Samba 3.5.x and 3.6.x do not seem to support TREE_CONNECT_ANDX_EXTENDED_SIGNATURES ...

Richard Sharpe realrichardsharpe at gmail.com
Tue Jul 31 15:01:53 MDT 2012


On Tue, Jul 31, 2012 at 11:07 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Tue, Jul 31, 2012 at 10:24 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> Hi folks,
>>
>> We have run into a situation where a customer's clients are requesting
>> Session Key Protection via the above flag on a TREE_CONNECT_ANDX (see
>> 3.2.4.2.5) of [MS-SMB].
>>
>> This seems to be designed to prevent applications running on the
>> server from divulging the client's actual session keys, but I don't
>> know which registry key/keys are used to enable this.
>>
>> Does anyone know how to switch this off on Windows?
>
> Following up, it seems quite straightforward to implement, since it
> involves taking the signing key (already derived) and hashing it with
> hmac_md5 using SSKeyHash as the hash and then replacing the signing
> key with the hash.
>
> Looks like about ten lines of code plus the initialization of SSKeyHash.
>
> Still would be useful to know how to get Windows to request this.
>
> The result of not supporting this is that Windows puts up a dialog box
> saying something like "The specified server cannot perform the
> requested operation" and you cannot access the Samba server.

I have to get out of the habit of replying to my own messages.

This seems to be related to a change in the behavior of Win-7/W2K08
with respect to the Local Security Policy->Local Policies->Security
Options:

Microsoft network client: Digitally sign communications (always)

If you have it enabled (and have the other one, Digitally sign
communications (if server agrees), enabled) then Win-7 and W2K8 do not
like it if Samba does not implement Extended Signatures and reset the
connection.

W2K3 seemed to be happy to go on without the extended signatures.

I will try to prototype the changes required for this and add them to
a bug I will create.


-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)

