Re: SMB signing and 2ROT13

[Matthew Geddes]

Andrew Bartlett wrote:

> On Fri, 2006-12-08 at 11:52 -0800, Dave Daugherty wrote:
>  
>
> > I saw this problem when implementing SMB signing on a non Samba product
> > when working against a windows 2000 service pack 2.
> > The windows server negotiated signing, but in fact it did not sign the
> > last session setup and X response and just reflected back what I sent.
> > My workaround was to check if it was the sessionSetupAndX response
> > message and if it reflected back my last signature.
> >
> > In this case I continued to sign my packets, but stopped checking the
> > signatures from the windows 2000 server.
> >    
>
> Hmm, this is an interesting case.  We are a little more optimistic than
> windows in signing the session setup requests.  Windows will start
> signing on the server with the last session setup reply, but sends only
> "BSRSPYL " as the signature on all requests.  The last session setup
> reply should contain a valid signature, unless signing is turned off by
> policy.  
>
> As a rule, when signing is not required by policy, the windows server
> simply echos back the client values.
>  

I'm sure I've seen it echo back the client signature when mandatory 
signing is set on both the Samba client host and the Windows 2003 server 
host. We saw this problem a few months back and set client signing to 
mandatory (which matched the policy on the DC), which did make the 
problem go away until yesterday (for a short time).

I don't have control over the DC machine and it is possible that someone 
else is messing about with the machine at the same time.

If the policy doesn't require signing, but it's allowed and has been 
negotiated, would the Window box still echo the client signatures?

thx,
Matt