3.0.1rcX breaks authentication

Gerald (Jerry) Carter jerry at samba.org
Thu Dec 11 15:50:00 GMT 2003



Beschorner Daniel wrote:
| Outlook 2000 clients can't authenticate against the samba 3.0.0rc2 domain
| controlled Exchange server, rollback to pre3 and it works again.
| Some kind of authentication change in rc???
| I will try to get a log.

The most likely candidate for breakage would be:

(please send me the level 10 log.  Thanks.  --jerry)



2003-11-22 07:19  abartlet

~  * source/: auth/auth.c (1.32.2.25), auth/auth_ntlmssp.c (1.4.2.6),
~  auth/auth_sam.c (1.36.2.25), auth/auth_util.c (1.39.2.49),
~  include/auth.h (1.14.2.7), include/client.h (1.46.2.14),
~  include/includes.h (1.262.2.55), include/ntdomain.h (1.79.2.9),
~  include/ntlmssp.h (1.2.2.10), include/smb.h (1.424.2.57),
~  lib/data_blob.c (1.2.2.4), libads/kerberos_verify.c (1.1.2.30),
~  libsmb/cliconnect.c (1.71.2.46), libsmb/clientgen.c (1.190.2.23),
~  libsmb/clikrb5.c (1.15.2.28), libsmb/clispnego.c (1.11.2.12),
~  libsmb/ntlmssp.c (1.4.2.24), libsmb/ntlmssp_parse.c (1.3.2.6),
~  libsmb/ntlmssp_sign.c (1.1.2.8), libsmb/smb_signing.c (1.4.2.39),
~  libsmb/smbencrypt.c (1.68.2.13), nsswitch/winbindd_cm.c
~  (1.31.2.44), nsswitch/winbindd_pam.c (1.44.2.30),
~  rpc_client/cli_netlogon.c (1.69.2.14), rpc_client/cli_pipe.c
~  (1.79.2.40), rpc_client/cli_samr.c (1.68.2.14),
~  rpc_parse/parse_net.c (1.85.2.18), rpc_parse/parse_samr.c
~  (1.143.2.22), rpc_server/srv_netlog_nt.c (1.57.2.20),
~  rpc_server/srv_pipe.c (1.93.2.26), rpc_server/srv_pipe_hnd.c
~  (1.77.2.9), rpc_server/srv_samr_nt.c (1.86.2.51), smbd/password.c
~  (1.248.2.18), smbd/sesssetup.c (1.50.2.39), utils/ntlm_auth.c
~  (1.6.2.33): Changes all over the shop, but all towards:
~  - NTLM2 support in the server
~  - KEY_EXCH support in the server
~  - variable length session keys.

~  In detail:

~  - NTLM2 is an extension of NTLMv1, that is compatible with
~  existing domain controllers (unlike NTLMv2, which requires
~  a DC upgrade).

~  * This is known as 'NTLMv2 session security' *

~  (This is not yet implemented on the RPC pipes however, so there
~  may well still be issues for PDC setups, particularly around
~  password changes.  We do not fully understand the sign/seal
~  implications of NTLM2 on RPC pipes.)

~  This requires modifications to our authentication subsystem, as
~  we must handle the 'challenge' input into the challenge-response
~  algorithm being changed.  This also needs to be turned off for
~  'security=server', which does not support this.

~  - KEY_EXCH is another 'security' mechanism, whereby the session
~  key actually used by the server is sent by the client, rather
~  than being the shared-secret directly or indirectly.

~  - As both these methods change the session key, the auth
~  subsystem needed to be changed, to 'override' session keys
~  provided by the backend.

~  - There has also been a major overhaul of the NTLMSSP subsystem,
~  to merge the 'client' and 'server' functions, so they both
~  operate on a single structure.  This should help the SPNEGO
~  implementation.

~  - The 'names blob' in NTLMSSP is always in unicode - never in
~  ascii.  Don't make an ascii version ever.
~  - The other big change is to allow variable length session keys.
~  We have always assumed that session keys are 16 bytes long - and
~  padded to this length if shorter.  However, Kerberos session keys
~  are 8 bytes long, when the krb5 login uses DES.

~  * This fix allows SMB signing on machines not yet running MIT
~  KRB5 1.3.1. *

~  - Add better DEBUG() messages to ntlm_auth, warning
~  administrators of misconfigurations that prevent access to the
~  privileged pipe.  This should help reduce some of the 'it just
~  doesn't work' issues.

~  - Fix data_blob_talloc() to behave the same way data_blob() does
~  when passed a NULL data pointer.  (just allocate)

~  REMEMBER to make clean after this commit - I have changed plenty
~  of data structures...
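The two mechanisms the quoted commit message names, NTLM2 session security (the changed challenge input and the derived session key) and KEY_EXCH (the client-chosen session key that overrides whatever the backend produced), worked through as an added Python example following MS-NLMP; this is not Samba's code, the key and challenge constants are constructed stand-ins, and the DESL response over the NT hash is left out.

```python
import hashlib
import hmac

# Constructed stand-ins, not real values. In Samba the session base key is
# MD4(NT hash) from the passdb backend and both challenges are random.
SESSION_BASE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_NONCE = bytes.fromhex("ffeeddccbbaa9988")

def ntlm2_challenge(server_challenge: bytes, client_nonce: bytes) -> bytes:
    """NTLM2 session security: the challenge fed into the NTLMv1 DESL step is
    MD5(server_challenge || client_nonce)[:8], not the server's 8 bytes."""
    return hashlib.md5(server_challenge + client_nonce).digest()[:8]

def ntlm2_lm_response(client_nonce: bytes) -> bytes:
    """The 24-byte LM response field is reused to carry the client nonce
    plus 16 zero bytes, so the server can recompute the same challenge."""
    return client_nonce + bytes(16)

def key_exchange_key(base_key, server_challenge, lm_response):
    """NTLM2 session key: HMAC-MD5(base key, server challenge || nonce)."""
    return hmac.new(base_key, server_challenge + lm_response[:8],
                    hashlib.md5).digest()

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); symmetric, so the same call decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)

def client_key_exch(base_key, server_challenge, client_nonce, new_key):
    """KEY_EXCH, client side: pick the session key and send it RC4-encrypted
    under the NTLM2 key exchange key."""
    lm = ntlm2_lm_response(client_nonce)
    return rc4(key_exchange_key(base_key, server_challenge, lm), new_key)

def server_session_key(base_key, server_challenge, lm_response, enc_key=None):
    """Server side: the key the backend derived is overridden first by the
    NTLM2 HMAC and, if KEY_EXCH was negotiated, by the client-sent key."""
    kek = key_exchange_key(base_key, server_challenge, lm_response)
    return rc4(kek, enc_key) if enc_key else kek
```

Without KEY_EXCH the server uses the HMAC-derived key directly; with it, the backend's key only protects the transport of the key the client actually chose.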



More information about the samba-technical mailing list