[PATCH] BUG 9817: Fix 'map untrusted to domain' with NTLMv2
asn at samba.org
Fri Apr 19 08:39:01 MDT 2013
Let's assume we have the following test setup.
discworld_pdc (Samba PDC)
discworld_samba (domain member with 'map untrusted to domain = yes')
If we connect from discworld_client to discworld_samba (master or 3.6) with
the following command:
smbclient -U WURSTBROT+bob%secret //samba.discworld.site/wurst
We get an error that the password is wrong. If we do the same with the winxp
member, then we can successfully log in.
The second response sent by NTLMv2 uses a variable length client challenge
which includes the domain name:
v2-Hash = HMAC-MD5(password, user name, domain name)
We have currently a bug that with "map untrusted to domain" we change the
domain name of the response to the mapped domain name and send it to the PDC.
So if the PDC tries to build the v2 hash it uses the mapped domain name and
fails. This is more or less a man in the middle attack.
The following patch fixes the bug in 3.6 and newer and sends the domain name
set by the client to the PDC.
Andreas Schneider GPG-ID: F33E3FC6
Samba Team asn at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1295 bytes
Desc: not available
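
The failure described in the message above, as an added example that is not part of the original post or of Samba's code: the client binds its domain name into the NTLMv2 key, so a DC that is told a different domain name cannot reproduce the proof. Assumptions: the mapped domain name DISCWORLD, the stand-in NT hash, the challenges and the simplified client blob are all constructed, and the key derivation is written out as HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, which the message abbreviates.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for MD4(UTF-16LE(password)); not a real password hash.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")  # constructed


def ntowf_v2(nt_hash, user, domain):
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def build_blob(timestamp, client_challenge):
    """Simplified variable-length client blob without AV pairs (constructed)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 8)


def client_response(nt_hash, user, domain, server_challenge, blob):
    """What the client sends: 16-byte proof followed by the blob."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def dc_verify(nt_hash, user, domain, server_challenge, response):
    """DC side: recompute the proof using the domain name it was handed."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo():
    blob = build_blob(130108451410000000, bytes.fromhex("aabbccddeeff0011"))
    resp = client_response(NT_HASH, "bob", "WURSTBROT", SERVER_CHALLENGE, blob)
    # Domain forwarded as the client set it (behaviour after the fix).
    as_sent = dc_verify(NT_HASH, "bob", "WURSTBROT", SERVER_CHALLENGE, resp)
    # Domain rewritten to the mapped name (the bug); DISCWORLD is assumed.
    mapped = dc_verify(NT_HASH, "bob", "DISCWORLD", SERVER_CHALLENGE, resp)
    return as_sent, mapped


if __name__ == "__main__":
    print(demo())
```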