[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated
Stefan (metze) Metzmacher
metze at samba.org
Wed Mar 16 06:55:12 MDT 2011
On 16.03.2011 13:10, Andrew Bartlett wrote:
> On Wed, 2011-03-16 at 12:56 +0100, Christian M Ambach wrote:
>> Andrew Bartlett <abartlet at samba.org> wrote on 03/15/2011 11:41:18 PM:
>>>> Would it be the correct solution to remove the computer name?
>>> If that's what windows clients do, then yes. But let's pin down
>>> Windows 2008 needs just in case it shows us an exception to the rule
>>> need to take into account.
>> I did some more research and found
>> On Windows 2008, NTLMv2 is not possible any more without spnego unless
>> registry key is added.
> We should probably do the same then. I suspect this is about avoiding
> some interesting man-in-the-middle downgrade attack.
>> I attached my updated patchset that makes NTLMv2 w/o spnego work and
>> correctly announces missing support for NT error codes from the first
>> packet on (minor nit that is not necessary to make the torture tests
>> pass again).
>> Please review.
> These look good. I probably won't be able to commit these right away,
> so if another team member beats me to it, I'll be grateful ;-)
It seems that there are a lot of callers of NTLMv2_generate_names_blob(),
are you sure the behavior change is correct for all of them?