[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated

Andrew Bartlett abartlet at samba.org
Wed Mar 16 06:10:12 MDT 2011

On Wed, 2011-03-16 at 12:56 +0100, Christian M Ambach wrote:
> Andrew Bartlett <abartlet at samba.org> wrote on 03/15/2011 11:41:18 PM:
> > > Would it be the correct solution to remove the computer name? 
> > 
> > If that's what windows clients do, then yes.  But let's pin down
> what
> > Windows 2008 needs just in case it shows us an exception to the rule
> we
> > need to take into account. 
> I did some more research and found
> http://support.microsoft.com/kb/957441/en-us 
> On Windows 2008, NTLMv2 is not possible any more without spnego unless
> a 
> registry key is added. 

We should probably do the same then.  I suspect this is about avoiding a
some interesting man-in-the-middle downgrade attack. 

> I attached my updated patchset that makes NTLMv2 w/o spnego work and 
> correctly announces missing support for NT error codes from the first 
> packet on (minor nit that is not necessary to make the torture tests
> pass again). 
> Please review. 

These look good.  I probably won't be able to commit these right away,
so if another team member beats me to it, I'll be grateful ;-)

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

More information about the samba-technical mailing list