Can Samba 3.0 do raw NTLMSSP?
Michael B Allen
ioplex at gmail.com
Mon Dec 8 19:28:39 GMT 2008
On Mon, Dec 8, 2008 at 1:46 PM, Jeremy Allison <jra at samba.org> wrote:
> On Sat, Dec 06, 2008 at 05:14:36PM -0500, Michael B Allen wrote:
>> On Sat, Dec 6, 2008 at 3:52 PM, Jeremy Allison <jra at samba.org> wrote:
>> > On Sat, Dec 06, 2008 at 03:22:22PM -0500, Michael B Allen wrote:
>> >> Hi,
>> >> Can Samba 3.0 do raw NTLMSSP without SPNEGO?
>> >> We just implemented NTLMv2 in JCIFS and we have extended security
>> >> turned on by default now. But JCIFS is failing with Samba 3.0 now
>> >> because it the raw NTLMSSP Type1Message blob is being rejected with
>> >> STATUS_LOGON_FAILURE.
>> > Hmmm, I thought we did that.
>> >> Does a more recent version of Samba 3.0 support raw NTLMSSP?
>> > What version are you trying against ? We're currently
>> > at 3.2.5 you know, not 3.0.anything ?
>> Yeah, I know - 3.2.x works fine. It's just 3.0.x that looks like it
>> doesn't like raw NTLMSSP. If I hack all of the the flags and such to
>> make the Type1Message look exactly like the SPNEGO-wrapped equivalent
>> Type1Message sent by smbclient, it still fails. So the only difference
>> looks like SPNEGO.
>> If you're not sure, then I'll recommend that the customer try to
>> upgrade to the latest 3.0 and see if that makes any difference.
> Which 3.0.x is the customer using ? If we've already fixed
> it in 3.2.x then I'd suggest they upgrade to that instead.
I don't know. They know 3.2.x works. I'm not sure how much the
customer (actually the customer's customer) really cares. I think if
the server was really that important they would probably have more
current versions of things.
It doesn't really matter. I don't see them having me add SPNEGO to
JCIFS just to support a version of Samba that doesn't appear to be
used a whole lot.
Michael B Allen
PHP Active Directory SPNEGO SSO
More information about the samba-technical