Joey Collins
2002-Dec-31 04:22 UTC
[Samba] NTLMv1 v. NTLMv2 ; more than one "identity" on a TCP connection
Hello,

Two questions for you this evening.

How do you tell the difference between NTLMv1-style authentication and NTLMv2 style? The CIFS dialect NT LM 0.12 does both(?), so does not appear in the NegProtRequest message (nor in the flags, near as I could tell). Do you ascertain this by examining the SessionSetupAndX message? If so, what parts?

Is it possible to have more than one CIFS "identity" on a TCP connection? For example, say I open a TCP connection, authenticate myself using NegProt/SessionSetupAndX/etc exchanges as user "foo" password "bar", can I also establish another identity (i.e., do another SessionSetupAndX exchange?) say, "hello" password "world" on the _same_ TCP connection? This seems to be enforced on the client-side because if you try to connect to a share on a computer using a different identity, it complains saying already connected. But, nothing comes over the wire, so it is purely a client-internal decision. In the world of NTLM, would the same EncryptionKey be used to respond to the challenge? Exchanging another set of NegProt's is not allowed according to the SNIA spec.

thanks so much, happy new year, and here's to wishing for a peaceful 2003.

Regards,
Joey.
Andrew Bartlett
2002-Dec-31 09:37 UTC
[Samba] NTLMv1 v. NTLMv2 ; more than one "identity" on a TCP connection
On Tue, 2002-12-31 at 15:21, Joey Collins wrote:
> Hello,
> Two questions for you this evening.
>
> How do you tell the difference between NTLMv1-style authentication and
> NTLMv2 style? The CIFS dialect NT LM 0.12 does both(?), so does not
> appear in the NegProtRequest message (nor in the flags, near as I could
> tell). Do you ascertain this by examining the SessionSetupAndX
> message? If so, what parts?

It's really lame - you look at the length of the NT response :-) > 24 means NTLMv2

> Is it possible to have more than one CIFS "identity" on a TCP
> connection? For example, say I open a TCP connection, authenticate
> myself using NegProt/SessionSetupAndX/etc exchanges as user "foo"
> password "bar", can I also establish another identity (i.e., do another
> SessionSetupAndX exchange?) say, "hello" password "world" on the _same_
> TCP connection?

Yes, but doing a second session setup. It is done often, particularly on Win2k Terminal Servers, where that new connection can access the shares already opened by a previous connection! (But with the new vuid's access rights).

> This seems to be enforced on the client-side because if
> you try to connect to a share on a computer using a different identity,
> it complains saying already connected. But, nothing comes over the
> wire, so it is purely a client-internal decision.

Yep - just to do with Windows internal password caching.

> In the world of NTLM,
> would the same EncryptionKey be used to respond to the challenge?
> Exchanging another set of NegProt's is not allowed according to the SNIA
> spec.

Correct.
Or use 'extended security' in which case you might be able to do another NTLMSSP exchange, and get a different challenge.

> thanks so much, happy new year, and here's to wishing for a peaceful
> 2003.

Indeed,

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
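The length check described in the reply above, written out as an added example that is not part of the original thread and not Samba's code. It assumes the 13-word SessionSetupAndX request used with NT LM 0.12 without extended security; the function names `classify_session_setup` and `build_sample` are hypothetical and the sample requests are constructed, not captured.

```python
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
HEADER_LEN = 32   # fixed SMB1 header
PARAMS_LEN = 26   # 13 parameter words (NT LM 0.12, no extended security)

def classify_session_setup(smb: bytes) -> str:
    """Classify a SessionSetupAndX request by the length of its NT response."""
    if len(smb) < HEADER_LEN + 1 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    if smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a SessionSetupAndX request")
    word_count = smb[HEADER_LEN]
    if word_count == 12:
        # Extended security: the response sits inside the security blob.
        return "extended-security"
    if word_count != 13:
        raise ValueError(f"unexpected word count {word_count}")
    data_off = HEADER_LEN + 1 + PARAMS_LEN + 2   # skip ByteCount too
    if len(smb) < data_off:
        raise ValueError("truncated parameter block")
    # Parameter bytes 14-17: case-insensitive (LM) and case-sensitive (NT) lengths.
    lm_len, nt_len = struct.unpack_from("<HH", smb, HEADER_LEN + 1 + 14)
    (byte_count,) = struct.unpack_from("<H", smb, data_off - 2)
    if lm_len + nt_len > byte_count or data_off + byte_count > len(smb):
        raise ValueError("response lengths do not fit the data block")
    if nt_len == 0:
        return "no-nt-response"
    if nt_len > 24:
        return "NTLMv2"          # the rule from the thread: > 24 means NTLMv2
    if nt_len == 24:
        return "NTLMv1-style"
    return "unknown"

def build_sample(lm: bytes, nt: bytes) -> bytes:
    """Constructed sample request, not captured traffic."""
    header = b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX]) + bytes(27)
    params = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 50, 1, 0,
                         len(lm), len(nt), 0, 0)
    data = lm + nt + b"foo\x00"  # responses, then the account name
    return header + bytes([13]) + params + struct.pack("<H", len(data)) + data

if __name__ == "__main__":
    for nt in (bytes(24), bytes(60), b""):
        print(len(nt), classify_session_setup(build_sample(bytes(24), nt)))
```
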
Simo Sorce
2002-Dec-31 09:44 UTC
[Samba] NTLMv1 v. NTLMv2 ; more than one "identity" on a TCP connection
On Tue, 2002-12-31 at 05:21, Joey Collins wrote:
> Hello,
> Two questions for you this evening.
>
> How do you tell the difference between NTLMv1-style authentication and
> NTLMv2 style? The CIFS dialect NT LM 0.12 does both(?), so does not
> appear in the NegProtRequest message (nor in the flags, near as I could
> tell). Do you ascertain this by examining the SessionSetupAndX
> message? If so, what parts?

I let Andrew answer NTLM related questions :)

> Is it possible to have more than one CIFS "identity" on a TCP
> connection? For example, say I open a TCP connection, authenticate
> myself using NegProt/SessionSetupAndX/etc exchanges as user "foo"
> password "bar", can I also establish another identity (i.e., do another
> SessionSetupAndX exchange?) say, "hello" password "world" on the _same_
> TCP connection?

Yes it is possible, and it is what terminal servers do by default.

> This seems to be enforced on the client-side because if
> you try to connect to a share on a computer using a different identity,
> it complains saying already connected. But, nothing comes over the
> wire, so it is purely a client-internal decision.

This is a really stupid client issue. In my opinion a password caching issue in that it seems a Win client associates a password with a machine name. I tried successfully to connect to the same machine with 2 identities using netbios name in first connection and ip number on the second (not sure it works on all MS OSs).

Simo.

--
Simo Sorce - idra@samba.org
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it