
Using GSSAPI to Authenticate SMB Connections



I just managed to get mechglue-branch GSSAPI to authenticate an SMB
connection (with signatures) against a W2K3 KDC. It appears that there
are only three changes that deviate from standard GSSAPI behavior to
make it work.

1) The checksum in the AP_REQ in the mechToken is MD5 and not
0x8003. From reading one of the docs/standardisation documents
(draft-ietf-krb-wg-gssapi-cfx-00.txt I think) I believe it suggested
that alternate algorithms and checksums might be determined based on
previous communication. But I'm rather bad at crypto speak so for all
I know the MD5 checksum is simply what you get when you're using MS
and not explicitly using GSSAPI.

2) The mechListMIC field in the initial negTokenInit of the
SMB_COM_NEGOTIATE response contains the name of the client wrt the
server (e.g. "myname$"). Andrew Bartlet claims this value is ignored
by MS clients and should continue to be for security reasons but for
completeness I suspect it should be provided. The mechglue-branch already
accommodates this requirement.

3) The initial negTokenInit in the SMB_COM_NEGOTIATE response does not
contain an optimistic mechToken.

I guess I'm just sending this to the list for the benefit of the next
guy. For now I suppose I'll just use custom req_flags or something but
if anyone has suggestions for implementing these changes in a "proper"
way, I'm all ears.

Thanks,
Mike
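The two SPNEGO-level deviations in points 2 and 3 above are easiest to see on the wire. The following is an added example, not code from the mail or from the mechglue branch, Samba, MIT or Heimdal: it hand-rolls enough DER to build a GSS-API initial context token carrying a SPNEGO negTokenInit (the shape given in RFC 4178), and parses one back out so a capture of an SMB_COM_NEGOTIATE response can be checked for an optimistic mechToken and for a name in mechListMIC. The mechanism list and the name "myname$" are constructed sample input; encoding the mechListMIC name as a plain OCTET STRING is an assumption made for the example, not something the mail states about the exact on-the-wire form Windows uses.

```python
"""Build and parse a SPNEGO negTokenInit with hand-rolled DER (constructed example)."""

SPNEGO_OID = "1.3.6.1.5.5.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KRB5_OID = "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    """One TLV element."""
    return bytes([tag]) + der_len(len(body)) + body


def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return der(0x06, body)


def decode_oid(body):
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, [arcs[0] // 40, arcs[0] % 40] + arcs[1:]))


def build_negtokeninit(mech_oids, mech_token=None, mech_list_mic=None):
    """GSS-API InitialContextToken (0x60) wrapping SPNEGO negTokenInit ([0]).

    mech_token=None gives a negTokenInit with no optimistic token (point 3);
    mech_list_mic carries the name from point 2 as an OCTET STRING (assumed
    encoding, see lead-in).
    """
    fields = der(0xA0, der(0x30, b"".join(der_oid(o) for o in mech_oids)))
    if mech_token is not None:
        fields += der(0xA2, der(0x04, mech_token))
    if mech_list_mic is not None:
        fields += der(0xA3, der(0x04, mech_list_mic))
    return der(0x60, der_oid(SPNEGO_OID) + der(0xA0, der(0x30, fields)))


def _tlv(buf, pos):
    """Read one TLV at pos; return (tag, value, next_pos). Rejects truncation."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_negtokeninit(blob):
    """Return mechTypes, mechToken and mechListMIC from a SPNEGO negTokenInit."""
    tag, body, _ = _tlv(blob, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, choice, _ = _tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit ([0])")
    _, fields, _ = _tlv(choice, 0)
    out = {"mechTypes": [], "mechToken": None, "mechListMIC": None}
    pos = 0
    while pos < len(fields):
        tag, val, pos = _tlv(fields, pos)
        if tag == 0xA0:                      # [0] mechTypes
            _, lst, _ = _tlv(val, 0)
            p = 0
            while p < len(lst):
                _, o, p = _tlv(lst, p)
                out["mechTypes"].append(decode_oid(o))
        elif tag == 0xA2:                    # [2] mechToken (optimistic token)
            out["mechToken"] = _tlv(val, 0)[1]
        elif tag == 0xA3:                    # [3] mechListMIC
            out["mechListMIC"] = _tlv(val, 0)[1]
        # [1] reqFlags is not needed here and is skipped
    return out


if __name__ == "__main__":
    # Constructed stand-in for the server's SMB_COM_NEGOTIATE negTokenInit.
    blob = build_negtokeninit([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], mech_list_mic=b"myname$")
    print(blob.hex())
    print(parse_negtokeninit(blob))
```

The parser deliberately ignores reqFlags and raises on anything that is not a SPNEGO initial token, so feeding it a raw Kerberos AP_REQ token fails loudly instead of returning an empty mechanism list. Point 1 (the checksum type inside the AP_REQ authenticator) is not visible at this layer: the authenticator is encrypted under the session key, so it cannot be checked from a capture without the key.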