[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated

Christian M Ambach christian.ambach at de.ibm.com
Tue Mar 15 12:42:30 MDT 2011


Hi Andrew,

Andrew Bartlett <abartlet at samba.org> wrote on 03/09/2011 10:27:06 PM:

> I wonder if the bug is more subtle however.  NTLMv2 should work without
> extended security, so what is really going on here?  Is the wrong name
> presented to the NTLMv2 calculation?

I did some more investigations and compared the differences between what 
smbtorture sends and what Windows clients send out.

The support of NT status error codes is not of interest here; it only
matters whether extended security can be used or not.

In case SPNEGO is not used, the Windows clients I checked are only sending
the domain name in the NTLMv2 blob, not the host name.
I removed the sending of the hostname in smbtorture et voilà, it works.

diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index f7c60e7..99e3cdb 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -364,9 +364,8 @@ DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX 
*mem_ctx,
        DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
 
        msrpc_gen(mem_ctx, &names_blob,
-                 "aaa",
+                 "aa",
                  MsvAvNbDomainName, domain,
-                 MsvAvNbComputerName, hostname,
                  MsvAvEOL, "");
        return names_blob;
 }
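
Review bot: MsvAvNbComputerName is dropped for every caller of NTLMv2_generate_names_blob(), but the behaviour this is based on was only observed when SPNEGO is not used, so the extended-security path would lose the computer name as well. Consider keeping the "aaa" form and selecting the "aa" form only when extended security was not negotiated (for example by letting the caller pass a NULL hostname and skipping the pair in that case). As the hunk stands, `hostname` is no longer referenced in the visible body, so the parameter would become dead, and a short comment explaining why the pair is omitted would help later readers.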

The torture tests can now connect against Samba 3.6 joined to a domain and
Windows 2003. Windows 2008 however still refuses the connection, but maybe
that's a matter of the security settings. I'll look further into this.

Would it be the correct solution to remove the computer name?

Cheers,
Christian
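
For comparing what different clients put into the NTLMv2 names blob, as discussed in the message above, here is an added example (not part of the original post and not Samba code) that walks an AV_PAIR list and reports which AvIds are present. It assumes the AV_PAIR layout from MS-NLMP (16-bit little-endian AvId and AvLen, then the value); the function name `av_pairs_seen` and the sample blobs are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AvId values as defined for AV_PAIR in MS-NLMP. */
enum { MsvAvEOL = 0, MsvAvNbComputerName = 1, MsvAvNbDomainName = 2 };

/* Constructed sample blobs (UTF-16LE "DOM" and "PC"), not real captures. */
static const uint8_t blob_domain_only[] = {
    0x02, 0x00, 0x06, 0x00, 'D', 0, 'O', 0, 'M', 0,
    0x00, 0x00, 0x00, 0x00 };
static const uint8_t blob_with_host[] = {
    0x02, 0x00, 0x06, 0x00, 'D', 0, 'O', 0, 'M', 0,
    0x01, 0x00, 0x04, 0x00, 'P', 0, 'C', 0,
    0x00, 0x00, 0x00, 0x00 };
/* Constructed malformed blob: AvLen says 6 bytes, only 2 follow. */
static const uint8_t blob_truncated[] = { 0x02, 0x00, 0x06, 0x00, 'D', 0 };

/*
 * Hypothetical helper: walk an AV_PAIR list and return a bitmask of the
 * AvIds seen (bit n set for AvId n, n < 31). Returns -1 if the list is
 * malformed: value past the end, MsvAvEOL with non-zero length, or no
 * MsvAvEOL terminator at all.
 */
int av_pairs_seen(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int seen = 0;

    while (len - off >= 4) {            /* off never exceeds len */
        uint16_t id = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        uint16_t vlen = (uint16_t)(buf[off + 2] | (buf[off + 3] << 8));
        off += 4;
        if (id == MsvAvEOL)
            return vlen == 0 ? seen : -1;
        if (vlen > len - off)
            return -1;                  /* value runs past end of blob */
        if (id < 31)
            seen |= 1 << id;
        off += vlen;
    }
    return -1;                          /* no MsvAvEOL terminator */
}

int main(void)
{
    printf("domain only: %d\n", av_pairs_seen(blob_domain_only, sizeof blob_domain_only));
    printf("with host:   %d\n", av_pairs_seen(blob_with_host, sizeof blob_with_host));
    return 0;
}
```

Testing the result against `1 << MsvAvNbComputerName` tells whether a given blob carries the computer name.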


