FW: [Samba] NTLMv2 in Samba 3.0

Andrew Bartlett abartlet at samba.org
Fri Nov 7 00:05:27 GMT 2003 

On Fri, 2003-11-07 at 07:19, Jeremy Allison wrote:
> On Thu, Nov 06, 2003 at 07:20:30PM +0000, Andrew Bartlett wrote:
> > On Thu, Nov 06, 2003 at 07:06:58PM +0000, Jeremy Allison wrote:
> > > On Thu, Nov 06, 2003 at 01:29:08PM +0100, Stefan Metzmacher wrote:
> > > > 
> > > > This is because we doesn't support NTLM2 Session Response.with value '1'
> > > > http://davenport.sourceforge.net/ntlm.html#theNtlm2SessionResponse
> > > 
> > > Ok, can you explain this a little more please ? It'd be nice
> > > to get this fixed for 3.0.1.
> > 
> > The code in libsmb/ntlmssp.c:ntlmssp_client_challenge() needs to be
> > translated for server-side use in ntlmssp_server_auth().  Note that we
> > are probably going to need to add some fancy logic, if you want
> > 'security=server' to still work, as you will need to change the
> > 'challenge' being submitted to the auth backend.
> 
> Arrgggh. Andrew, I hate you. My brain now *REALLY HURTS*
> trying to understand this horror :-).
> 
> Am I correct in thinking that this is when the client is
> using ntlmv2 auth, we correctly can use ntlm2 session
> security, but when the client is not using ntlmv2, we
> don't correctly handle the ntlm2 session security (which
> is valid in the spec) ?
> 
> I feel ill now :-).

As a server, we do not support the 'NTLM2' NTLMSSP flag.  

We accept NTLMv2 passwords, which are sent by the client, without
negotiation.  

To accept the NTLM2 flag (which is almost unrelated) on the server (and
the consequent improvement in negotiated security) we need to implement
the known algorithms.  Implementing these algorithms will break
'security=server', and as such, this improved security must be disabled
for that configuration, or a better man-in-the-middle attack performed.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20031107/dce09513/attachment.bin

More information about the samba-technical mailing list