[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Using GSSAPI to Authenticate SMB Connections
I just mangaged to get mechglue-branch GSSAPI to authenticate an SMB
connection (with signatures) against a W2K3 KDC. It appears that there
are only three changes that deviate from standard GSSAPI behavior to
make it work.
1) The checksum in the AP_REQ in the mechToken is MD5 and not
0x8003. From reading one of the docs/standardisation documents
(draft-ietf-krb-wg-gssapi-cfx-00.txt I think) I believe it suggested
that alternate algorithms and checksums might be determined based on
previous communication. But I'm rather bad at crypto speak so for all
I know the MD5 checksum is simply what you get when you're using MS
and not explicitly using GSSPI.
2) The mechListMIC field in the initial negTokenInit of the
SMB_COM_NEGOTIATE response contains the name of the client wrt the
server (e.g. "myname$"). Andrew Bartlet claims this value is ignored
by MS clients and should continue to be for security reasons but for
completeness I suspect it should be provided. The mechglue-branch already
accomidates this requirement.
3) The initial negTokenInit in the SMB_COM_NEGOTIATE response does not
contain an optimistic mechToken.
I guess I'm just sending this to the list for the benifit of the next
guy. For now I suppose I'll just use custom req_flags or something but
if anyone has suggestions for implementing these changes in a "proper"
way, I'm all ears.