Patch NTLMv2 hash, samba-3.0.2a

Andrew Bartlett abartlet at
Thu Mar 18 21:06:32 GMT 2004

On Fri, 2004-03-19 at 04:33, Jianliang Lu wrote:
> On Thu Mar 18 11:55:09 GMT 2004, Andrew Bartlett wrote:
> > Given the range of clients out there, I suspect we can't quite do that. 
> > But I can do better.  We already test for multiple different variants on
> > the NTLMv2 hash, so I'll just add yet another boolean parameter...
> > 
> > The problem is, the Spec says otherwise, and we have clients that supply
> > NTLMv2 via things other than NTLMSSP.  
> > 
> > We need to test what Win2k accepts, but we have found that Win2k and NT4
> > are rather bad at NTLMv2.  See, nobody uses it, and MS gets it wrong
> > even more than we do (we have workarounds for MS client bugs that even
> > their own servers do not have!)
> > 
> > I've not even compiled the attached patch, but this is how I want to
> > deal with this.  On the client side, we will need to try and proceed
> > while breaking as few compatibility scenarios as possible...
> > 
> > Thanks for chasing this down!
> > 
> > Andrew Bartlett
> I've made some small adjustments to your patch in ntlm_check.c, because 
> the LMv2 check also calls "smb_pwd_check_ntlmv2". The smbencrypt.c is ok. I've 
> tested the patch for both NT and XP, it worked. I'll test it also for W2K. 
> Fixed patch is attached.

Thanks.  We need the client tested against the same combinations.

> Another question about NTLMv2: when I disabled both lanman auth and ntlm 
> auth, so samba will accept only the NTLMv2 response, the interactive logon 
> failed from the client XP. The trace showed me that XP sends the empty NTLM 
> response. This may be a MS bug or our Samba sent some wrong flags?

Samba bug, #169.  It is not hard to fix, we just need to stop hashing
the interactive login into NTLM responses.  The reason I didn't just put
in a quick hack is that we also need to forward the interactive response
to our DC, if we get a plaintext password (such as via pam_winbind).  We
currently make an NTLM challenge/response for such logins, but that
breaks this kind of thing ;-)

(We do so because the method for communicating with the DC may not be
secure, but we have since added schannel support.  I wish it were
mandatory by default...)

The patch looks good, apart from where it got eaten by your mailer ;-)

I'll get around to applying it soon.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
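
The server-side check discussed in this thread, where several NTLMv2 hash variants are tried and a boolean selects upper-casing of the domain, sketched as an added example; it is not the patch from this thread or Samba's code. The function names, the order of the variants and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

def ntv2_owf(nt_hash, user, domain, upper_case_domain):
    """NTLMv2 hash: HMAC-MD5 keyed by the NT hash over UTF-16LE(UPPER(user) + domain)."""
    if upper_case_domain:  # the extra boolean discussed in the thread
        domain = domain.upper()
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()

def make_response(owf, server_challenge, client_blob):
    """Client side: 16-byte HMAC-MD5 proof followed by the client blob."""
    proof = hmac.new(owf, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob

def check_ntlmv2(nt_hash, user, domain, server_challenge, response):
    """Server side: return the name of the hash variant that matches, else None."""
    if len(response) <= 16:
        return None  # no client blob or challenge present, e.g. an empty response
    proof, blob = response[:16], response[16:]
    variants = [  # assumed order for this example
        ("domain as sent", domain, False),
        ("upper-cased domain", domain, True),
        ("empty domain", "", False),
    ]
    for name, dom, upper in variants:
        owf = ntv2_owf(nt_hash, user, dom, upper)
        expected = hmac.new(owf, server_challenge + blob, hashlib.md5).digest()
        if hmac.compare_digest(expected, proof):  # constant-time comparison
            return name
    return None

# Constructed sample values, not taken from any real account or capture.
NT_HASH = bytes(range(16))
CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + b"\x11" * 8  # stand-in client blob

if __name__ == "__main__":
    # Three hypothetical clients that hash the domain differently.
    for client_domain, upper in (("Example", False), ("Example", True), ("", False)):
        owf = ntv2_owf(NT_HASH, "alice", client_domain, upper)
        resp = make_response(owf, CHALLENGE, BLOB)
        print(check_ntlmv2(NT_HASH, "alice", "Example", CHALLENGE, resp))
```

The same routine covers the 24-byte LMv2 response, which is a 16-byte proof followed by an 8-byte client challenge.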