DNS names in NTLMSSP

Andrew Bartlett abartlet at samba.org
Mon Aug 16 05:45:01 GMT 2004


On Fri, 2004-08-13 at 13:41, Qiao Yang wrote:
> In the NTLMSSP Type 2 message, the server is supposed to fill in the
> target DNS full name and DNS domain name in the Target Information
> Data blob.
> 
> My question is: is this information actually used by the 
> NTLMSSP client? Could we just fill in blanks? We see some customers 
> have a broken DNS server, which times out NTLMSSP authentication while 
> the server is doing a DNS lookup for itself to get canonical DNS names.

It never rains, but it pours - Herb Lewis raised the exact same bug with
me in the lab...

> Adding an entry to local /etc/hosts may solve the problem on the server 
> side. But will the client verify the target DNS name at all?

As far as I know, it will not.  However, if the client and PDC did both
validate this information, it would add significantly to the security of
the NTLMv2 system.  (And make it closer to Kerberos in both network
accuracy requirements and in number of sites using it ;-)

The only thing stopping me adding an 'if (lp_hostname_lookups()) {}'
around this call is the testing effort required to validate it against
all clients and servers.  

Feel free to file a bug at least, so it's only lost in the bug database,
and not just in the mailing list archives ;-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
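
Added example, not part of the original post and not Samba code: a parser for the Target Information block of an NTLMSSP Type 2 message that reports which DNS name fields a server left blank. The AV_PAIR ids and field offsets follow the published NTLM message layout; the function names and the host names in the sample data are constructed for illustration.

```python
import struct

# AV_PAIR ids used in the Type 2 target information block.
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN = range(5)
AV_NAMES = {AV_NB_COMPUTER: "nb_computer", AV_NB_DOMAIN: "nb_domain",
            AV_DNS_COMPUTER: "dns_computer", AV_DNS_DOMAIN: "dns_domain"}

def build_target_info(pairs):
    """Encode (av_id, text) pairs as AV_PAIRs and append the terminator."""
    out = b""
    for av_id, text in pairs:
        value = text.encode("utf-16-le")
        out += struct.pack("<HH", av_id, len(value)) + value
    return out + struct.pack("<HH", AV_EOL, 0)

def build_type2(target_info, challenge=b"\x01" * 8, flags=0x00800001):
    """Constructed Type 2 message: empty target name, no version field."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 48)             # TargetName fields
            + struct.pack("<I", flags) + challenge + b"\x00" * 8
            + struct.pack("<HHI", len(target_info), len(target_info), 48)
            + target_info)                              # payload at offset 48

def parse_target_info(msg):
    """Return {field: text} for the name AV_PAIRs in a Type 2 message."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a Type 2 message")
    length, _, offset = struct.unpack_from("<HHI", msg, 40)
    if offset + length > len(msg):
        raise ValueError("target info runs past end of message")
    blob, pos, names = msg[offset:offset + length], 0, {}
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == AV_EOL:
            return names
        if pos + av_len > len(blob):
            raise ValueError("AV_PAIR value runs past end of target info")
        if av_id in AV_NAMES:
            names[AV_NAMES[av_id]] = blob[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    raise ValueError("target info has no terminator")

def blank_dns_fields(names):
    """List the DNS name fields the server left missing or empty."""
    return [k for k in ("dns_computer", "dns_domain") if not names.get(k)]
```

Running the parser over captured Type 2 messages from a server shows whether a DNS lookup failure is being papered over with empty names.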

More information about the samba-technical mailing list