[Samba] NTLMv1 v. NTLMv2 ; more than one "identity" on a TCP connection

Andrew Bartlett abartlet at samba.org
Tue Dec 31 09:37:01 GMT 2002

On Tue, 2002-12-31 at 15:21, Joey Collins wrote:
> Hello,
> Two questions for you this evening.  
> How do you tell the difference between NTLMv1-style authentication and
> NTLMv2 style?  The CIFS dialect NT LM 0.12 does both(?), so does not
> appear in the NegProtRequest message (nor in the flags, near as I could
> tell).  Do you ascertain this by examining the SessionSetupAndX
> message?  If so, what parts?

It's really lame - you look at the length of the NT response :-)  > 24
means NTLMv2

> Is it possible to have more than one CIFS "identity" on a TCP
> connection?  For example, say I open a TCP connection, authenticate
> myself using NegProt/SessionSetupAndX/etc exchanges as user "foo"
> password "bar", can I also establish another identity (i.e., do another
> SessionSetupAndX exchange?) say, "hello" password "world" on the _same_
> TCP connection?  

Yes, but doing a second session setup.  It is done often, particularly
on Win2k Terminal Servers, where that new connection can access the
shares already opened by a previous connection!  (But with the new
vuid's access rights).

> This seems to be enforced on the client-side because if
> you try to connect to a share on a computer using a different identity,
> it complains saying already connected.  But, nothing comes over the
> wire, so it is purely a client-internal decision.  

Yep - just to do with Windows internal password caching.

> In the world of NTLM,
> would the same EncryptionKey be used to respond to the challenge? 
> Exchanging another set of NegProt's is not allowed according to the SNIA
> spec.

Correct.  Or use 'extended security' in which case you might be able to
do another NLTMSSP exchange, and get a different challenge.

> thanks so much, happy new year, and here's to wishing for a peaceful
> 2003.


Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20021231/4d159b75/attachment.bin

More information about the samba mailing list