[PATCH] BUG 9817: Fix 'map untrusted to domain' with NTLMv2

Andreas Schneider asn at samba.org
Fri Apr 19 08:39:01 MDT 2013


Lets assume we have the following test setup.

discworld_pdc (Samba PDC)

discworld_samba (domain member with 'map untrusted to domain = yes')


If we connect from discworld_client to discworld_samba (master or 3.6) with 
the following command:

  smbclient -U WURSTBROT+bob%secret //samba.discworld.site/wurst

We get an error that the password is wrong. If we do the same the the winxp 
member, then we can successfully log in.

The second response sent by NTLMv2 uses a variable length client challenge 
which includes the domain name:

v2-Hash = HMAC-MD5(password, user name, domain name)

We have currently a bug that with "map untrusted to domain" we change the 
domain name of the response to the mapped domain name and send it to the PDC. 
So if the PDC tries to build the v2 hash it uses the mapped domain name and 
fails. This is more or less a man in the middle attack.

The following patch fixes the bug in 3.6 and newer and sends the doamin name 
set by the client the PDC.


	-- andreas

Andreas Schneider                   GPG-ID: F33E3FC6
Samba Team                             asn at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-BUG-9817-Fix-map-untrusted-to-domain-with-NTLMv2.patch
Type: text/x-patch
Size: 1295 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130419/b8e07887/attachment.bin>

More information about the samba-technical mailing list