Question on NTLMv2 over SMB

Yimin Chen (ymchen) ymchen at cisco.com
Tue Jun 28 18:50:46 GMT 2005


Hi Chris, Andrew,

After comparing the sniffer traces with/without the proxy, I think the
LMv2 response generated from the client was probably incorrect because it
didn't get the correct server target information in the
NTLMSSP_CHALLENGE message. It doesn't matter for the LM response, because the LM
response does not take the server target information into
consideration.

I will retest the scenario after correcting our code to send back the
server target information, and will let you know the results.

Thank you very much for your help!


Thanks,
Yimin

> -----Original Message-----
> From: Christopher R. Hertel [mailto:crh at ubiqx.mn.org] 
> Sent: Tuesday, June 28, 2005 10:44 AM
> To: Andrew Bartlett
> Cc: Yimin Chen (ymchen); samba-technical at lists.samba.org
> Subject: Re: Question on NTLMv2 over SMB
> 
> On Tue, Jun 28, 2005 at 12:02:48PM +1000, Andrew Bartlett wrote:
> > On Mon, 2005-06-27 at 18:54 -0700, Yimin Chen wrote:
> > > Hi,
> > > 
> > > I am running into problem when trying to test NTLMv2 pass-through 
> > > authentication.
> > > 
> > > I am reading "Implementing CIFS" and according to the section
> > > 15.5.7, if the Domain Controller has "LMCompatibility" set to 0, and I
> > > send an LMv2 response in the CaseInsensitivePassword field in the SMB
> > > Session Setup AndX Request, the Domain Controller should compare the
> > > response with LM, LMv2, NTLM, NTLMv2 responses and find my response
> > > matching with LMv2 and then grant the access.
> > > 
> > > However, in my testing, I noticed that if I send an LMv2 response to
> > > the domain controller, the access is denied; if I send an LM response
> > > to the domain controller, the access is allowed. So I am not sure
> > > whether there is some additional configuration I need to do on the
> > > domain controller in order for it to accept the LMv2 response as well?
> > 
> > More likely you have not got the LMv2 algorithm correct; as far as I
> > know the password type is always accepted.  Also remember that the
> > 'case sensitive' password field always seems to take priority, so if
> > you have any NT response, then it will succeed or fail on that basis.
> 
> When I was researching this (oh so many months ago) the 
> documentation I found said that the LMv2 response was added 
> as an afterthought.  The reason it was added was that some 
> (older) Windows systems doing pass-through had hard-coded 
> password length fields (recall that all of the responses, 
> *except for the NTLMv2 response*, are 24 bytes).
> 
> Anyway, according to the doco I found, the nodes in 
> pass-through mode would truncate the NTLMv2 response.  The 
> work-around was to add the LMv2 response.
> 
> The way to test this would be for Yimin to truncate the NTLMv2 response
> to 24 bytes in his code.  I'd try this with and without changing the
> field length in CaseSensitivePasswordLength (just to see what happens).
> 
> Yimin, is that something you can do?  If so, please let us 
> know the results.
> 
> We have some tools to do this as well, if needed.
> 
> Chris -)-----
> 
> 
> --
> "Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
> Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
> jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
> ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
> OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
> 
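The two points raised in this thread, that the v2 responses are keyed on the user and domain/target name while the LM response is not, and that every response except NTLMv2 is a fixed 24 bytes so a pass-through node that truncates NTLMv2 to 24 bytes makes it unverifiable, can be checked with a small model of the MS-NLMP v2 computations. The following is an added example written for this page; it is not code from Yimin, Chris, Andrew, or the Samba project. It assumes the NT hash (MD4 of the UTF-16LE password) has already been computed, takes only stdlib HMAC-MD5, and uses constructed sample values for the hash, the challenges and a minimal TargetInfo; the DES-based LM/NTLM responses are not computed here.

```python
import hmac
import struct


def ntowf_v2(nt_hash: bytes, user: str, target: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + target name,
    both UTF-16LE. The target/domain name is what the client learns from the
    NTLMSSP_CHALLENGE, so a wrong or empty target yields a different key."""
    msg = (user.upper() + target).encode("utf-16le")
    return hmac.new(nt_hash, msg, "md5").digest()


def lmv2_response(nt_hash, user, target, server_challenge, client_challenge):
    """LMv2 = HMAC-MD5(NTOWFv2, server_challenge + client_challenge) + client_challenge.
    Always 16 + 8 = 24 bytes, the same length as the LM and NTLM responses."""
    key = ntowf_v2(nt_hash, user, target)
    mac = hmac.new(key, server_challenge + client_challenge, "md5").digest()
    return mac + client_challenge


def ntlmv2_blob(timestamp, client_challenge, target_info):
    """The NTLMv2 'temp' blob that gets MAC'd: RespType/HiRespType, zeros,
    timestamp, client challenge, zeros, the TargetInfo AV pairs copied from
    the CHALLENGE, and a trailing zero dword. Its length is variable."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, target, server_challenge, blob):
    """NTLMv2 = NTProofStr (HMAC-MD5 over server_challenge + blob) + blob."""
    key = ntowf_v2(nt_hash, user, target)
    mac = hmac.new(key, server_challenge + blob, "md5").digest()
    return mac + blob


def verify_lmv2(nt_hash, user, target, server_challenge, response):
    """Server-side LMv2 check: recompute the MAC from the trailing client challenge."""
    if len(response) != 24:
        return False
    proof, client_challenge = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, target)
    expected = hmac.new(key, server_challenge + client_challenge, "md5").digest()
    return hmac.compare_digest(proof, expected)


def verify_ntlmv2(nt_hash, user, target, server_challenge, response):
    """Server-side NTLMv2 check: split NTProofStr from the blob and recompute.
    A response cut down to 24 bytes has lost most of its blob, so the
    recomputed MAC cannot match and the check fails."""
    if len(response) < 16:
        return False
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, target)
    expected = hmac.new(key, server_challenge + blob, "md5").digest()
    return hmac.compare_digest(proof, expected)


# Constructed sample values (not taken from any capture): a 16-byte NT hash,
# 8-byte server and client challenges, a FILETIME-style timestamp, and a
# minimal TargetInfo (AV_PAIR MsvAvNbDomainName "CORP", then MsvAvEOL).
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
SERVER_CHALLENGE = bytes.fromhex("0011223344556677")
CLIENT_CHALLENGE = bytes.fromhex("8899aabbccddeeff")
TIMESTAMP = 0x01C57C0A00000000
TARGET_INFO = (struct.pack("<HH", 2, 8) + "CORP".encode("utf-16le")
               + struct.pack("<HH", 0, 0))


def demo():
    """Return the observations discussed in the thread as a dict."""
    user, target = "ymchen", "CORP"
    lm_v2 = lmv2_response(NT_HASH, user, target, SERVER_CHALLENGE, CLIENT_CHALLENGE)
    # Same client, but built without the target name from the CHALLENGE.
    lm_v2_no_target = lmv2_response(NT_HASH, user, "", SERVER_CHALLENGE, CLIENT_CHALLENGE)
    blob = ntlmv2_blob(TIMESTAMP, CLIENT_CHALLENGE, TARGET_INFO)
    nt_v2 = ntlmv2_response(NT_HASH, user, target, SERVER_CHALLENGE, blob)
    return {
        "lmv2_len": len(lm_v2),
        "ntlmv2_len": len(nt_v2),
        "lmv2_ok": verify_lmv2(NT_HASH, user, target, SERVER_CHALLENGE, lm_v2),
        "lmv2_no_target_ok": verify_lmv2(NT_HASH, user, target, SERVER_CHALLENGE, lm_v2_no_target),
        "ntlmv2_ok": verify_ntlmv2(NT_HASH, user, target, SERVER_CHALLENGE, nt_v2),
        # What a pass-through node with a hard-coded 24-byte field would forward.
        "ntlmv2_truncated_ok": verify_ntlmv2(NT_HASH, user, target, SERVER_CHALLENGE, nt_v2[:24]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the LMv2 response is 24 bytes and verifies only when client and server agree on the target name, while the NTLMv2 response is longer (64 bytes with this TargetInfo) and stops verifying once it is cut to 24 bytes, which is the situation Chris describes for older pass-through nodes.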

