List:       cifs-protocol
Subject:    [cifs-protocol] RE: 600169 - RE: DCE/RPC PFC_SUPPORT_HEADER_SIGN
From:       Andrew Bartlett <abartlet () samba ! org>
Date:       2008-08-20 1:20:56
Message-ID: 1219195256.3754.36.camel () naomi ! s4 ! naomi ! abartlet ! net

On Mon, 2008-08-11 at 08:41 -0700, Richard Guthrie wrote:
> Andrew,
> Can you send a capture that exhibits the behavior you describe with NTLMv2 as well
> as clarify your comments about behavior you have seen in the past? Basically I
> need as much information as you can provide on the behavior you have experienced to
> help understand the problem. This would help to isolate the behavior you are
> seeing and complete additional analysis as required.

Attached is a trace of running RPC-DSSYNC against Win2k8. You can't tell
without pulling the crypto apart (password is penguin12#) but the header
is signed.

I think this relates to the last paragraph of MS-NLMP 3.4.6:

    For NTLMv1, input data buffers for which sign==TRUE are included in
    the message signature. For NTLMv2, all input data buffers are
    included in the message signature (section 3.4.6.1).

If we got an answer to metze's question about mapping of the DCE/RPC
level to EncryptMessage calls, this might describe the behaviours here.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

["ntlmv2-header-signing-subset.cap" (ntlmv2-header-signing-subset.cap)]
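
The buffer-selection rule quoted above from MS-NLMP 3.4.6, worked through as an added example (not part of the original message and not Samba's code). The three-buffer split of the PDU, the sign flags, the key and all byte values are constructed assumptions; the MAC is the HMAC-MD5 form MS-NLMP defines for extended session security without key exchange, and the page does not say which variant the capture uses.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the attached capture.
SIGNING_KEY = bytes(range(16))  # stand-in for the negotiated signing key

# Hypothetical (data, sign) input buffers for one DCE/RPC request PDU.
PDU = [
    (b"rpc-header(constructed)", False),   # PDU header, not flagged for signing
    (b"stub-data(constructed)", True),     # request body, flagged for signing
    (b"sec-trailer(constructed)", False),  # auth trailer preceding the signature
]


def signed_input(buffers, ntlm_version):
    """Return the bytes covered by the signature under the quoted rule."""
    if ntlm_version == 1:
        # NTLMv1: only buffers with sign==TRUE are included.
        return b"".join(data for data, sign in buffers if sign)
    if ntlm_version == 2:
        # NTLMv2: all input data buffers are included.
        return b"".join(data for data, _ in buffers)
    raise ValueError("ntlm_version must be 1 or 2")


def message_signature(buffers, ntlm_version, seq_num=0, key=SIGNING_KEY):
    """Version(1) || HMAC_MD5(key, SeqNum || Message)[0..7] || SeqNum."""
    seq = struct.pack("<I", seq_num)
    message = signed_input(buffers, ntlm_version)
    checksum = hmac.new(key, seq + message, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + checksum + seq


def header_tamper_detected(ntlm_version):
    """Flip one header byte and report whether the signature changes."""
    header, flag = PDU[0]
    tampered = [(bytes([header[0] ^ 0xFF]) + header[1:], flag)] + PDU[1:]
    original_sig = message_signature(PDU, ntlm_version)
    tampered_sig = message_signature(tampered, ntlm_version)
    return not hmac.compare_digest(original_sig, tampered_sig)


if __name__ == "__main__":
    for version in (1, 2):
        print(f"NTLMv{version}: signature={message_signature(PDU, version).hex()} "
              f"header change detected={header_tamper_detected(version)}")
```

Under the NTLMv1 rule a receiver verifying this signature would not notice a modified header unless the header buffer is passed with sign==TRUE, while under the NTLMv2 rule the header is covered regardless of the flag.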