Bug #6563

Andrew Bartlett abartlet at samba.org
Tue Jul 20 06:15:09 MDT 2010


On Tue, 2010-07-20 at 14:06 +0200, Kai Blin wrote:
> On Tue, 20 Jul 2010 10:08:13 +0200 Alan DeKok <aland at ox.org> wrote:
> 
> (Resent with mailing list in cc, sorry for the noise)
> 
> > https://bugzilla.samba.org/show_bug.cgi?id=6563
> > 
> >   There is an increasing number of people who are running into this
> > bug. I'm seeing an email a week about it.  This means even more
> > people are seeing it, and giving up without asking for help.
> 
> I initially stopped looking into this because comment #23 reported this
> to be fixed in 3.4.3. It seems not to be the case, though, looking at
> later reports. However, this has been a busy month at $dayjob and also
> in my spare time, so it didn't quite bubble back up on top of my
> todo-list yet.
> 
> >   The bug is that when using MSCHAP and ntlm_auth, the response NT-Key
> > is wrong, and the client rejects the MS-CHAP response.  It has been
> > reported across a wide range of Samba versions, including the most
> > recent ones.  The only solution found so far is to downgrade to 3.0.x,
> > which works.
> 
> My experience with that mode of ntlm_auth is limited and last time I
> tried it failed consistently on 3.0.x and newer versions.
> 
> >   The bug includes a Python script to reproduce the problem, so
> > there's no need for a complicated test setup.  We can also supply a
> > willing set of beta testers who can verify if a patch fixes the
> > problem.
> 
> This is only partly true, as I described in comment #20. I'll try to
> make some time to look into this again.

We really need an expected value test for this in our testsuite. 

I'm very happy to help on this, as I created this monster in the first
place.  My best guess is that we are failing to decrypt the session key
in this instance. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.