[Samba] SMB signing

Andrew Bartlett abartlet at samba.org
Thu Dec 23 10:33:32 GMT 2004

On Thu, 2004-12-23 at 19:46, Torbjorn Tornkvist wrote:
> Andrew Bartlett wrote:
> >On Wed, 2004-12-22 at 22:04, Tobbe wrote:
> >  
> >
> >>Hi,
> >>
> >>I wonder if it is possible to setup Samba (client or server)
> >>to use SMB signing (without NTLMv2, NTLMSSP etc).
> >>
> >>I've been trying to do this by setting 'Digital Signing' as a 
> >>requirement on my Windows 2000/2003 servers. With Samba 2.x,
> >>SMB signing seem to not be supported, with Samba 3.x I get this
> >>NTLMSSP stuff.
> >>    
> >>
> >
> >And what is wrong with that?
> >  
> >
> It's nothing wrong with that.
> I just wanted to study how SMB signing is done and the NTLMSSP stuff
> confuses me. 

Then simply turn it off.  'use spnego = no' on the server and 'client
use spnego = no' for the client.

> The reason for my question was that, by looking into the
> CIFS-SNIA tech.ref,  it seems that SMB signing should work with just
> NT/LM (v1 ?) authentication.
> Another question: Does anyone know if the MAC-key (used for
> the signing) is the same as the NT/LM-session key ?

It is.  See the Samba4 code for a bit more detail, there are a few
things that are not quite as you might expect, mostly regarding the 'NT
response' that should form part of the calculation.

Andrew Bartlett

Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20041223/8a7f3a4f/attachment.bin

More information about the samba mailing list