|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Display Modes |
Web Development Archives Sponsor:
|
|
|
|
#1
July 1st, 2008, 08:31 PM
|
|||
|
|||
|
Kerberos 5 and NTLMv2 without SPNEGO?
02/07/2008, at 1:49 AM, Gerald (Jerry) Carter wrote:
PGP SIGNED MESSAGE Hash: SHA1 > Michael B Allen wrote: >Dear Cousin, >> >Does anyone know if it's ok to do Kerberos 5 and / or NTLMSSP without >SPNEG for SMB_CM_SESSIN_SETUP_ANDX? >> >I'm 95% sure the answer is "yes" but it would be nice if someone gave >me assuring pat on the head. > Pretty sure. Been a while since I looked but I think this is how Steve previously did NTLMSSP in the cifs fs. I think Windows still does raw NTLMSSP too never seen raw Kerberos though, but SSPI is sufficiently well layered that I would expect it to work. -- Luke
|
|
#2
July 2nd, 2008, 06:32 AM
|
|||
|
|||
|
Kerberos 5 and NTLMv2 without SPNEGO?
02/07/2008, at 5:53 PM, Stefan (metze) Metzmacher wrote:
Luke Howard schrieb: I was able to get raw NTLMSSP w/ NTLMv2 and raw Kerberos 5 working. Hopefully it will work reliably with all the major servers. >> >That's a fair concern, given that a lot of server implementations >were >built from packet traces or incomplete documentation. NetApp, for >example, do not support big-endian PACs (and neither does Samba >unless >that has been fixed recently). > when was that fixed in samba? I don't think we support big-endian PACs in samba4 and I didn't see a related commit in samba3. > What server will ever create a big-endian PAC? None shipping today. XAD did on PWER and S/390. We did have customers on PWER. -- Luke
|
|
#3
July 2nd, 2008, 06:32 AM
|
|||
|
|||
|
Kerberos 5 and NTLMv2 without SPNEGO?
I was able to get raw NTLMSSP w/ NTLMv2 and raw Kerberos 5 working.
Hopefully it will work reliably with all the major servers. That's a fair concern, given that a lot of server implementations were built from packet traces or incomplete documentation. NetApp, for example, do not support big-endian PACs (and neither does Samba unless that has been fixed recently). But I was not able to get NTLMv2 SMB signatures working. From looking at Samba's libsmb code the UserSessionKey calculation described in Eric Glass' NTLM doc is completely different. I'm getting the feeling that SMB just uses it's own rules (as usual). You might take a look at the MS docs too. From memory the first 16 bytes of the Kerberos session key are used. -- Luke
|
|
| Viewing: Web Development Archives > Mailing Lists > Samba > Kerberos 5 and NTLMv2 without SPNEGO? |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
 |
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
Linear Mode
