



-- 
Thanks,

Steve


More information about the samba-technical mailing list