[linux-cifs-client] NTLM Response in the LM field...
Christopher R. Hertel
crh at ubiqx.mn.org
Wed Dec 29 03:30:40 GMT 2004
Regarding an earlier topic...
Regarding the use of the NTLM response in place of the LM Response when
the client has been instructed to *not* send the LM Response, I found this
comment in my own book:
Level 2
NTLM Authentication
The LM Response is not sent by the client. Instead, the NTLM Response
is sent in both password fields. Replacing the LM Response with the
NTLM Response facilitates pass-through authentication. Servers need
only hand the 24-byte contents of the
SESSION_SETUP_ANDX.CaseInsensitivePassword field along to the Domain
Controller.
I remember testing this now. When
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LMCompatibilityLevel
is set to '2', you'd *expect* that the first password field (the LM or
CaseInsensitivePassword field) would be blank.
...but it's not.
Instead, when LM authentication is disabled in favor of NTLM
authentication, the NTLM response is placed in *both* fields... at least
it was on the Windows systems I tested.
So... It's probably not wrong for Samba to ignore the second password
field (the NTLM or CaseSensitivePassword field) when in SECURITY=SERVER
mode. It's also safest if the client includes the NTLM response in both
fields as Windows does.
Just trying to put a final silver nail into that particular coffin.
Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the linux-cifs-client
mailing list