Samba 3.5.x and 3.6.x do not seem to support TREE_CONNECT_ANDX_EXTENDED_SIGNATURES ...

[Richard Sharpe]

On Tue, Jul 31, 2012 at 10:24 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi folks,
>
> We have run into a situation where a customer's clients are requesting
> Session Key Protection via the above flag on a TREE_CONNECT_AND (see
> 3.2.4.2.5) of [MS-SMB].
>
> This seems to be designed to prevent applications running on the
> server from divulging the client's actual session keys, but I don't
> know which registry key/keys are used to enable this.
>
> Does anyone know how to switch this off on Windows.

Following up, it seems quite straightforward to implement, since it
involves taking the signing key (already derived) and hashing it with
hmac_md5 using SSKeyHash as the hash and then replacing the signing
key with the hash.

Looks like about ten lines of code plus the initialization of SSKeyHash.

Still would be useful to know how to get Windows to request this.

The result of not supporting this is that Windows puts up a dialog box
saying something like "The specified server cannot perform the
requested operation" and you cannot access the Samba server.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)