Issues with cli_session_setup() calling conventions

Gerald (Jerry) Carter jerry at
Thu Jan 20 20:41:22 GMT 2005

Hash: SHA1

Andrew Bartlett wrote:
| Jerry,
| It has been pointed out to me that there are a
| number of problems with the current code for
| cli_session_setup().  Now, the problems are not
| new, but it has recently come up that certain
| security=server setups break it, where the client
| doesn't supply an LM response.  (This came up
| via the cifs-vfs lists).
| The problems revolve around the fact that the value
| of passlen is a very poor indicator for everything.  It
| is currently length of pass, as expecting it to be
| either an LM response (==24), strlen(pass) or strlen
| (pass)+1:
| The bug is that in cli_session_setup_nt1():
| 	if (passlen == 0) {
| 		/* do nothing - guest login */
| 	} else if (passlen != 24) {
| is bogus - the guest login case is already handled in
| cli_session_setup (), and a plaintext password (that
| we should encrypt at this point) of length 24 is
| mishandled.  If the LM password is not supplied, then
| passlen==0, and bad things happen.
| There should only be one place in Samba3 that needs
| to specify the pre- encrypted NT and LM responses,
| and that is the security=server code.
| But the rest of the code now 'handles' the bloated interface,
| as a grep on cli_session_setup() shows.  This all leaves
| me a little uneasy going out to 'fix' it.
| In any case, this is only an issue in security=server,
| which probably explains why nobody noticed in the past.


So what is exactly is your proposal?  Not sure I follow you.
I understand the problem but am not sure what you are asking
me (or you) to do.  I get the feeling that this is one of
those bugs we have that may cost more to fix than it is worth.

Is there a thread URL you can point me to to get caught up
on the discussion?

cheers, jerry
Alleviating the pain of Windows(tm)      -------
GnuPG Key                -----
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -


More information about the samba-technical mailing list