Heads Up On MS04-011
Vincent Valdez
vincentv at microsoft.com
Fri Apr 30 12:36:36 GMT 2004
Hello. My name is Vincent Valdez. I am an escalation engineer for
Microsoft. Some of our customers are also Samba users, so I just wanted
to give you a heads up on an issue that we are seeing with MS04-011. I
hope this is isn't a duplicate, as I don't subscribe to this mailing
list. I did try to reproduce this problem with Samba, but could not.
However, I have seen this with two other major CIFS implementations. My
overall goal is to discourage users from uninstalling MS04-011, by
understanding the problem, the status, the workaround and how to get
more information.
Problem:
Cannot connect to Non-Microsoft SMB CIFS servers from Microsoft clients
after installing the critical update MS04-011. The session setup will
fail.
C->S : SMB: C session setup & X
S->C : SMB: R session setup & X - NT error, System, Error, Code = (22)
STATUS_MORE_PROCESSING_REQUIRED
C->S : SMB: C logoff & X
Event:
You will see this on the clients when trying to connect:
Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 3034
Date: 10/10/2004
Time: 10:10:10 PM
User: N/A
Computer: MyWin2000SP4CPU
Description:
The redirector was unable to initialize security context or query
context attributes.
Data:
0000: 00080000 00560002 00000000 80000bda
0010: 00000000 c000000d 00000000 00000000
0020: 00000000 00000000 0000047d c000000d
c000000d = STATUS_INVALID_PARAMETER
This is my current understanding of the issue:
Correct behavior:
If you set the lmcompatabilitylevel to 3, you are forcing NTLMv2
Authentication, with LM, NTLM or NTLMv2 Session
If you set the lmcompatabilitylevel to 4, you are forcing NTLMv2
Authentication, with NTLM or NTLMv2 Session
If you set the lmcompatabilitylevel to 5, you are forcing NTLMv2
Authentication, with NTLMv2 Session
MS04-011 Behavior:
If you set the lmcompatabilitylevel to 3, 4 or 5, you are forcing NTLMv2
Authentication, with broken NTLMv2 Session, because you are expecting
TargetInfo that is not required with NTLMv1 or LM. If the smb server
(win2000, XP, 2003) supports NTLMv2 session and authentication, then you
will not have any problems. Early (most) versions of <well known CIFS
vendor> did not support connections that used NTLMv2 session
connections. So <well known CIFS vendor>'s fix is to send back
TargetInfo when it really shouldn't have to and finish up their support
for NTLMv2 session.
Workarounds:
1. Start "Secpol.msc"
2. Expand to "Local Policies"
3. Select the "Security Options" container
4. Edit the "LAN Manager Authentication Level" value as follows:
Change from "Send NTLMv2" * to "Send NTLM"
- NOTE: If this is set somewhere else, it needs to be changed there
as well.
5. Open a command prompt and type: "secedit /refreshpolicy
machine_policy"
6. Wait for App.evt SCECli event indicating the policy refresh, test
or
Change lmcompatabilitylevel to 2
Links:
Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
<http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx>
Publicly, known issues with MS04-011: Security Update for Microsoft
Windows
http://support.microsoft.com/default.aspx?scid=kb;en-us;835732
<http://support.microsoft.com/default.aspx?scid=kb;en-us;835732>
As more information becomes known it will be published in a KB article
that is linked to from MS KB 835732, above.
Lastly, Please do not email me directly. Also, I cannot review code.
This is purely a friendly notice that we are working on this issue and
hope to have it resolved asap. As more information because known, it
will be published in the Microsoft Knowledge Base. If you need
technical support please call Microsoft Product Support Services or use
Microsoft's NNTP servers or groups.
Thanks,
Vincent Valdez
More information about the samba-technical
mailing list