smbclient 3.5 can't connect to a Windows 7 server using NTLMv2 where smbclient 3.3, 3.4 and 3.6 can

Jeremy Allison jra at samba.org
Fri Aug 24 16:57:41 MDT 2012


On Thu, Aug 23, 2012 at 06:10:00PM +0000, Blohm, Guntram (I/FP-37, extern) wrote:
> Found the bug, though it took me a while.
> 
> In samba version 3.4, source3/libsmb/smbencrypt.c says
> 
>         if (!ntv2_owf_gen(nt_hash, user, domain, False, ntlm_v2_hash)) {
> 
> the False tells ntv2_owf_gen not to uppercase the domain name.
> 
> Samba version 3.5 moves the file to libcli/auth/smbencrypt.c and changes that line to
> 
>         if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) {
> 
> and version 3.6 doesn't change anything there.
> 
> 
> When the domain/workgroup name is fetched from the command line (in source3/libsmb/cliconnect.c), 3.4 has:
> 
>         if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
>             (p=strchr_m(user2,*lp_winbind_separator()))) {
>                 *p = 0;
>                 user = p+1;
>                 workgroup = user2;
>         }
> 
> which does not change in 3.5, but 3.6 uses
> 
>         if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
>             (p=strchr_m(user2,*lp_winbind_separator()))) {
>                 *p = 0;
>                 user = p+1;
>                 strupper_m(user2);
>                 workgroup = user2;
>         }
> 
> So basically the problem is: version 3.4 (and below) passes a lowercase version (to be exact: same case that was given on the command line) of the workgroup name to the encryption subsystem, and also uses this lowercase version in the plain text part of the NTLMSSP message. 3.5 uses an uppercase workgroup name for encryption, but still passes the lowercase version of the workgroup in the plain text part, causing the NTLMv2 authentication to fail (at least against Win7 as server). 3.6 always uppercases the workgroup name, so NTLMv2 authentication works again.
> 
> I'd propose to copy the
> 
>                 strupper_m(user2);
> 
> line from 3.6 to 3.5, or are there any reasons not to do this? In the meanwhile, the workaround could be using all uppercase domain names on the command line (which is what I'm doing right now).

Ok, the fix has gone into master, and git-am fixes are
attached to bug:

https://bugzilla.samba.org/show_bug.cgi?id=9117

for review for 3.6.next and 3.5.next. Thanks a *LOT* for
your help on this!

Jeremy.
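
The mismatch described in the quoted report, as an added Python example (not part of the original thread and not Samba code). The per-version table, the sample NT hash, challenge and blob are constructed, and the server model (recompute the NTLMv2 hash from the domain exactly as it appears in the message) is an assumption taken from the behaviour reported above.

```python
import hashlib
import hmac

def ntv2_owf_gen(nt_hash, user, domain, upper_case_domain):
    """NTLMv2 one-way function: HMAC-MD5 keyed with the NT hash over
    UTF-16LE(UPPER(user) + domain). The flag mirrors the argument quoted above."""
    if upper_case_domain:
        domain = domain.upper()
    msg = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, msg, hashlib.md5).digest()

def proof(owf, challenge, blob):
    """Response proof: HMAC-MD5(owf, server challenge + client blob)."""
    return hmac.new(owf, challenge + blob, hashlib.md5).digest()

# Per version: (uppercase workgroup when parsing the command line,
#               upper_case_domain flag handed to ntv2_owf_gen)
VERSIONS = {"3.4": (False, False), "3.5": (False, True), "3.6": (True, True)}

def client_authenticate(version, nt_hash, user, workgroup, challenge, blob):
    """Return (domain sent in the plain text part, proof sent to the server)."""
    upper_at_parse, upper_flag = VERSIONS[version]
    if upper_at_parse:
        workgroup = workgroup.upper()  # the strupper_m(user2) step in 3.6
    owf = ntv2_owf_gen(nt_hash, user, workgroup, upper_flag)
    return workgroup, proof(owf, challenge, blob)

def server_accepts(nt_hash, user, wire_domain, challenge, blob, client_proof):
    """Assumed server model: hash the domain exactly as received."""
    owf = ntv2_owf_gen(nt_hash, user, wire_domain, False)
    return hmac.compare_digest(proof(owf, challenge, blob), client_proof)

def login_ok(version, workgroup_as_typed, user="alice"):
    nt_hash = bytes(range(16))                    # constructed NT hash
    challenge = bytes.fromhex("0123456789abcdef") # constructed server challenge
    blob = b"constructed-client-blob"             # stands in for the NTLMv2 blob
    wire_domain, client_proof = client_authenticate(
        version, nt_hash, user, workgroup_as_typed, challenge, blob)
    return server_accepts(nt_hash, user, wire_domain, challenge, blob, client_proof)

if __name__ == "__main__":
    for version in VERSIONS:
        for typed in ("corp", "CORP"):
            print(version, typed, "accepted" if login_ok(version, typed) else "rejected")
```

Only the 3.5 combination with a lowercase workgroup is rejected; typing the workgroup in uppercase makes it succeed, which is the workaround mentioned in the report.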

