3.0.1rcX breaks authentication
Gerald (Jerry) Carter
jerry at samba.org
Thu Dec 11 15:50:00 GMT 2003
Beschorner Daniel wrote:
| Outlook 2000 clients can't authenticate against the samba 3.0.0rc2
| domain-controlled Exchange server, rollback to pre3 and it works again.
| Some kind of authentication change in rc???
| I will try to get a log.
The most likely candidate for breakage would be:
(please send me the level 10 log. Thanks. --jerry)
2003-11-22 07:19 abartlet

  * source/: auth/auth.c (126.96.36.199), auth/auth_ntlmssp.c (188.8.131.52),
  auth/auth_sam.c (184.108.40.206), auth/auth_util.c (220.127.116.11),
  include/auth.h (18.104.22.168), include/client.h (22.214.171.124),
  include/includes.h (1.262.2.55), include/ntdomain.h (126.96.36.199),
  include/ntlmssp.h (188.8.131.52), include/smb.h (1.424.2.57),
  lib/data_blob.c (184.108.40.206), libads/kerberos_verify.c (220.127.116.11),
  libsmb/cliconnect.c (18.104.22.168), libsmb/clientgen.c (22.214.171.124),
  libsmb/clikrb5.c (126.96.36.199), libsmb/clispnego.c (188.8.131.52),
  libsmb/ntlmssp.c (184.108.40.206), libsmb/ntlmssp_parse.c (220.127.116.11),
  libsmb/ntlmssp_sign.c (18.104.22.168), libsmb/smb_signing.c (22.214.171.124),
  libsmb/smbencrypt.c (126.96.36.199), nsswitch/winbindd_cm.c
  (188.8.131.52), nsswitch/winbindd_pam.c (184.108.40.206),
  rpc_client/cli_netlogon.c (220.127.116.11), rpc_client/cli_pipe.c
  (18.104.22.168), rpc_client/cli_samr.c (22.214.171.124),
  rpc_parse/parse_net.c (126.96.36.199), rpc_parse/parse_samr.c
  (188.8.131.52), rpc_server/srv_netlog_nt.c (184.108.40.206),
  rpc_server/srv_pipe.c (220.127.116.11), rpc_server/srv_pipe_hnd.c
  (18.104.22.168), rpc_server/srv_samr_nt.c (22.214.171.124), smbd/password.c
  (126.96.36.199), smbd/sesssetup.c (188.8.131.52), utils/ntlm_auth.c
  (184.108.40.206): Changes all over the shop, but all towards:
    - NTLM2 support in the server
    - KEY_EXCH support in the server
    - variable length session keys.

  In detail:

  - NTLM2 is an extension of NTLMv1, that is compatible with
    existing domain controllers (unlike NTLMv2, which requires
    a DC upgrade).

    * This is known as 'NTLMv2 session security' *

    (This is not yet implemented on the RPC pipes however, so there
    may well still be issues for PDC setups, particularly around
    password changes. We do not fully understand the sign/seal
    implications of NTLM2 on RPC pipes.)

    This requires modifications to our authentication subsystem, as
    we must handle the 'challenge' input into the challenge-response
    algorithm being changed. This also needs to be turned off for
    'security=server', which does not support this.

  - KEY_EXCH is another 'security' mechanism, whereby the session
    key actually used by the server is sent by the client, rather
    than being the shared-secret directly or indirectly.

  - As both these methods change the session key, the auth
    subsystem needed to be changed, to 'override' session keys
    provided by the backend.

  - There has also been a major overhaul of the NTLMSSP subsystem,
    to merge the 'client' and 'server' functions, so they both
    operate on a single structure. This should help the SPNEGO

  - The 'names blob' in NTLMSSP is always in unicode - never in
    ascii. Don't make an ascii version ever.

  - The other big change is to allow variable length session keys.
    We have always assumed that session keys are 16 bytes long - and
    padded to this length if shorter. However, Kerberos session keys
    are 8 bytes long, when the krb5 login uses DES.

    * This fix allows SMB signing on machines not yet running MIT
    KRB5 1.3.1. *

  - Add better DEBUG() messages to ntlm_auth, warning
    administrators of misconfigurations that prevent access to the
    privileged pipe. This should help reduce some of the 'it just
    doesn't work' issues.

  - Fix data_blob_talloc() to behave the same way data_blob() does
    when passed a NULL data pointer. (just allocate)

  REMEMBER to make clean after this commit - I have changed plenty
  of data structures...