smbclient 3.5 can't connect to a Windows 7 server using NTLMv2 where smbclient 3.3, 3.4 and 3.6 can
Blohm, Guntram (I/FP-37, extern)
extern.guntram.blohm at audi.de
Thu Aug 23 12:10:00 MDT 2012
Found the bug, though it took me a while.
In Samba version 3.4, source3/libsmb/smbencrypt.c says
    if (!ntv2_owf_gen(nt_hash, user, domain, False, ntlm_v2_hash)) {
The False tells ntv2_owf_gen not to uppercase the domain name.
Samba version 3.5 moves the file to libcli/auth/smbencrypt.c and changes that line to
    if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) {
and version 3.6 doesn't change anything there.
When the domain/workgroup name is fetched from the command line (in source3/libsmb/cliconnect.c), 3.4 has:
    if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
        (p=strchr_m(user2,*lp_winbind_separator()))) {
        *p = 0;
        user = p+1;
        workgroup = user2;
    }
which does not change in 3.5, but 3.6 uses
    if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
        (p=strchr_m(user2,*lp_winbind_separator()))) {
        *p = 0;
        user = p+1;
        strupper_m(user2);
        workgroup = user2;
    }
So basically the problem is: version 3.4 (and below) passes a lowercase version (to be exact: same case that was given on the command line) of the workgroup name to the encryption subsystem, and also uses this lowercase version in the plain text part of the NTLMSSP message. 3.5 uses an uppercase workgroup name for encryption, but still passes the lowercase version of the workgroup in the plain text part, causing the NTLMv2 authentication to fail (at least against Win7 as server). 3.6 always uppercases the workgroup name, so NTLMv2 authentication works again.
I'd propose to copy the
    strupper_m(user2);
line from 3.6 to 3.5, or are there any reasons not to do this? In the meantime, the workaround could be using all uppercase domain names on the command line (which is what I'm doing right now).
Guntram Blohm
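
The mismatch described in this message can be reproduced with a small model of the NTLMv2 key derivation. This is an added example, not part of the original post and not Samba code. The NT hash, challenge and client blob are constructed sample values, the function names are hypothetical, and the server is assumed to hash the domain exactly as it appears in the message it receives.

```python
import hmac
import hashlib

# Constructed sample values (not from the original post).
NT_HASH = bytes(range(16))              # stand-in for MD4(UTF-16LE(password))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = b"\x01\x01" + bytes(26)   # stand-in for the NTLMv2 client blob


def ntowfv2(nt_hash, user, domain, upper_case_domain):
    """HMAC-MD5 keyed with the NT hash over UPPER(user) + domain (UTF-16LE).
    upper_case_domain mirrors the flag passed to Samba's ntv2_owf_gen()."""
    if upper_case_domain:
        domain = domain.upper()
    ident = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, ident, hashlib.md5).digest()


def nt_proof(key):
    """Response proof: HMAC-MD5 of challenge + blob under the NTLMv2 key."""
    return hmac.new(key, SERVER_CHALLENGE + CLIENT_BLOB, hashlib.md5).digest()


# Client behaviour per version as described in the post:
# (uppercase domain when hashing, uppercase domain in the plain text part)
CLIENTS = {"3.4": (False, False), "3.5": (True, False), "3.6": (True, True)}


def client_auth(version, user, domain):
    upper_in_hash, upper_on_wire = CLIENTS[version]
    proof = nt_proof(ntowfv2(NT_HASH, user, domain, upper_in_hash))
    wire_domain = domain.upper() if upper_on_wire else domain
    return {"user": user, "domain": wire_domain, "proof": proof}


def server_accepts(msg):
    # Assumption: the server hashes the domain exactly as received.
    key = ntowfv2(NT_HASH, msg["user"], msg["domain"], False)
    return hmac.compare_digest(nt_proof(key), msg["proof"])


def results(domain, user="user"):
    """Map each modelled client version to whether the server accepts it."""
    return {v: server_accepts(client_auth(v, user, domain)) for v in CLIENTS}


if __name__ == "__main__":
    print(results("workgroup"))   # domain typed in lowercase
    print(results("WORKGROUP"))   # the all-uppercase workaround
```

Only the 3.5 model fails for a lowercase domain, because the key is derived from one spelling and the message carries another; with an all-uppercase domain the two spellings coincide and every version is accepted.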