[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated
Andrew Bartlett
abartlet at samba.org
Wed Mar 16 06:10:12 MDT 2011
On Wed, 2011-03-16 at 12:56 +0100, Christian M Ambach wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 03/15/2011 11:41:18 PM:
>
> > > Would it be the correct solution to remove the computer name?
> >
> > If that's what Windows clients do, then yes. But let's pin down what
> > Windows 2008 needs just in case it shows us an exception to the rule we
> > need to take into account.
>
> I did some more research and found
> http://support.microsoft.com/kb/957441/en-us
> On Windows 2008, NTLMv2 is not possible any more without spnego unless a
> registry key is added.

We should probably do the same then. I suspect this is about avoiding
some interesting man-in-the-middle downgrade attack.

> I attached my updated patchset that makes NTLMv2 w/o spnego work and
> correctly announces missing support for NT error codes from the first
> packet on (minor nit that is not necessary to make the torture tests
> pass again).
>
> Please review.

These look good. I probably won't be able to commit these right away,
so if another team member beats me to it, I'll be grateful ;-)

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.