[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated

Andrew Bartlett abartlet at samba.org
Tue Mar 15 16:41:18 MDT 2011 

On Tue, 2011-03-15 at 19:42 +0100, Christian M Ambach wrote:
> Hi Andrew, 
> 
> Andrew Bartlett <abartlet at samba.org> wrote on 03/09/2011 10:27:06 PM:
> 
> > I wonder if the bug is more subtle however.  NTLMv2 should work
> without
> > extended security, so what is really going on here?  Is the wrong
> name
> > presented to the NTLMv2 calculation?
> 
> I did some more investigations and compared the differences between
> what 
> smbtorture sends and what Windows clients send out. 
> 
> The support of NT status error codes is not of interest here, it is
> only 
> if extended security can be used or not. 
> 
> In case spnego is not used, the Windows Clients I checked are only
> sending 
> the domain name in the NTLMv2 blob, not the host name. 
> I removed the sending of the hostname in smbtorture et voila, it
> works 
> 
> diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c 
> index f7c60e7..99e3cdb 100644 
> --- a/libcli/auth/smbencrypt.c 
> +++ b/libcli/auth/smbencrypt.c 
> @@ -364,9 +364,8 @@ DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX
> *mem_ctx, 
>         DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0); 
>   
>         msrpc_gen(mem_ctx, &names_blob, 
> -                 "aaa", 
> +                 "aa", 
>                   MsvAvNbDomainName, domain, 
> -                 MsvAvNbComputerName, hostname, 
>                   MsvAvEOL, ""); 
>         return names_blob; 
>  }
> 
> The torture tests which can now connect against Samba 3.6 joined to a
> domain and 
> Windows 2003. Windows 2008 however still refuses the connection, but
> maybe that's 
> a matter of the security settings. I'll look further into this. 
> 
> Would it be the correct solution to remove the computer name? 

If that's what windows clients do, then yes.  But let's pin down what
Windows 2008 needs just in case it shows us an exception to the rule we
need to take into account. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list