linux-cifs.vger.kernel.org archive mirror
From: Andrew Bartlett <abartlet@samba.org>
To: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Cc: smfrench@gmail.com, samba-technical@lists.samba.org,
	linux-cifs@vger.kernel.org
Subject: Re: [linux-cifs-client] Linux CIFS NTLMSSP mount failing against win2k8
Date: Fri, 02 Jul 2010 11:11:47 +1000
Message-ID: <1278033107.2358.23.camel@ruth>
In-Reply-To: <AANLkTil7d6jny1qklx16KtopjjwpCPAw6jECBxmnCfKF@mail.gmail.com>

On Thu, 2010-07-01 at 12:22 -0500, Shirish Pargaonkar wrote:
> On Mon, Jun 28, 2010 at 6:25 PM, Andrew Bartlett <abartlet@samba.org> wrote:
> > On Mon, 2010-06-28 at 17:47 -0500, Shirish Pargaonkar wrote:
> >
> >> When I look at Windows - Windows smb2 traces, the (16 bytes) signature
> >> looks nothing like
> >> version (which is 1), ciphertext of 8 bytes of hmac-md5, sequence number
> >
> > SMB2 SMB Signing does not use the NTLMSSP packet signing algorithm.
> > Instead, like SMB, it takes the session key already calculated and
> > applies a unique-to-SMB2 algorithm to it.  This involves sha256 I
> > think.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                                http://samba.org/~abartlet/
> > Authentication Developer, Samba Team           http://samba.org
> > Samba Developer, Cisco Inc.
> >
> 
> 
> I have had luck with some kernel crypto apis while working on this code.
> I have been able to use arc4 and md5 hash apis successfully while
> not being able to figure out hmac-md5 apis and I had not even
> looked at sha, which I will.
> 
> What is confusing to me is, current cifs code using ntlmv2 within
> ntlmssp authenticates and signs against Windows 2003 server
> successfully.
> 
> But it does not against Windows 7 and Windows 2008 (I do not have
> a Windows Vista installation). I am currently changing the code and
> I am sure I would be able to authenticate using ntlmv2 within ntlmssp.
> Signing is what is confusing.
> 
> With smb2 client also, I can authenticate against Windows 7 and
> Windows 2008 but signing fails.
> 
> So I am confused about what algorithm to use for cifs to sign
> against Windows 7 and Windows 2008 server for ntlmv2 within ntlmssp
> and what algorithm to use for smb2 to sign against a Windows 7
> and Windows 2008 server for ntlmv2 within ntlmssp.
> 
> I have been reading and following MS-NLMP and
> http://davenport.sourceforge.net/ntlm.html

The trick here is only to follow these up to the point at which the
master key is generated, not the signing or sealing keys.  The master
key (16 bytes) is the input to the special SMB and SMB2 signing algorithms.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
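
Added example, not part of the original message and not code from cifs or Samba: a sketch of SMB2 packet signing for the SMB 2.0.2/2.1 dialects, where the 16-byte session key from the NTLM exchange keys HMAC-SHA256 over the whole message with the header's signature field zeroed, and the first 16 bytes of the result become the signature. The key, header values and body below are constructed, and the helper names are hypothetical.

```python
import hashlib
import hmac
import struct

SIG_OFF, SIG_LEN = 48, 16        # Signature field in the 64-byte SMB2 header
FLAGS_OFF = 16
SMB2_FLAGS_SIGNED = 0x00000008

def build_header(command, message_id, session_id, tree_id=0):
    """Constructed SMB2 sync header: signed flag set, signature zeroed."""
    return struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, command, 1,
                       SMB2_FLAGS_SIGNED, 0, message_id, 0, tree_id,
                       session_id, bytes(SIG_LEN))

def smb2_signature(session_key, message):
    """HMAC-SHA256 over the message with the signature field zeroed,
    keyed with the 16-byte session key, truncated to 16 bytes."""
    if len(session_key) != 16:
        raise ValueError("session key must be 16 bytes")
    if len(message) < 64:
        raise ValueError("message shorter than an SMB2 header")
    zeroed = message[:SIG_OFF] + bytes(SIG_LEN) + message[SIG_OFF + SIG_LEN:]
    return hmac.new(session_key, zeroed, hashlib.sha256).digest()[:SIG_LEN]

def sign(session_key, message):
    sig = smb2_signature(session_key, message)
    return message[:SIG_OFF] + sig + message[SIG_OFF + SIG_LEN:]

def verify(session_key, message):
    """Reject short or unsigned messages; compare in constant time."""
    if len(message) < 64:
        return False
    (flags,) = struct.unpack_from("<I", message, FLAGS_OFF)
    if not flags & SMB2_FLAGS_SIGNED:
        return False
    received = message[SIG_OFF:SIG_OFF + SIG_LEN]
    return hmac.compare_digest(received, smb2_signature(session_key, message))

# Constructed sample values, not taken from any trace.
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MESSAGE = build_header(command=0x0003, message_id=2, session_id=0x1122) + b"constructed body"
SIGNED = sign(SESSION_KEY, MESSAGE)

if __name__ == "__main__":
    print("signature:", SIGNED[SIG_OFF:SIG_OFF + SIG_LEN].hex())
    print("verifies:", verify(SESSION_KEY, SIGNED))
```

The 16-byte field here is a plain truncated MAC, which is why it does not resemble the NTLMSSP version/checksum/sequence-number layout mentioned earlier in the thread.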
