Samba4 NTLMv2 negotiation

Andrew Bartlett abartlet at samba.org
Mon Jun 27 21:53:47 GMT 2005


On Mon, 2005-06-27 at 10:42 -0700, Matt Cobb wrote:
> Is there a way to get Samba4 client/client libs to first negotiate/try
> ntlmv2, then drop down to the less secure protocols if the other side
> does not support ntlmv2?  Looks like the only way to make ntlmv2 happen
> is to have "client ntlmv2 auth = yes" turned on in smb.conf.  However
> this may not work against older clients such as win9x.  Something like
> client ntlmv2 auth = auto or client auth = {ntlmv2, ntlmv1, clear}??

I've considered doing this, but there are a number of points of pain in
such an approach.

The biggest problem is that if the NTLMv2 login fails, all we get back
is LOGON_FAILURE, which would also increment a bad password counter.
This means that for every bad password, we would log in twice, and for a
system where we have a systemic NTLMv2 failure (it is more prone to
failure than NTLM, due to the inclusion of the username/domain in the
response) we would always cause failed logins.

Much as I would love to have an 'automatic' way to handle NTLMv2, I
don't want to go down that route.

A different kettle of fish however is the NTLM2 modified response (part
of NTLM2 session security), where in NTLMSSP we negotiate not to send
the LM password, and to send a client challenge to make up part of the
otherwise unmodified NTLM response.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net