smbclient 3.5 can't connect to a Windows 7 server using NTLMv2 where smbclient 3.3, 3.4 and 3.6 can

Andrew Bartlett abartlet at samba.org
Thu Aug 23 14:54:04 MDT 2012


On Thu, 2012-08-23 at 18:10 +0000, Blohm, Guntram (I/FP-37, extern)
wrote:
> Found the bug, though it took me a while.
> 
> In samba version 3.4, source3/libsmb/smbencrypt.c says
> 
>         if (!ntv2_owf_gen(nt_hash, user, domain, False, ntlm_v2_hash)) {
> 
> the False tells ntv2_owf_gen not to uppercase the domain name.
> 
> Samba version 3.5 moves the file to libcli/auth/smbencrypt.c and changes that line to
> 
>         if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) {
> 
> and version 3.6 doesn't change anything there.
> 
> 
> When the domain/workgroup name is fetched from the command line (in source3/libsmb/cliconnect.c), 3.4 has:
> 
>         if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
>             (p=strchr_m(user2,*lp_winbind_separator()))) {
>                 *p = 0;
>                 user = p+1;
>                 workgroup = user2;
>         }
> 
> which does not change in 3.5, but 3.6 uses
> 
>         if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
>             (p=strchr_m(user2,*lp_winbind_separator()))) {
>                 *p = 0;
>                 user = p+1;
>                 strupper_m(user2);
>                 workgroup = user2;
>         }
> 
> So basically the problem is: version 3.4 (and below) passes a lowercase version (to be exact: same case that was given on the command line) of the workgroup name to the encryption subsystem, and also uses this lowercase version in the plain text part of the NTLMSSP message. 3.5 uses an uppercase workgroup name for encryption, but still passes the lowercase version of the workgroup in the plain text part, causing the NTLMv2 authentication to fail (at least against Win7 as server). 3.6 always uppercases the workgroup name, so NTLMv2 authentication works again.
> 
> I'd propose to copy the
> 
>                 strupper_m(user2);
> 
> line from 3.6 to 3.5, or are there any reasons not to do this? In the meantime, the workaround could be using all uppercase domain names on the command line (which is what I'm doing right now).

You will need to file a bug and attach a patch so it's really clear what
you are proposing, but your reasoning seems entirely correct and once
you do I'll be happy to ACK this so it can get into 3.5.

If you can prepare it as a patch using git commit and git-format-patch
-1 then it is even easier.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
