[Samba] NTLMv1 v. NTLMv2 ; more than one "identity" on a TCP
abartlet at samba.org
Tue Dec 31 09:37:01 GMT 2002
On Tue, 2002-12-31 at 15:21, Joey Collins wrote:
> Two questions for you this evening.
> How do you tell the difference between NTLMv1-style authentication and
> NTLMv2 style? The CIFS dialect NT LM 0.12 does both(?), so does not
> appear in the NegProtRequest message (nor in the flags, near as I could
> tell). Do you ascertain this by examining the SessionSetupAndX
> message? If so, what parts?
It's really lame - you look at the length of the NT response :-) > 24
> Is it possible to have more than one CIFS "identity" on a TCP
> connection? For example, say I open a TCP connection, authenticate
> myself using NegProt/SessionSetupAndX/etc exchanges as user "foo"
> password "bar", can I also establish another identity (i.e., do another
> SessionSetupAndX exchange?) say, "hello" password "world" on the _same_
> TCP connection?
Yes, by doing a second session setup. It is done often, particularly
on Win2k Terminal Servers, where that new connection can access the
shares already opened by a previous connection! (But with the new
vuid's access rights).
> This seems to be enforced on the client-side because if
> you try to connect to a share on a computer using a different identity,
> it complains saying already connected. But, nothing comes over the
> wire, so it is purely a client-internal decision.
Yep - just to do with Windows internal password caching.
> In the world of NTLM,
> would the same EncryptionKey be used to respond to the challenge?
> Exchanging another set of NegProt's is not allowed according to the SNIA
Correct. Or use 'extended security' in which case you might be able to
do another NTLMSSP exchange, and get a different challenge.
> thanks so much, happy new year, and here's to wishing for a peaceful
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
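
The length check described in the reply above, as an added example that is not part of the original message or Samba's code. It assumes the 13-word (non-extended-security) SessionSetupAndX request layout from the CIFS specification, with NetBIOS framing already stripped; the function names and the zero-filled sample message are constructed for illustration.

```python
import struct

SMB_HDR_LEN = 32                    # fixed SMB1 header size
SESSION_SETUP_ANDX = 0x73           # SMB_COM_SESSION_SETUP_ANDX

def classify_session_setup(msg: bytes) -> str:
    """Classify an SMB1 SessionSetupAndX request by the NT response length."""
    if len(msg) <= SMB_HDR_LEN or msg[:4] != b"\xffSMB" or msg[4] != SESSION_SETUP_ANDX:
        raise ValueError("not an SMB1 SessionSetupAndX message")
    word_count = msg[SMB_HDR_LEN]
    data_off = SMB_HDR_LEN + 1 + 2 * word_count   # where ByteCount lives
    if len(msg) < data_off + 2:
        raise ValueError("truncated parameter block")
    if word_count == 12:            # extended security: a security blob, no NT response
        return "extended-security"
    if word_count != 13:            # 13 words: request carrying LM and NT responses
        raise ValueError(f"unexpected WordCount {word_count}")
    # The two response lengths sit 14 bytes into the parameter words.
    lm_len, nt_len = struct.unpack_from("<HH", msg, SMB_HDR_LEN + 1 + 14)
    (byte_count,) = struct.unpack_from("<H", msg, data_off)
    if lm_len + nt_len > byte_count or len(msg) < data_off + 2 + byte_count:
        raise ValueError("response lengths exceed the data block")
    if nt_len == 24:
        return "ntlmv1-style"       # fixed 24-byte challenge response
    if nt_len > 24:
        return "ntlmv2-style"       # 16-byte HMAC plus a variable-length blob
    return "other"                  # 0..23 bytes: anonymous, LM-only or plaintext

def build_sample(nt_len: int, lm_len: int = 24) -> bytes:
    """Constructed request with zero-filled responses, for exercising the classifier."""
    header = b"\xffSMB" + bytes([SESSION_SETUP_ANDX]) + bytes(27)
    # AndXCommand, AndXReserved, AndXOffset, MaxBufferSize, MaxMpxCount, VcNumber,
    # SessionKey, LM response length, NT response length, Reserved, Capabilities
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 0, 0, lm_len, nt_len, 0, 0)
    data = bytes(lm_len + nt_len) + b"foo\x00"    # responses, then a sample account name
    return header + bytes([13]) + words + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    for n in (24, 58, 0):
        print(n, classify_session_setup(build_sample(n)))
```

A 24-byte NT response also covers NTLMv1 variants that differ only in how the response is computed, so the length alone separates v1-style from v2-style and nothing finer.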