[PATCH] s4 libcli should not use NTLMv2 if extended security is not negotiated

Stefan (metze) Metzmacher metze at samba.org
Wed Mar 16 06:55:12 MDT 2011

Am 16.03.2011 13:10, schrieb Andrew Bartlett:
> On Wed, 2011-03-16 at 12:56 +0100, Christian M Ambach wrote:
>> Andrew Bartlett <abartlet at samba.org> wrote on 03/15/2011 11:41:18 PM:
>>>> Would it be the correct solution to remove the computer name? 
>>> If that's what windows clients do, then yes.  But let's pin down
>> what
>>> Windows 2008 needs just in case it shows us an exception to the rule
>> we
>>> need to take into account. 
>> I did some more research and found
>> http://support.microsoft.com/kb/957441/en-us 
>> On Windows 2008, NTLMv2 is not possible any more without spnego unless
>> a 
>> registry key is added. 
> We should probably do the same then.  I suspect this is about avoiding a
> some interesting man-in-the-middle downgrade attack. 
>> I attached my updated patchset that makes NTLMv2 w/o spnego work and 
>> correctly announces missing support for NT error codes from the first 
>> packet on (minor nit that is not necessary to make the torture tests
>> pass again). 
>> Please review. 
> These look good.  I probably won't be able to commit these right away,
> so if another team member beats me to it, I'll be grateful ;-)

It seems that there're a lot of callers of NTLMv2_generate_names_blob(),
are you sure the behavior change is correct for all of them?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110316/197dbebd/attachment.pgp>

More information about the samba-technical mailing list