[linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8

Andrew Bartlett abartlet at samba.org
Thu Jul 1 19:11:47 MDT 2010 

On Thu, 2010-07-01 at 12:22 -0500, Shirish Pargaonkar wrote:
> On Mon, Jun 28, 2010 at 6:25 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Mon, 2010-06-28 at 17:47 -0500, Shirish Pargaonkar wrote:
> >
> >> When I look at Windows - Windows smb2 traces, the (16 bytes) signature
> >> looks nothing like
> >> version (which is 1), ciphertext of 8 bytes of hmac-md5, sequence number
> >
> > SMB2 SMB Signing does not use the NTLMSSP packet signing algorithm.
> > Instead, like SMB, it takes the session key already calculated and
> > applies a unique-to-SMB2 algorithm to it.  This involves sha256 I
> > think.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                                http://samba.org/~abartlet/
> > Authentication Developer, Samba Team           http://samba.org
> > Samba Developer, Cisco Inc.
> >
> 
> 
> I have had luck with some kernel crypto apis while working on this code.
> I have been able to use arc4 and md5 hash apis successfully while
> not being able to figure out hmac-md5 apis and I had not even
> looked at sha, which I will.
> 
> What is confusing to me is, current cifs code using ntlmv2 within
> ntlmssp authenticates and signs against Windows 2003 server
> successfully/
> 
> But it does not against Windows 7 and Windows 2008 (I do not have
> a Windows Vista installation). I am currently changing to code and
> I am sure I would be able to authenticate using ntlmv2 within ntlmssp.
> singing is what is confusing.
> 
> With smb2 client also, I can authenticate against Windows 7 and
> Windows 2008 but signing fails.
> 
> So I am confused about what algorithm to use for cifs to sign
> against Windows 7 and Windows 2008 server for ntlmv2 within ntlmssp
> and what algorithm to use for smb2 to sign against a Windows 7
> and Windows 2008 server for ntlmv2 within ntlmssp.
> 
> I have been reading and following MS-NLMP and
> http://davenport.sourceforge.net/ntlm.html

The trick here is only to follow these up to the point at which the
master key is generated, not the signing or sealing keys.  The master
key (16 bytes) is the input the special SMB and SMB2 signing algorithms.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100702/98415dd7/attachment.pgp>

More information about the samba-technical mailing list