[Samba] NTLMv1 v. NTLMv2 ; more than one "identity" on a TCPconnection

Joey Collins joeycollins at charter.net
Thu Jan 2 01:54:01 GMT 2003 

Thank you Andrew (and others) for your insight on this.  

Happy new year all, 

peace and thanks, 

Joey.


Andrew Bartlett wrote:
> 
> On Tue, 2002-12-31 at 15:21, Joey Collins wrote:
> > Hello,
> > Two questions for you this evening.
> >
> > How do you tell the difference between NTLMv1-style authentication and
> > NTLMv2 style?  The CIFS dialect NT LM 0.12 does both(?), so does not
> > appear in the NegProtRequest message (nor in the flags, near as I could
> > tell).  Do you ascertain this by examining the SessionSetupAndX
> > message?  If so, what parts?
> 
> It's really lame - you look at the length of the NT response :-)  > 24
> means NTLMv2
> 
> > Is it possible to have more than one CIFS "identity" on a TCP
> > connection?  For example, say I open a TCP connection, authenticate
> > myself using NegProt/SessionSetupAndX/etc exchanges as user "foo"
> > password "bar", can I also establish another identity (i.e., do another
> > SessionSetupAndX exchange?) say, "hello" password "world" on the _same_
> > TCP connection?
> 
> Yes, but doing a second session setup.  It is done often, particularly
> on Win2k Terminal Servers, where that new connection can access the
> shares already opened by a previous connection!  (But with the new
> vuid's access rights).
> 
> > This seems to be enforced on the client-side because if
> > you try to connect to a share on a computer using a different identity,
> > it complains saying already connected.  But, nothing comes over the
> > wire, so it is purely a client-internal decision.
> 
> Yep - just to do with Windows internal password caching.
> 
> > In the world of NTLM,
> > would the same EncryptionKey be used to respond to the challenge?
> > Exchanging another set of NegProt's is not allowed according to the SNIA
> > spec.
> 
> Correct.  Or use 'extended security' in which case you might be able to
> do another NLTMSSP exchange, and get a different challenge.
> 
> > thanks so much, happy new year, and here's to wishing for a peaceful
> > 2003.
> 
> Indeed,
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net
> 
>   ------------------------------------------------------------------------
>                        Name: signature.asc
>    signature.asc       Type: application/pgp-signature
>                 Description: This is a digitally signed message part

More information about the samba mailing list