Patch NTLMv2 hash, samba-3.0.2a
Andrew Bartlett
abartlet at samba.org
Thu Mar 18 21:06:32 GMT 2004

On Fri, 2004-03-19 at 04:33, Jianliang Lu wrote:
> On Thu Mar 18 11:55:09 GMT 2004, Andrew Bartlett wrote:
>
> > Given the range of clients out there, I suspect we can't quite do that.
> > But I can do better. We already test for multiple different variants on
> > the NTLMv2 hash, so I'll just add yet another boolean parameter...
> >
> > The problem is, the Spec says otherwise, and we have clients that supply
> > NTLMv2 via things other than NTLMSSP.
> >
> > We need to test what Win2k accepts, but we have found that Win2k and NT4
> > are rather bad at NTLMv2. See, nobody uses it, and MS gets it wrong
> > even more than we do (we have workarounds for MS client bugs that even
> > their own servers do not have!)
> >
> > I've not even compiled the attached patch, but this is how I want to
> > deal with this. On the client side, we will need to try and proceed
> > while breaking as few compatibility scenarios as possible...
> >
> > Thanks for chasing this down!
> >
> > Andrew Bartlett
>
> I've made some small adjustments to your patch in ntlm_check.c, because also
> the LMv2 check calls the "smb_pwd_check_ntlmv2". The smbencrypt.c is ok. I've
> tested the patch for both NT and XP, it worked. I'll test it also for W2K.
> Fixed patch is attached.

Thanks. We need the client tested against the same combinations.

> Another question about NTLMv2: when I disabled both lanman auth and ntlm
> auth, so samba will accept only the NTLMv2 response, the interactive logon
> failed from the client XP. The trace showed me that XP sends the empty NTLM
> response. This may be a MS bug or our Samba sent some wrong flags?

Samba bug, #169. It is not hard to fix, we just need to stop hashing
the interactive login into NTLM responses. The reason I didn't just put
in a quick hack is that we also need to forward the interactive response
to our DC, if we get a plaintext password (such as via pam_winbind). We
currently make an NTLM challenge/response for such logins, but that
breaks this kind of thing ;-)

(We do so because the method for communicating with the DC may not be
secure, but we have since added schannel support. I wish it were
mandatory by default...)

The patch looks good, apart from where it got eaten by your mailer ;-)
I'll get around to applying it soon.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net