[PATCH] s4 libcli: fix NTLMv2 without spnego

Christian M Ambach christian.ambach at de.ibm.com
Thu Apr 7 06:48:36 MDT 2011


"Stefan (metze) Metzmacher" <metze at samba.org> wrote on 03/16/2011 02:20:51 PM:

> >> It seems that there're a lot of callers of NTLMv2_generate_names_blob(),
> >> are you sure the behavior change is correct for all of them?
> >
> > You're right, I forgot to do that.
> > I'll go through all callers and test out if they still work.
> > In case they do, I'll also eliminate the then unused hostname argument to
> > NTLMv2_generate_names_blob().
>
> Wouldn't it make sense to just handle hostname == NULL?

After some more research and investigation, I made the decision to go along
the path you have proposed.
During my research, I have tested with multiple Windows and Samba domain
members against various versions of domain controllers and found that domain
controllers are likely to reject NTLMv2 blobs during non-NTLMSSP
authentication if the blob contains a FQDN or IP address as
MsvAvNbComputerName in the blob.

I do not understand the exact conditions under which the DC will reject the
blob; there seem to be differences between Samba and Windows computer
accounts.
For Samba machine accounts, it will reject it when using an IP address,
while it does not for Windows boxes. Using an invalid name will always lead
to a negative reply to the NetrLogonSamLogonEx call.

So for now, I decided to simply add some checks and if we are attempting
to open a connection with a name that is potentially not a valid netbios
name, just leave out that part of the blob.

I attached some patches with necessary changes, please provide feedback on
them.
Maybe util_net is not the right place to place the check function in.

With the patches, I am now able to run the base.samba3error and
raw.samba3badpath testcases against a Samba domain member using either IP
addresses or FQDN as connection target.

Cheers,
Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-libcli-do-not-announce-NT-error-code-support-when.patch
Type: application/octet-stream
Size: 1027 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110407/f40f77f4/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-lib-util-fix-formatting.patch
Type: application/octet-stream
Size: 4259 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110407/f40f77f4/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-lib-util-add-is_valid_netbiosname.patch
Type: application/octet-stream
Size: 1733 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110407/f40f77f4/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-s4-rpc_server-use-is_valid_netbiosname.patch
Type: application/octet-stream
Size: 1535 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110407/f40f77f4/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-libcli-allow-exclusion-of-netbios-name-in-NTLMV2-blo.patch
Type: application/octet-stream
Size: 1243 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110407/f40f77f4/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0006-s4-libcli-only-use-netbios-name-in-ntlmv2-if-it-seem.patch
Type: application/octet-stream
Size: 3206 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110407/f40f77f4/attachment-0005.obj>
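The approach described in the message above, as an added example that is not part of the mail or of the attached patches: a names blob is built as MS-NLMP AV_PAIRs, and the MsvAvNbComputerName pair is omitted when the connection target does not look like a NetBIOS name. The function names, the validity rules and the pair ordering are assumptions made for illustration, not Samba's is_valid_netbiosname() or NTLMv2_generate_names_blob().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MSV_AV_EOL = 0, MSV_AV_NB_COMPUTER_NAME = 1, MSV_AV_NB_DOMAIN_NAME = 2 }; /* AV_PAIR ids, MS-NLMP */

/* Assumed rule set (not taken from the patches): 1-15 printable ASCII bytes, no space,
 * no '.', none of \ / : * ? " < > |. The no-dot rule filters FQDNs and dotted IPv4. */
static int looks_like_netbios_name(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 15) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c <= 0x20 || c >= 0x7f || strchr(".\\/:*?\"<>|", c)) return 0;
    }
    return 1;
}

/* Append one AV_PAIR: AvId and AvLen as little-endian uint16, then the
 * ASCII value widened to UTF-16LE. Returns the new offset, 0 if it won't fit. */
static size_t put_pair(uint8_t *buf, size_t cap, size_t off, uint16_t id, const char *val)
{
    size_t n = val ? strlen(val) : 0, vlen = 2 * n;
    if (vlen > 0xffff || off > cap || cap - off < 4 + vlen) return 0;
    buf[off++] = (uint8_t)(id & 0xff);   buf[off++] = (uint8_t)(id >> 8);
    buf[off++] = (uint8_t)(vlen & 0xff); buf[off++] = (uint8_t)(vlen >> 8);
    for (size_t i = 0; i < n; i++) { buf[off++] = (uint8_t)val[i]; buf[off++] = 0; }
    return off;
}

/* Build the names blob; the computer-name pair is emitted only when the
 * connection target passes the check. Returns blob length, 0 on overflow. */
size_t build_names_blob(uint8_t *buf, size_t cap, const char *target, const char *domain)
{
    size_t off = put_pair(buf, cap, 0, MSV_AV_NB_DOMAIN_NAME, domain);
    if (off && looks_like_netbios_name(target))
        off = put_pair(buf, cap, off, MSV_AV_NB_COMPUTER_NAME, target);
    return off ? put_pair(buf, cap, off, MSV_AV_EOL, NULL) : 0;
}

int main(void)
{
    uint8_t blob[128];
    const char *targets[] = { "FILESRV01", "filesrv01.example.com", "192.0.2.10" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-22s -> %zu bytes\n", targets[i], build_names_blob(blob, sizeof blob, targets[i], "EXAMPLE"));
    return 0;
}
```
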
