Bug #6563
Andrew Bartlett
abartlet at samba.org
Tue Jul 20 06:15:09 MDT 2010
On Tue, 2010-07-20 at 14:06 +0200, Kai Blin wrote:
> On Tue, 20 Jul 2010 10:08:13 +0200 Alan DeKok <aland at ox.org> wrote:
>
> (Resent with mailing list in cc, sorry for the noise)
>
> > https://bugzilla.samba.org/show_bug.cgi?id=6563
> >
> > There is an increasing number of people who are running into this
> > bug. I'm seeing an email a week about it. This means even more
> > people are seeing it, and giving up without asking for help.
>
> I initially stopped looking into this because comment #23 reported this
> to be fixed in 3.4.3. It seems not to be the case, though, looking at
> later reports. However, this has been a busy month at $dayjob and also
> in my spare time, so it didn't quite bubble back up on top of my
> todo-list yet.
>
> > The bug is that when using MSCHAP and ntlm_auth, the response NT-Key
> > is wrong, and the client rejects the MS-CHAP response. It has been
> > reported across a wide range of Samba versions, including the most
> > recent ones. The only solution found so far is to downgrade to 3.0.x,
> > which works.
>
> My experience with that mode of ntlm_auth is limited and last time I
> tried it failed consistently on 3.0.x and newer versions.
>
> > The bug includes a python script to reproduce the problem, so
> > there's no need for a complicated test setup. We can also supply a
> > willing set of beta testers who can verify if a patch fixes the
> > problem.
>
> This is only partly true, as I described in comment #20. I'll try to
> make some time to look into this again.
We really need an expected value test for this in our testsuite.
I'm very happy to help on this, as I created this monster in the first
place. My best guess is that we are failing to decrypt the session key
in this instance.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100720/f6012790/attachment.pgp>
More information about the samba-technical
mailing list