[PATCH] BUG 9817: Fix 'map untrusted to domain' with NTLMv2
Andreas Schneider
asn at samba.org
Fri Apr 19 08:39:01 MDT 2013
Hello,
Let's assume we have the following test setup.

    discworld_pdc (Samba PDC)
    discworld_samba (domain member with 'map untrusted to domain = yes')
    discworld_winxp
    discworld_client

If we connect from discworld_client to discworld_samba (master or 3.6) with
the following command:

    smbclient -U WURSTBROT+bob%secret //samba.discworld.site/wurst

We get an error that the password is wrong. If we do the same with the winxp
member, then we can successfully log in.
The second response sent by NTLMv2 uses a variable length client challenge
which includes the domain name:
v2-Hash = HMAC-MD5(password, user name, domain name)
We have currently a bug that with "map untrusted to domain" we change the
domain name of the response to the mapped domain name and send it to the PDC.
So if the PDC tries to build the v2 hash it uses the mapped domain name and
fails. This is more or less a man in the middle attack.
The following patch fixes the bug in 3.6 and newer and sends the domain name
set by the client to the PDC.
Cheers,
-- andreas
--
Andreas Schneider GPG-ID: F33E3FC6
Samba Team asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-BUG-9817-Fix-map-untrusted-to-domain-with-NTLMv2.patch
Type: text/x-patch
Size: 1295 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130419/b8e07887/attachment.bin>
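
The failure described in the message above, as an added example that is not part of the original post or the attached patch: the NTLMv2 proof is keyed on a hash that covers the domain name the client used, so a verifier that is handed a different domain name recomputes a different proof. It follows the NTLMv2 definition (NT hash as HMAC key, user name uppercased); the NT hash, challenge and blob bytes are constructed, and MAPPED_DOMAIN is a hypothetical name for the member server's own domain.

```python
import hashlib
import hmac

# Constructed sample values (not from the page). A real NT hash is
# MD4(UTF-16LE(password)); a fixed 16-byte stand-in is used here.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHALLENGE = bytes(range(8))
CLIENT_BLOB = b"\x01\x01" + b"\x00" * 6 + b"constructed-client-challenge"

USER = "bob"
CLIENT_DOMAIN = "WURSTBROT"   # domain the client typed in the smbclient command
MAPPED_DOMAIN = "DISCWORLD"   # hypothetical domain the member server maps to


def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    """HMAC-MD5 keyed with the NT hash over UTF-16LE(upper(user) + domain)."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, server_challenge, blob) -> bytes:
    """Client side: 16-byte proof followed by the variable-length blob."""
    key = ntlmv2_hash(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def dc_verify(nt_hash, user, forwarded_domain, server_challenge, response) -> bool:
    """DC side: recompute the proof using the domain name it was forwarded."""
    proof, blob = response[:16], response[16:]
    expected = ntlmv2_response(nt_hash, user, forwarded_domain,
                               server_challenge, blob)[:16]
    return hmac.compare_digest(proof, expected)


def run_scenarios() -> dict:
    # The client computes its response once, with the domain it was given.
    response = ntlmv2_response(NT_HASH, USER, CLIENT_DOMAIN,
                               SERVER_CHALLENGE, CLIENT_BLOB)
    return {
        # Before the fix: the member server forwards the mapped domain name.
        "mapped_domain_forwarded": dc_verify(NT_HASH, USER, MAPPED_DOMAIN,
                                             SERVER_CHALLENGE, response),
        # After the fix: the client's own domain name is forwarded unchanged.
        "client_domain_forwarded": dc_verify(NT_HASH, USER, CLIENT_DOMAIN,
                                             SERVER_CHALLENGE, response),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The password is identical in both scenarios; only the domain name passed to the verifier differs, which is why the symptom is reported as a wrong password.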