3.0.1rcX breaks authentication
Gerald (Jerry) Carter
jerry at samba.org
Thu Dec 11 15:50:00 GMT 2003
Beschorner Daniel wrote:
| Outlook 2000 clients can't authenticate against the samba 3.0.0rc2 domain
| controlled Exchange server, rollback to pre3 and it works again.
| Some kind of authentication change in rc???
| I will try to get a log.
The most likely candidate for breakage would be:
(please send me the level 10 log. Thanks. --jerry)
2003-11-22 07:19 abartlet
~ * source/: auth/auth.c (1.32.2.25), auth/auth_ntlmssp.c (1.4.2.6),
~ auth/auth_sam.c (1.36.2.25), auth/auth_util.c (1.39.2.49),
~ include/auth.h (1.14.2.7), include/client.h (1.46.2.14),
~ include/includes.h (1.262.2.55), include/ntdomain.h (1.79.2.9),
~ include/ntlmssp.h (1.2.2.10), include/smb.h (1.424.2.57),
~ lib/data_blob.c (1.2.2.4), libads/kerberos_verify.c (1.1.2.30),
~ libsmb/cliconnect.c (1.71.2.46), libsmb/clientgen.c (1.190.2.23),
~ libsmb/clikrb5.c (1.15.2.28), libsmb/clispnego.c (1.11.2.12),
~ libsmb/ntlmssp.c (1.4.2.24), libsmb/ntlmssp_parse.c (1.3.2.6),
~ libsmb/ntlmssp_sign.c (1.1.2.8), libsmb/smb_signing.c (1.4.2.39),
~ libsmb/smbencrypt.c (1.68.2.13), nsswitch/winbindd_cm.c
~ (1.31.2.44), nsswitch/winbindd_pam.c (1.44.2.30),
~ rpc_client/cli_netlogon.c (1.69.2.14), rpc_client/cli_pipe.c
~ (1.79.2.40), rpc_client/cli_samr.c (1.68.2.14),
~ rpc_parse/parse_net.c (1.85.2.18), rpc_parse/parse_samr.c
~ (1.143.2.22), rpc_server/srv_netlog_nt.c (1.57.2.20),
~ rpc_server/srv_pipe.c (1.93.2.26), rpc_server/srv_pipe_hnd.c
~ (1.77.2.9), rpc_server/srv_samr_nt.c (1.86.2.51), smbd/password.c
~ (1.248.2.18), smbd/sesssetup.c (1.50.2.39), utils/ntlm_auth.c
~ (1.6.2.33): Changes all over the shop, but all towards: - NTLM2
~ support in the server - KEY_EXCH support in the server -
~ variable length session keys.
~ In detail:
~ - NTLM2 is an extension of NTLMv1, that is compatible with
~ existing domain controllers (unlike NTLMv2, which requires
~ a DC upgrade).
~ * This is known as 'NTLMv2 session security' *
~ (This is not yet implemented on the RPC pipes however, so there
~ may well still be issues for PDC setups, particularly around
~ password changes. We do not fully understand the sign/seal
~ implications of NTLM2 on RPC pipes.)
~ This requires modifications to our authentication subsystem, as
~ we must handle the 'challenge' input into the challenge-response
~ algorithm being changed. This also needs to be turned off for
~ 'security=server', which does not support this.
~ - KEY_EXCH is another 'security' mechanism, whereby the session
~ key actually used by the server is sent by the client, rather
~ than being the shared-secret directly or indirectly.
~ - As both these methods change the session key, the auth
~ subsystem needed to be changed, to 'override' session keys
~ provided by the backend.
~ - There has also been a major overhaul of the NTLMSSP subsystem,
~ to merge the 'client' and 'server' functions, so they both
~ operate on a single structure. This should help the SPNEGO
~ implementation.
~ - The 'names blob' in NTLMSSP is always in unicode - never in
~ ascii. Don't make an ascii version ever.
~ - The other big change is to allow variable length session keys.
~ We have always assumed that session keys are 16 bytes long - and
~ padded to this length if shorter. However, Kerberos session keys
~ are 8 bytes long, when the krb5 login uses DES.
~ * This fix allows SMB signing on machines not yet running MIT
~ KRB5 1.3.1. *
~ - Add better DEBUG() messages to ntlm_auth, warning
~ administrators of misconfigurations that prevent access to the
~ privileged pipe. This should help reduce some of the 'it just
~ doesn't work' issues.
~ - Fix data_blob_talloc() to behave the same way data_blob() does
~ when passed a NULL data pointer. (just allocate)
~ REMEMBER to make clean after this commit - I have changed plenty
~ of data structures...
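The NTLM2 and KEY_EXCH changes described in the log above, as an added Python example that is not Samba's own (C) code: the server substitutes the NTLM2 challenge before the backend verifies the response and then overrides the backend's session key. It assumes the MS-NLMP layout in which the client's 8-byte nonce occupies the start of the LM response field, takes the backend-derived key as an input rather than computing it from the password hash, and uses constructed sample values throughout.

```python
import hashlib
import hmac

# NTLMSSP negotiate flags, values as defined in MS-NLMP.
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000     # "NTLMv2 session security"
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; KEY_EXCH wraps the client-chosen session key with it."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def effective_challenge(flags: int, server_challenge: bytes, lm_response: bytes) -> bytes:
    """Challenge actually fed into the NTLMv1 challenge-response algorithm.
    Under NTLM2 the client's 8-byte nonce sits in the LM response field and
    both ends use MD5(server_challenge || nonce)[:8] instead of the raw
    server challenge, so the server substitutes it before the backend verifies."""
    if flags & NTLMSSP_NEGOTIATE_NTLM2:
        return hashlib.md5(server_challenge + lm_response[:8]).digest()[:8]
    return server_challenge

def final_session_key(flags, backend_key, server_challenge, lm_response, wrapped=b""):
    """Override the backend-supplied session key as NTLM2 and KEY_EXCH require.
    backend_key is whatever the auth backend derived (16 bytes for NTLM; a
    DES Kerberos login yields 8, used at its real length, never padded)."""
    key = backend_key
    if flags & NTLMSSP_NEGOTIATE_NTLM2:
        key = hmac.new(key, server_challenge + lm_response[:8], hashlib.md5).digest()
    if flags & NTLMSSP_NEGOTIATE_KEY_EXCH:
        key = rc4(key, wrapped)   # client sent its own random key, RC4-wrapped
    return key

def demo(flags: int) -> dict:
    """Constructed exchange: client wraps a random key, server derives the same one."""
    server_challenge = bytes.fromhex("0123456789abcdef")            # constructed
    lm_response = bytes.fromhex("fedcba9876543210") + bytes(16)     # nonce + zeros
    backend_key = bytes(range(16))                                   # constructed stand-in
    random_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    # Client side: derive the key-exchange key and wrap the random key under it.
    kx_key = final_session_key(flags & ~NTLMSSP_NEGOTIATE_KEY_EXCH, backend_key, server_challenge, lm_response)
    wrapped = rc4(kx_key, random_key) if flags & NTLMSSP_NEGOTIATE_KEY_EXCH else b""
    # Server side: same derivation, then unwrap what the client sent.
    return {"challenge": effective_challenge(flags, server_challenge, lm_response),
            "session_key": final_session_key(flags, backend_key, server_challenge, lm_response, wrapped),
            "client_random_key": random_key}
```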