[PR PATCH] Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth

github at samba.org github at samba.org
Thu Dec 10 09:39:36 UTC 2015 

There is a new pull request by qnet-herwin against master on the Samba Samba Github repository

https://github.com/Quarantainenet/samba MSV1_0_ALLOW_MSVCHAPV2_ntlm_auth
https://github.com/samba-team/samba/pull/45

Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth
An implementation of https://lists.samba.org/archive/samba/2012-March/166497.html (which has been discussed in 2012, but was never implemented).

It has been tested on a Debian Jessie system with this patch added to the Debian package (which is currently 4.1.17). Even though this is Samba 4, the ntlm_auth installed is the one from Samba 3 (yes, it surprised me too). The backend was a machine with Windows 2012R2.

It was first tested with the local security policy 'Network Security: LAN Manager authentication level' setting changed to 'Send NTLMv2 Response Only' (allow ntlm v1). This way we are able to authenticate with and without the MSV1_0_ALLOW_MSVCHAPV2 flag (as expected).

After the basic step has been verified, the local security policy 'Network Security: LAN Manager authentication level' setting was changed to 'Send NTLMv2 Response Only. Refuse LM & NTLM' (only allow ntlm v2). The behaviour now changed according to the MSV1_0_ALLOW_MSVCHAPV2 flag (again: as expected).

```
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain=
Logon failure (0xc000006d)
$ ntlm_auth --request-nt-key --username=XXXXXXXXXXXXX --challenge=XXXXXXXXXXXXXXXXX --nt-response=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --domain= --allow-mschapv2
NT_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
```

The changes in `wbclient.h` are intended for programs that use libwinbind directly instead of authenticating via `ntlm_auth`. I intend to use that within FreeRADIUS (see https://bugzilla.samba.org/show_bug.cgi?id=11149).

A patch file from https://github.com/samba-team/samba/pull/45.patch is attached
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: github-pr-MSV1_0_ALLOW_MSVCHAPV2_ntlm_auth-45.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151210/fb499a62/github-pr-MSV1_0_ALLOW_MSVCHAPV2_ntlm_auth-45.patch>

More information about the samba-technical mailing list