[Samba] How does SMB 3.0 encryption work?

mathias dufresne infractory at gmail.com
Thu Aug 24 09:14:19 UTC 2017


A bit late, I was on vacation, but thank you a lot for this detailed
explanation, Andrew.



2017-08-18 22:04 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Fri, 2017-08-18 at 14:57 +0200, mathias dufresne wrote:
> > Hi,
> >
> > This question is interesting and leads me to another one:
> > As the KDC sends a ticket to the client when trying to authenticate
> > (something which should be decrypted using the user's password), is it
> > possible to brute force this initial ticket locally?
> Yes.  You can also brute force the ticket given to the server, if the
> server has a weak password (we hope not).
> FAST is a Kerberos extension designed to avoid that, by first
> authenticating the workstation to the KDC, and then using a tunnel
> created with that stronger password for your user ticket exchange.
> Samba's Heimdal doesn't support that (modern versions do), but MIT does
> and this is part of the motivation for a move to MIT Kerberos.
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
