Samba 3.5.x and 3.6.x do not seem to support TREE_CONNECT_ANDX_EXTENDED_SIGNATURES ...

Richard Sharpe realrichardsharpe at
Tue Jul 31 15:01:53 MDT 2012

On Tue, Jul 31, 2012 at 11:07 AM, Richard Sharpe
<realrichardsharpe at> wrote:
> On Tue, Jul 31, 2012 at 10:24 AM, Richard Sharpe
> <realrichardsharpe at> wrote:
>> Hi folks,
>> We have run into a situation where a customer's clients are requesting
>> Session Key Protection via the above flag on a TREE_CONNECT_AND (see
>> of [MS-SMB].
>> This seems to be designed to prevent applications running on the
>> server from divulging the client's actual session keys, but I don't
>> know which registry key/keys are used to enable this.
>> Does anyone know how to switch this off on Windows.
> Following up, it seems quite straightforward to implement, since it
> involves taking the signing key (already derived) and hashing it with
> hmac_md5 using SSKeyHash as the hash and then replacing the signing
> key with the hash.
> Looks like about ten lines of code plus the initialization of SSKeyHash.
> Still would be useful to know how to get Windows to request this.
> The result of not supporting this is that Windows puts up a dialog box
> saying something like "The specified server cannot perform the
> requested operation" and you cannot access the Samba server.

I have to get out of the habit of replying to my own messages.

This seems to be related to a change in the behavior of Win-7/W2K08
with respect to the Local Security Policy->Local Policies->Security

Microsoft network client: Digitally sign communications (always)

If you have it enabled (and have the other one, Digitally Sign
communications (if server agrees enabled) then Win-7 and W2K8 does not
like it if Samba does not implement Extended Signatures and resets the

W2K3 seemed to be happy to go on without the extended signatures.

I will try to prototype the changes required for this and add them to
a bug I will create.

Richard Sharpe

More information about the samba-technical mailing list