[PATCH] s4 libcli: fix NTLMv2 without spnego

Christian M Ambach christian.ambach at de.ibm.com
Wed Apr 13 04:54:11 MDT 2011

Hi Andrew,

Andrew Bartlett <abartlet at samba.org> wrote on 04/08/2011 01:15:12 AM:

> > So for now, I decided to simply add some checks and if we are 
> > to open a connection with a name that is potentially not a valid 
> > name, just leave away that part of the blob.
> I'm sorry to have you go another round on this, but I'm not comfortable
> with the 'guess if it's a netbios name' approach.  I would prefer that
> in the NT1 session setup, that we just didn't include the name, unless
> you can show a situation where that causes a failure.
> It just seems to me that we will be back to failing in some odd, looks
> like a netbios name but isn't situation.

I have prepared and attached a new patchset that always leaves out
the netbios name part from the NTLMv2 blobs when spnego is not used.
This makes Samba behave similar to Windows clients that according to
my research are not sending that part too.
> As a separate issue, it would improve security to ensure we don't end up
> down this codepath somehow (ie, SPNEGO becomes mandatory unless the
> admin turns it off, just as NTLMv2 is etc). 

These code paths will only be visited if a the dialect to be used
is very old or if the server does not offer spnego. 
So what would you be looking for? A config option that would prevent the
Samba client from using non-spnego unless explicitly allowed?

> But for this to be any use
> we need to verify the server-sent NTLMSSP blobs as well. 

What do you think should be verified in these blobs?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-libcli-do-not-announce-NT-error-code-support-when.patch
Type: application/octet-stream
Size: 1027 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110413/07c05868/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-libcli-allow-exclusion-of-netbios-name-in-NTLMV2-blo.patch
Type: application/octet-stream
Size: 1243 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110413/07c05868/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-s4-libcli-do-not-use-netbios-name-in-NTLMv2-blobs-w-.patch
Type: application/octet-stream
Size: 2988 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110413/07c05868/attachment-0002.obj>

More information about the samba-technical mailing list