Win 95 Problems
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Wed Jul 7 17:33:22 GMT 1999
On Wed, 7 Jul 1999, Michael Stockman wrote:
> The reason for the problems with samba, current HEAD, and W95 is due
> to an error in smbd/password.c. In function smb_password_ok() there is
> a piece of code:
> if (lp_server_ntlmv2() == False)
> return False;
yep, i know. i changed this to what is outlined below. i added this check
yesterday as someone told me that they were using LANMAN1 with "server
ntlmv2 = true", which is a definite configuration error.
> The NT MD4 password check is done before this and the LM MD4 password
> check is performed after this.
> What this code does is that if your samba is not configured as a ntlm2
> server (this is the default), LM MD4 passwords will not be checked.
> Since these are what W95 sends, it breaks. This should probably be
> removed or changed either to:
> if (lp_server_ntlmv2() == True)
> /* something related to the negotiated protocol, */
> /* I don't know enough about this to write a patch */
> /* if this is the case */
> This would allow older systems than ntlm2 to continue to use LM MD4
> passwords and (possibly, if the code is kept) prevent them in newer
> What I am unclear about is whether ntlm2 is actually a protocol level
> negotiated between the client and the server or something that we
> either are or aren't and everyone else will have to adjust to (which
> they won't?). Looking at the code today the latter seems to be the
> case, but I believe we will have huge integration issues between newer
> and older software if that is our path (so I hope I'm just
> misunderstanding something).
you're misunderstanding something.
ok, i was a little concerned about telling people about ntlmv2 (crypto
issues). but actually, as it uses one-way hashes (a modified version of
hmac_md5, rfc2104.txt) there _are_ no crypto issues [if it used des or
rc4 (two-way, reversible systems) then that would be a different matter].
ntlmv2 is microsoft's latest, more secure authentication mechanism. as it
uses hmac_md5 twice, where md5 is 16 times more computationally expensive
than md4, it is more time consuming to brute-force. the client and server
also mutually validate each other with this system. the server-side
implementation in samba does not do any client validation, although i may
implement this at a later date [check the contents of the client
challenge]. this includes time validation, where the client and server
must be synchronised within a certain range (ms uses +/- 30 minutes).
the default behaviour is currently exactly the same as old versions of
samba: ntlmv2 is disabled by default in all client-side and server-side
code (rpcclient, smbclient, "security = domain", smbd).
MS KB article Q147706:
this article describes in detail how insecure LM#es are, and points you to
URLs where current information and statistics on DES cracking can be
obtained. it outlines how to enable ntlmv2 and why this should be done.
* enable ntlmv2 in nt clients by setting LmCompatibilityLevel registry
setting to 0x1 (equivalent to client ntlmv2 = auto), or 0x3 if you wish to
refuse to talk to down-level servers (equivalent to client ntlmv2 = true).
* enable ntlmv2 in nt servers by setting LmCompatibilityLevel registry
setting to 0x4 (equivalent to server ntlmv2 = auto), or 0x5 if you wish to
refuse to talk to down-level clients (equivalent to server ntlmv2 = true).
does this help?
Luke Kenneth Casson Leighton (lkcl at samba.org)
Samba and Network Development: http://www.cb1.com/~lkcl
Samba Web site: http://samba.org
Internet Security Systems, Inc.: http://www.iss.net
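The ordering problem the two mails discuss, as an added illustration (constructed here; it is not the code of smbd/password.c and not part of the original thread). The NT and LM hash comparisons are stood in for by flags, and the three "server ntlmv2" settings are modelled as an enum so the W95 (LM-only) case can be run against the reported flow and the corrected one.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the smb_password_ok() decision discussed in the
 * thread; it is not Samba's code. The NT and LM hash comparisons are
 * represented by flags so only the ordering/config logic is shown. */
typedef enum { NTLMV2_FALSE, NTLMV2_AUTO, NTLMV2_TRUE } ntlmv2_mode;

struct client_auth {
    bool nt_response_ok;  /* NT MD4 response present and matches */
    bool lm_response_ok;  /* LM response present and matches */
};

/* Constructed clients: a W95 box only sends the LM response. */
static const struct client_auth w95_client = { false, true };
static const struct client_auth nt_client  = { true,  true };

/* Flow reported as broken: the ntlmv2 test sits between the NT and LM
 * checks and fails closed whenever "server ntlmv2" is off (the default),
 * so LM-only clients never reach the LM check. */
static bool password_ok_broken(ntlmv2_mode mode, const struct client_auth *c)
{
    if (c->nt_response_ok)
        return true;
    if (mode == NTLMV2_FALSE)   /* the offending check */
        return false;
    return c->lm_response_ok;
}

/* Corrected flow: only "server ntlmv2 = true" (refuse down-level clients,
 * the LmCompatibilityLevel 0x5 equivalent) blocks the LM fallback;
 * "false" and "auto" keep the old behaviour. */
static bool password_ok_fixed(ntlmv2_mode mode, const struct client_auth *c)
{
    if (c->nt_response_ok)
        return true;
    if (mode == NTLMV2_TRUE)
        return false;
    return c->lm_response_ok;
}

int main(void)
{
    static const char *names[] = { "false", "auto", "true" };
    for (int m = NTLMV2_FALSE; m <= NTLMV2_TRUE; m++)
        printf("server ntlmv2 = %-5s  W95: broken=%d fixed=%d  NT: fixed=%d\n",
               names[m], password_ok_broken(m, &w95_client),
               password_ok_fixed(m, &w95_client),
               password_ok_fixed(m, &nt_client));
    return 0;
}
```

With the default setting the broken flow rejects the W95 client outright, while the corrected flow only rejects it when the admin has explicitly asked to refuse down-level clients.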