Linux CIFS NTLMSSP mount failing against win2k8
Andrew Bartlett
abartlet at samba.org
Tue Jun 29 17:25:10 MDT 2010
On Sat, 2010-04-10 at 23:09 -0500, Shirish Pargaonkar wrote:
> On Sat, Apr 10, 2010 at 5:17 PM, Jeff Layton <jlayton at samba.org> wrote:
> > I've been playing with NTLMSSP today in CIFS, and have run across a
> > problem. The Session Setup using Raw NTLMSSP succeeds, but then afterward
> > the tree connect fails with STATUS_ACCESS_DENIED. The odd thing is that
> > if authenticate as the same user using krb5, then it works fine.
> > smbclient does SPNEGO encapsulated NTLMSSP and the tree connect it does
> > works fine as well.
> >
> > Attached is a capture that shows two "mount attempts". The first one
> > fails (that the Linux CIFS one). The second succeeds -- that's the
> > Linux CIFS one.
> >
> > The code I'm using is slightly modified so that the tree connect is
> > closer to identical to what smbclient does. That doesn't get around the
> > problem though. I assume that there must be something wrong with the
> > session setup, but since it succeeds it seems like it ought to work...
> >
> > Does anyone have any clue as to what the problem is? Or does anyone
> > know how to make win2k8 tell me why it's refusing the tree connect? The
> > event viewer seems to be pretty useless for this, but maybe I'm just
> > not looking in the right place?
> >
> > --
> > Jeff Layton <jlayton at samba.org>
> >
>
> Jeff,
>
> You can see if this code change,
> cifs_MD5_update(&context, (char *)&key->data, 16);
> insetead of
> cifs_MD5_update(&context, (char *)&key->data, key->len);
> in function cifs_calculate_signature() works.
If I had some context, I would be able to advise if this is correct. If
this is the application of the 'session key' to the SMB singing (the MD5
with the actual packet), then this is important, but only for Kerberos,
not NTLMSSP, which for all versions returns a 16 byte key.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100630/fd8e4428/attachment.pgp>
More information about the samba-technical
mailing list