Samba 3.5.x and 3.6.x do not seem to support TREE_CONNECT_ANDX_EXTENDED_SIGNATURES ...

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Tue Jul 31 15:06:43 MDT 2012


I find your emails very informative, please don't stop replying to yourself.

On Tue, Jul 31, 2012 at 4:01 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:

> On Tue, Jul 31, 2012 at 11:07 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> > On Tue, Jul 31, 2012 at 10:24 AM, Richard Sharpe
> > <realrichardsharpe at gmail.com> wrote:
> >> Hi folks,
> >>
> >> We have run into a situation where a customer's clients are requesting
> >> Session Key Protection via the above flag on a TREE_CONNECT_AND (see
> >> 3.2.4.2.5) of [MS-SMB].
> >>
> >> This seems to be designed to prevent applications running on the
> >> server from divulging the client's actual session keys, but I don't
> >> know which registry key/keys are used to enable this.
> >>
> >> Does anyone know how to switch this off on Windows?
> >
> > Following up, it seems quite straightforward to implement, since it
> > involves taking the signing key (already derived) and hashing it with
> > hmac_md5 using SSKeyHash as the hash and then replacing the signing
> > key with the hash.
> >
> > Looks like about ten lines of code plus the initialization of SSKeyHash.
> >
> > Still would be useful to know how to get Windows to request this.
> >
> > The result of not supporting this is that Windows puts up a dialog box
> > saying something like "The specified server cannot perform the
> > requested operation" and you cannot access the Samba server.
>
> I have to get out of the habit of replying to my own messages.
>
> This seems to be related to a change in the behavior of Win-7/W2K08
> with respect to the Local Security Policy->Local Policies->Security
> Options:
>
> Microsoft network client: Digitally sign communications (always)
>
> If you have it enabled (and have the other one, Digitally sign
> communications (if server agrees), enabled) then Win-7 and W2K8 do not
> like it if Samba does not implement Extended Signatures and reset the
> connection.
>
> W2K3 seemed to be happy to go on without the extended signatures.
>
> I will try to prototype the changes required for this and add them to
> a bug I will create.
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
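The derivation Richard describes in the quoted thread, written out as an added example (this is not Samba code and not code from the thread): the signing key is replaced by HMAC-MD5 keyed with the session key over the SSKeyHash constant, after which the session key itself is never used for signing, so a server-side application that is handed the session key cannot forge signatures. The 256-byte SSKeyHash value from [MS-SMB] is not reproduced here; `SSKEYHASH_PLACEHOLDER` is a constructed stand-in with the same length. The header fields, session key and sequence numbers are constructed too, and `tree_connect_round_trip` models the failure mode from the thread: the client signs a follow-up request with the derived key while the server keeps using the raw session key, so verification fails and the connection is dropped.

```python
import hashlib
import hmac
import struct

# Placeholder for the 256-byte SSKeyHash constant from [MS-SMB]. The real
# constant is not reproduced in the thread, so a constructed byte string
# stands in for it here; only the value differs, not the derivation.
SSKEYHASH_PLACEHOLDER = bytes(range(256))

SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_COM_NT_CREATE_ANDX = 0xA2
SIG_OFFSET = 14   # SecuritySignature field inside the 32-byte SMB1 header


def derive_extended_signing_key(session_key: bytes) -> bytes:
    """Session-key protection: the signing key becomes HMAC-MD5 keyed with
    the session key over SSKeyHash (16 bytes). Traffic is signed with this
    value from then on, never with the session key itself."""
    return hmac.new(session_key, SSKEYHASH_PLACEHOLDER, hashlib.md5).digest()


def build_header(command: int, uid: int = 0x0801, mid: int = 2) -> bytes:
    """Constructed 32-byte SMB1 header with an empty signature field."""
    return (b"\xffSMB" + bytes([command])
            + struct.pack("<I", 0)              # Status
            + bytes([0x18])                     # Flags (constructed value)
            + struct.pack("<HH", 0x4807, 0)     # Flags2 (constructed), PIDHigh
            + b"\0" * 8                         # SecuritySignature, filled by smb1_sign
            + struct.pack("<HHHHH", 0, 0, 0x1234, uid, mid))  # Reserved, TID, PID, UID, MID


def smb1_sign(signing_key: bytes, message: bytes, seq: int) -> bytes:
    """Return the message with its SecuritySignature filled in: the first 8
    bytes of MD5(signing_key || message), computed while the signature field
    holds the 32-bit little-endian sequence number and four zero bytes."""
    buf = bytearray(message)
    buf[SIG_OFFSET:SIG_OFFSET + 8] = struct.pack("<I", seq) + b"\0" * 4
    sig = hashlib.md5(signing_key + bytes(buf)).digest()[:8]
    buf[SIG_OFFSET:SIG_OFFSET + 8] = sig
    return bytes(buf)


def smb1_verify(signing_key: bytes, message: bytes, seq: int) -> bool:
    """Recompute the signature for the expected sequence number and compare
    it in constant time with the one carried in the message."""
    received = message[SIG_OFFSET:SIG_OFFSET + 8]
    expected = smb1_sign(signing_key, message, seq)[SIG_OFFSET:SIG_OFFSET + 8]
    return hmac.compare_digest(received, expected)


def tree_connect_round_trip(server_supports_extended: bool) -> bool:
    """The client asked for TREE_CONNECT_ANDX_EXTENDED_SIGNATURES, so it signs
    later requests with the derived key. A server that ignores the flag keeps
    verifying with the raw session key and rejects them (modelled as False)."""
    session_key = b"\x11" * 16   # constructed session key from session setup
    client_key = derive_extended_signing_key(session_key)
    server_key = (derive_extended_signing_key(session_key)
                  if server_supports_extended else session_key)
    # A constructed follow-up request sent on the newly connected tree.
    request = build_header(SMB_COM_NT_CREATE_ANDX) + b"\0" * 4
    signed = smb1_sign(client_key, request, seq=4)
    return smb1_verify(server_key, signed, seq=4)


if __name__ == "__main__":
    print("server derives key:", tree_connect_round_trip(True))    # True
    print("server ignores flag:", tree_connect_round_trip(False))  # False
```

The two calls at the bottom reproduce the symptom from the thread in miniature: with the derivation on both sides every signature verifies, without it the server cannot verify anything the client sends after the tree connect, which is the point at which Windows reports that the server cannot perform the requested operation.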