Patch NTLMv2 hash, samba-3.0.2a

Jianliang Lu j.lu at tiesse.com
Thu Mar 18 17:33:40 GMT 2004


On Thu Mar 18 11:55:09 GMT 2004, Andrew Bartlett wrote:

> Given the range of clients out there, I suspect we can't quite do that. 
> But I can do better.  We already test for multiple different variants on
> the NTLMv2 hash, so I'll just add yet another boolean parameter...
> 
> The problem is, the Spec says otherwise, and we have clients that supply
> NTLMv2 via things other than NTLMSSP.  
> 
> We need to test what Win2k accepts, but we have found that Win2k and NT4
> are rather bad at NTLMv2.  See, nobody uses it, and MS gets it wrong
> even more than we do (we have workarounds for MS client bugs that even
> their own servers do not have!)
> 
> I've not even compiled the attached patch, but this is how I want to
> deal with this.  On the client side, we will need to try and proceed
> while breaking as few compatibility scenarios as possible...
> 
> Thanks for chasing this down!
> 
> Andrew Bartlett

I've made some small adjustments to your patch in ntlm_check.c, because the 
LMv2 check also calls "smb_pwd_check_ntlmv2". The smbencrypt.c is ok. I've 
tested the patch for both NT and XP, and it worked. I'll also test it for W2K. 
The fixed patch is attached.

Another question about NTLMv2: when I disabled both lanman auth and ntlm 
auth, so that Samba will accept only the NTLMv2 response, the interactive logon 
from the XP client failed. The trace showed me that XP sends an empty NTLM 
response. Is this an MS bug, or did our Samba send some wrong flags?

Jianliang Lu

TieSse s.p.a.     Ivrea (To) - Italy
j.lu at tiesse.com   luj at libero.it
http://www.tiesse.com
-------------- next part --------------
--- samba-3.0.2a/source/libsmb/ntlm_check.c.orig    Thu Mar 18 14:39:36 2004
+++ samba-3.0.2a/source/libsmb/ntlm_check.c Thu Mar 18 15:04:14 2004
@@ -85,6 +85,7 @@
                 const uchar *part_passwd,
                 const DATA_BLOB *sec_blob,
                 const char *user, const char *domain,
+                BOOL upper_case_domain /* should the domain be transformed into upper
 case? */,
                 DATA_BLOB *user_sess_key)
 {
    /* Finish the encryption of part_passwd. */
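Review bot: the pasted patch has been line-wrapped by the mailer: the new `BOOL upper_case_domain /* ... */` parameter line is split in two, while the hunk header `@@ -85,6 +85,7 @@` counts a single added line, so `patch` will reject this hunk unless the file is resent unwrapped (the two long DEBUG lines further down are wrapped the same way). Separately, a multi-line explanation inside the parameter list is hard to read; a plain `BOOL upper_case_domain,` with the flag's purpose described in the function's comment block would be clearer.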
@@ -122,7 +123,7 @@

    memcpy(client_response, ntv2_response->data, sizeof(client_response));

-   if (!ntv2_owf_gen(part_passwd, user, domain, kr)) {
+   if (!ntv2_owf_gen(part_passwd, user, domain, upper_case_domain, kr)) {
        return False;
    }

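Review bot: `ntv2_owf_gen` is now called with the extra `upper_case_domain` argument, but its changed definition and prototype are not part of this diff; the mail says the smbencrypt.c half of the original patch is kept as is, so this hunk only builds on top of that, which is worth stating in the patch description so nobody applies the ntlm_check.c change alone.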
@@ -235,13 +236,24 @@
    if (nt_response->length >= 24 && nt_pw) {
        if (nt_response->length > 24) {
            /* We have the NT MD4 hash challenge available - see if we can
-              use it (ie. does it exist in the smbpasswd file).
+              use it
            */
            DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with domain [%s]\n
", client_domain));
            if (smb_pwd_check_ntlmv2( nt_response,
                          nt_pw, challenge,
-                     client_username,
+                         client_username,
+                         client_domain,
+                         False,
+                         user_sess_key)) {
+               return NT_STATUS_OK;
+           }
+
+           DEBUG(4,("ntlm_password_check: Checking NTLMv2 password with uppercased ve
rsion of domain [%s]\n", client_domain));
+           if (smb_pwd_check_ntlmv2( nt_response,
+                         nt_pw, challenge,
+                         client_username,
                          client_domain,
+                         True,
                          user_sess_key)) {
                return NT_STATUS_OK;
            }
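Review bot: the comment edit at the top of the hunk leaves `We have the NT MD4 hash challenge available - see if we can use it` as a half-thought once the `(ie. does it exist in the smbpasswd file)` clause is dropped; if that clause was wrong, replace it with the reason for the two passes (the DEBUG strings are currently the only place that says the domain is retried in uppercased form). The `client_username,` line is removed and re-added with only its indentation changed, which is whitespace noise in the diff. Also note the behaviour change: a response that does not verify now costs the server two NTLMv2 computations (domain as sent, then uppercased) instead of one; cheap, but it belongs in the commit message.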
@@ -251,6 +263,7 @@
                          nt_pw, challenge,
                          client_username,
                          "",
+                         False,
                          user_sess_key)) {
                return NT_STATUS_OK;
            } else {
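Review bot: passing `False` for the empty-domain fallback (`""`) is right, since uppercasing an empty string changes nothing and a second pass would only repeat the first; a one-line comment saying so would stop a later reader from "fixing" it by adding the `True` pass that the hunk above has.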
@@ -334,6 +347,17 @@
                  nt_pw, challenge,
                  client_username,
                  client_domain,
+                 False,
+                 NULL)) {
+       return NT_STATUS_OK;
+   }
+
+   DEBUG(4,("ntlm_password_check: Checking LMv2 password with uppercased version doma
in %s\n", client_domain));
+   if (smb_pwd_check_ntlmv2( lm_response,
+                 nt_pw, challenge,
+                 client_username,
+                 client_domain,
+                 True,
                  NULL)) {
        return NT_STATUS_OK;
    }
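Review bot: the new DEBUG text `Checking LMv2 password with uppercased version domain %s` is missing "of" and the brackets the NTLMv2 message uses (`[%s]`); make it `Checking LMv2 password with uppercased version of domain [%s]` so both log lines match the same pattern. This DEBUG line is also mailer-wrapped in the pasted patch (split after `doma`), so it will not apply as shown.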
@@ -343,6 +367,7 @@
                  nt_pw, challenge,
                  client_username,
                  "",
+                 False,
                  NULL)) {
        return NT_STATUS_OK;
    }   
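As an added example that is not part of this thread or of Samba's code: the server-side NTLMv2 check the patch adjusts, written in Python with the two-pass domain-case handling the hunks add. The key derivation follows MS-NLMP's NTOWFv2 (HMAC-MD5 keyed with the stored NT hash over UTF-16LE of the uppercased user name plus the domain); the NT hash, challenge and client blob are constructed sample values, and the function names are mine, not Samba's.

```python
import hmac
import hashlib


def ntowf_v2(nt_hash, user, domain, upper_case_domain):
    """NTLMv2 key (kr): HMAC-MD5 keyed with the stored NT hash over
    UTF-16LE(upper(user) + domain), per MS-NLMP NTOWFv2. The domain is
    uppercased only when upper_case_domain is set, mirroring the flag the
    patch threads into ntv2_owf_gen (assumed equivalent behaviour)."""
    dom = domain.upper() if upper_case_domain else domain
    msg = (user.upper() + dom).encode("utf-16-le")
    return hmac.new(nt_hash, msg, hashlib.md5).digest()


def ntlmv2_response(kr, server_challenge, client_blob):
    """What a client sends: HMAC-MD5(kr, challenge || blob) followed by the blob."""
    proof = hmac.new(kr, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


def check_ntlmv2(nt_hash, response, server_challenge, user, domain, upper_case_domain):
    """Server-side check of one domain-case variant (the role of smb_pwd_check_ntlmv2)."""
    if len(response) <= 16:           # need the 16-byte proof plus a non-empty blob
        return False
    client_proof, client_blob = response[:16], response[16:]
    kr = ntowf_v2(nt_hash, user, domain, upper_case_domain)
    expected = hmac.new(kr, server_challenge + client_blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, client_proof)   # constant-time compare


def check_ntlmv2_any_case(nt_hash, response, server_challenge, user, domain):
    """The two-pass check the patch introduces: domain as sent, then uppercased."""
    return (check_ntlmv2(nt_hash, response, server_challenge, user, domain, False)
            or check_ntlmv2(nt_hash, response, server_challenge, user, domain, True))


# Constructed sample values (not real credentials): stored NT hash, 8-byte
# server challenge, a client blob, and a client that keyed with "TIESSE".
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + bytes(16)
USER, DOMAIN_SENT = "jlu", "tiesse"
CLIENT_RESPONSE = ntlmv2_response(ntowf_v2(NT_HASH, USER, DOMAIN_SENT, True), CHALLENGE, BLOB)

if __name__ == "__main__":
    print("as-sent domain case:", check_ntlmv2(NT_HASH, CLIENT_RESPONSE, CHALLENGE, USER, DOMAIN_SENT, False))
    print("two-pass check:     ", check_ntlmv2_any_case(NT_HASH, CLIENT_RESPONSE, CHALLENGE, USER, DOMAIN_SENT))
```

The first pass fails because the client keyed with "TIESSE" while the server was told "tiesse"; the uppercased pass matches, which is exactly the client-compatibility case the patch is covering.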

