[PATCH] Implement NTLM2 and key exchange in Samba's client

Andrew Bartlett abartlet at samba.org
Sat Sep 6 14:50:27 GMT 2003


On Sun, 2003-09-07 at 00:37, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 6 Sep 2003, Andrew Bartlett wrote:
> 
> > Therefore this patch also *disables* the use of NTLMv2 by default.
> > 
> > My hope is that this will fix bug
> > https://bugzilla.samba.org/show_bug.cgi?id=359
> 
> All I care about at this point is that we use NTLMv2 in our client
> code when connecting to a server that supports it.  

There is *no* way to tell this.  The server can't tell us, because it
doesn't know what its DC supports.  The DC can't tell us, because it
doesn't know what the trusted DC supports.  One DC might be Win2k, and
the PDC could be an older NT4. 

> I can't see where this 
> patch help that particular situation at all.  

This patch assists because it provides what windows clients use - NTLM2
session security.  My hope (and you seem to have access to the picky
systems, which is why I'm looking for feedback) is that this
functionality will put us back in line with Windows clients.

> So just disabling 
> client ntlmv2 auth will not solve the problem to get RC3 out.
> Maybe I just overlooked it in your patch, but all I see is key exchange.

I finished and enabled the NTLM2 code, as well as adding key exchange.

The other option is to always try NTLMv2, then fall back to NTLMv1 (and
friends).  This is what Samba-TNG does, I think.  However, this has a
number of major drawbacks - we will cause a number of systems to 'lock
out' users for too many bad passwords, in the same way our
'security=server' code has done in the past.  That, and it's just ugly.

> I thought you had said you would get this straightened out at the CIFS 
> conference.

This is the work I was referring to.  No, I don't have infinite amounts
of time, and yes, I'm back at full-time uni, catching up with the 2
weeks I missed to be at the CIFS conference....

Note that it breaks the (academic interest only) NTLMSSP DCE/RPC client
pipe support, as we don't quite have the signing algorithm sorted.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
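An added worked example, not part of Andrew's patch or of Samba's code, showing the mechanics the mail refers to: the NTLM2 session-security nonce, the key-exchange key, the RC4-wrapped exported session key sent in the AUTHENTICATE message, and the signing scheme that depends on that key (the part the mail says is not yet sorted for the DCE/RPC pipe). It follows the MS-NLMP description. The session base key, challenges and exported session key are constructed values; in the real protocol the session base key is MD4 of the NT hash, which this example does not compute. It also assumes 128-bit keys and that both the extended-session-security and NTLMSSP_NEGOTIATE_KEY_EXCH flags were negotiated.

```python
"""NTLM2 session security, key exchange and signing (MS-NLMP conventions).

Added example, not Samba code.  SESSION_BASE_KEY is a constructed value:
in the real protocol it is MD4 of the NT hash (not computed here).
Assumes 128-bit keys, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and
NTLMSSP_NEGOTIATE_KEY_EXCH negotiated.
"""
import hashlib
import hmac
import struct

# Constructed test values (not real captures).
SESSION_BASE_KEY = bytes(range(0x10, 0x20))
SERVER_CHALLENGE = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
CLIENT_CHALLENGE = b"\xaa" * 8
EXPORTED_SESSION_KEY = bytes(range(0x55, 0x65))   # client's random 16-byte key

CLIENT_SIGN_MAGIC = b"session key to client-to-server signing key magic constant\x00"
CLIENT_SEAL_MAGIC = b"session key to client-to-server sealing key magic constant\x00"


class RC4:
    """RC4 keystream (MS-NLMP's RC4K).  Stateful: a sealing handle keeps its
    keystream position across messages, so each side holds its own."""
    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        out = bytearray()
        for byte in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(byte ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def ntlm2_session_nonce(server_challenge: bytes, client_challenge: bytes) -> bytes:
    """NTLM2 session security: the 8 bytes the NT response is computed over.
    Mixing in a client nonce means the server's challenge alone no longer
    determines the response, which is what defeats precomputed tables."""
    return hashlib.md5(server_challenge + client_challenge).digest()[:8]


def key_exchange_key(session_base_key: bytes, server_challenge: bytes,
                     client_challenge: bytes) -> bytes:
    """KXKEY for NTLMv1 with NTLM2 session security (MS-NLMP 3.4.5.1)."""
    return hmac.new(session_base_key, server_challenge + client_challenge,
                    hashlib.md5).digest()


def wrap_session_key(kxkey: bytes, exported_session_key: bytes) -> bytes:
    """Client side of key exchange: EncryptedRandomSessionKey in AUTHENTICATE."""
    return RC4(kxkey).crypt(exported_session_key)


def unwrap_session_key(kxkey: bytes, encrypted_random_session_key: bytes) -> bytes:
    """Server side: recover ExportedSessionKey (RC4 is its own inverse)."""
    return RC4(kxkey).crypt(encrypted_random_session_key)


def derive_key(exported_session_key: bytes, magic: bytes) -> bytes:
    """SIGNKEY / SEALKEY for extended session security with 128-bit keys."""
    return hashlib.md5(exported_session_key + magic).digest()


def ntlm2_signature(sign_key: bytes, seal_handle: RC4, seq_num: int,
                    message: bytes) -> bytes:
    """NTLMSSP_MESSAGE_SIGNATURE (MS-NLMP 3.4.4.2) with KEY_EXCH negotiated:
    version 1 || RC4(seal_handle, HMAC_MD5(sign_key, seqnum||msg)[:8]) || seqnum."""
    seq = struct.pack("<I", seq_num)
    checksum = hmac.new(sign_key, seq + message, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + seal_handle.crypt(checksum) + seq


def verify_signature(sign_key: bytes, seal_handle: RC4, seq_num: int,
                     message: bytes, signature: bytes) -> bool:
    """Receiver recomputes the signature with its own handle and compares;
    a mismatch means the message, sequence number or keys differ."""
    expected = ntlm2_signature(sign_key, seal_handle, seq_num, message)
    return hmac.compare_digest(expected, signature)


def run_exchange(message: bytes):
    """Both sides of the exchange: returns the key the server recovered,
    the client's signature on `message`, and the server's verdict on it."""
    kxkey = key_exchange_key(SESSION_BASE_KEY, SERVER_CHALLENGE, CLIENT_CHALLENGE)
    encrypted = wrap_session_key(kxkey, EXPORTED_SESSION_KEY)   # client
    server_key = unwrap_session_key(kxkey, encrypted)            # server
    # Each side derives the client-to-server keys from its own copy.
    c_sign = derive_key(EXPORTED_SESSION_KEY, CLIENT_SIGN_MAGIC)
    c_seal = RC4(derive_key(EXPORTED_SESSION_KEY, CLIENT_SEAL_MAGIC))
    s_sign = derive_key(server_key, CLIENT_SIGN_MAGIC)
    s_seal = RC4(derive_key(server_key, CLIENT_SEAL_MAGIC))
    sig = ntlm2_signature(c_sign, c_seal, 0, message)
    return server_key, sig, verify_signature(s_sign, s_seal, 0, message, sig)


if __name__ == "__main__":
    key, sig, ok = run_exchange(b"SMB request body")
    print("server recovered key:", key.hex(), "signature ok:", ok)
```

Two points the code makes concrete: the key-exchange key binds the exported session key to both challenges, so a server that did not see the same client nonce cannot unwrap it; and the seal handle is a running RC4 state, so signing and verifying must consume keystream in the same order on both ends, which is the sort of detail that breaks a signed DCE/RPC pipe when it is out of step.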