[PATCH] s4 libcli: fix NTLMv2 without spnego

Andrew Bartlett abartlet at samba.org
Thu Apr 7 17:15:12 MDT 2011

On Thu, 2011-04-07 at 14:48 +0200, Christian M Ambach wrote:
> "Stefan (metze) Metzmacher" <metze at samba.org> wrote on 03/16/2011 02:20:51 PM:
> > >> It seems that there're a lot of callers of NTLMv2_generate_names_blob(),
> > >> are you sure the behavior change is correct for all of them?
> > > 
> > > You're right, I forgot to do that.
> > > I'll go through all callers and test out if they still work.
> > > In case they do, I'll also eliminate the then unused hostname argument to
> > > NTLMv2_generate_names_blob().
> > 
> > Wouldn't it make sense to just handle hostname == NULL?
> After some more research and investigation, I made the decision to go along
> the path you have proposed.
> During my research, I have tested with multiple Windows and Samba domain members
> against various versions of domain controllers and found that domain
> controllers are likely to reject NTLMv2 blobs during non-NTLMSSP authentication
> if the blob contains a FQDN or IP address as MsvAvNbComputerName in the blob.
> I do not understand the exact conditions under which the DC will reject the
> blob; there seem to be differences between Samba and Windows computer accounts.
> For Samba machine accounts, it will reject it when using an IP address,
> while it does not for Windows boxes. Using an invalid name will always lead
> to a negative reply to the NetrLogonSamLogonEx call.
> So for now, I decided to simply add some checks and if we are attempting
> to open a connection with a name that is potentially not a valid netbios
> name, just leave out that part of the blob.

I'm sorry to have you go another round on this, but I'm not comfortable
with the 'guess if it's a netbios name' approach.  I would prefer that
in the NT1 session setup we just didn't include the name, unless
you can show a situation where that causes a failure.

It just seems to me that we will be back to failing in some odd
looks-like-a-netbios-name-but-isn't situation.

As a separate issue, it would improve security to ensure we don't end up
down this codepath somehow (i.e., SPNEGO becomes mandatory unless the
admin turns it off, just as NTLMv2 is, etc.).  But for this to be any use
we need to verify the server-sent NTLMSSP blobs as well.

Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
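To make concrete what "leave out that part of the blob" means in the thread above: the NTLMv2 names blob is a list of AV_PAIR structures (MS-NLMP 2.2.2.1), each a little-endian AvId, AvLen and UTF-16LE value, terminated by MsvAvEOL. The following is an added example written for this page, not Samba's NTLMv2_generate_names_blob() and not Christian's patch; it assumes the pair order domain name, computer name, EOL, and follows the hostname == NULL approach the thread converges on: when no hostname is supplied the MsvAvNbComputerName pair is omitted entirely, with no attempt to guess whether a string is a valid NetBIOS name. The decoder is included so the absence of the pair can be checked on real blobs, and it rejects truncated or unterminated input rather than reading past the end.

```python
"""Build and decode the NTLMv2 names blob (AV_PAIR list, MS-NLMP 2.2.2.1).

Added example, not Samba code. Demonstrates the hostname == NULL behaviour:
no hostname means no MsvAvNbComputerName pair, no NetBIOS-name guessing.
"""
import struct

# AvId values defined in MS-NLMP 2.2.2.1
MSV_AV_EOL = 0
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2
MSV_AV_DNS_COMPUTER_NAME = 3
MSV_AV_DNS_DOMAIN_NAME = 4
MSV_AV_DNS_TREE_NAME = 5
MSV_AV_TARGET_NAME = 9

# AvIds whose value is a UTF-16LE string (no terminator) rather than raw bytes
_STRING_AV_IDS = {
    MSV_AV_NB_COMPUTER_NAME, MSV_AV_NB_DOMAIN_NAME, MSV_AV_DNS_COMPUTER_NAME,
    MSV_AV_DNS_DOMAIN_NAME, MSV_AV_DNS_TREE_NAME, MSV_AV_TARGET_NAME,
}


def _av_pair(av_id, value):
    """Encode one AV_PAIR: AvId (u16 LE), AvLen (u16 LE), Value."""
    data = value.encode("utf-16-le") if isinstance(value, str) else value
    return struct.pack("<HH", av_id, len(data)) + data


def names_blob(domain, hostname=None):
    """Assumed pair order: MsvAvNbDomainName, [MsvAvNbComputerName], MsvAvEOL.

    hostname=None is the "NULL" case from the thread: the computer-name pair is
    simply not emitted. Any non-None hostname is sent verbatim; the caller, not
    this function, decides whether it has a NetBIOS name worth sending.
    """
    blob = _av_pair(MSV_AV_NB_DOMAIN_NAME, domain)
    if hostname is not None:
        blob += _av_pair(MSV_AV_NB_COMPUTER_NAME, hostname)
    return blob + _av_pair(MSV_AV_EOL, b"")


def parse_av_pairs(blob):
    """Decode an AV_PAIR list into [(av_id, value), ...], excluding the EOL.

    Raises ValueError on a truncated pair, a missing MsvAvEOL, or trailing
    bytes after it; a decoder for server-sent target info must not trust AvLen.
    """
    pairs = []
    off = 0
    while True:
        if off + 4 > len(blob):
            raise ValueError("truncated AV_PAIR header at offset %d" % off)
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if off + av_len > len(blob):
            raise ValueError("AV_PAIR value runs past end of blob")
        value = blob[off:off + av_len]
        off += av_len
        if av_id == MSV_AV_EOL:
            if av_len != 0 or off != len(blob):
                raise ValueError("malformed MsvAvEOL or trailing bytes")
            return pairs
        if av_id in _STRING_AV_IDS:
            value = value.decode("utf-16-le")
        pairs.append((av_id, value))


def has_nb_computer_name(blob):
    """True if the blob carries an MsvAvNbComputerName pair at all."""
    return any(av_id == MSV_AV_NB_COMPUTER_NAME for av_id, _ in parse_av_pairs(blob))


if __name__ == "__main__":
    # Constructed sample inputs; "SAMBADOM" and "MEMBER1" are made-up names.
    with_host = names_blob("SAMBADOM", "MEMBER1")
    without_host = names_blob("SAMBADOM")
    print(with_host.hex())
    print(parse_av_pairs(with_host))
    print(without_host.hex())
    print(parse_av_pairs(without_host))
```

The blob without a hostname is not a special case for the decoder; it is just a shorter list, which is the point of handling NULL rather than classifying the string. The same parser applied to a server's target info is the minimum needed before the client could start checking what the server sent, as the last paragraph above asks for.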
