Samba 3.5.x and 3.6.x do not seem to support TREE_CONNECT_ANDX_EXTENDED_SIGNATURES ...

Richard Sharpe realrichardsharpe at
Tue Jul 31 12:07:03 MDT 2012

On Tue, Jul 31, 2012 at 10:24 AM, Richard Sharpe
<realrichardsharpe at> wrote:
> Hi folks,
> We have run into a situation where a customer's clients are requesting
> Session Key Protection via the above flag on a TREE_CONNECT_AND (see
> of [MS-SMB].
> This seems to be designed to prevent applications running on the
> server from divulging the client's actual session keys, but I don't
> know which registry key/keys are used to enable this.
> Does anyone know how to switch this off on Windows.

Following up, it seems quite straightforward to implement, since it
involves taking the signing key (already derived) and hashing it with
hmac_md5 using SSKeyHash as the hash and then replacing the signing
key with the hash.

Looks like about ten lines of code plus the initialization of SSKeyHash.

Still would be useful to know how to get Windows to request this.

The result of not supporting this is that Windows puts up a dialog box
saying something like "The specified server cannot perform the
requested operation" and you cannot access the Samba server.

Richard Sharpe

More information about the samba-technical mailing list