[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated

Christian M Ambach christian.ambach at de.ibm.com
Wed Mar 9 06:16:23 MST 2011

Hi list,

while I was looking through the testcases in smbtorture, I noticed
that two of them (base.samba3error and raw.samba3badpath) fail to
connect a second session against the target server.
I cannot comment on whether these two testcases are still worth
existing; it seems they are not included in the selftest. However, I
was interested in what the root cause of this error is.

Bisecting the code history, I figured out that those two worked a
while ago but they broke when the default of using NTLMv2 auth was
changed from false to
in commit 54ee213fa5da6b138a "s4-client Use NTLMv2 by default in the
Samba4 client".

I was able to revive the two tests with a patch to disable NTLMv2 if
extended security was not negotiated during protocol negotiation.

They now pass again against Samba 3.6 and Win 2008R2.

While looking into the protocol negotiation phase, I also thought it
might be a good idea to not announce support for NT error codes if
support for them was disabled (like the two testcases do).

However, this patch is not necessary to make the two testcases pass
again; the key factor here was the use of NTLMv2 although it was not
allowed to use

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s4-libcli-do-not-use-NTLMv2-if-extended-security-is-.patch
Type: application/octet-stream
Size: 939 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110309/9635447d/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-libcli-do-not-announce-NT-error-code-support-when.patch
Type: application/octet-stream
Size: 1017 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110309/9635447d/attachment-0001.obj>
