[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated
Stefan (metze) Metzmacher
metze at samba.org
Wed Mar 16 06:55:12 MDT 2011
Am 16.03.2011 13:10, schrieb Andrew Bartlett:
> On Wed, 2011-03-16 at 12:56 +0100, Christian M Ambach wrote:
>> Andrew Bartlett <abartlet at samba.org> wrote on 03/15/2011 11:41:18 PM:
>>
>>>> Would it be the correct solution to remove the computer name?
>>>
>>> If that's what windows clients do, then yes. But let's pin down
>> what
>>> Windows 2008 needs just in case it shows us an exception to the rule
>> we
>>> need to take into account.
>>
>> I did some more research and found
>> http://support.microsoft.com/kb/957441/en-us
>> On Windows 2008, NTLMv2 is not possible any more without spnego unless
>> a
>> registry key is added.
>
> We should probably do the same then. I suspect this is about avoiding a
> some interesting man-in-the-middle downgrade attack.
>
>> I attached my updated patchset that makes NTLMv2 w/o spnego work and
>> correctly announces missing support for NT error codes from the first
>> packet on (minor nit that is not necessary to make the torture tests
>> pass again).
>>
>> Please review.
>
> These look good. I probably won't be able to commit these right away,
> so if another team member beats me to it, I'll be grateful ;-)
It seems that there're a lot of callers of NTLMv2_generate_names_blob(),
are you sure the behavior change is correct for all of them?
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110316/197dbebd/attachment.pgp>
More information about the samba-technical
mailing list