ntlmssp errors against El Capitan's SMB Server

Jeremy Allison jra at samba.org
Tue Aug 30 17:52:00 UTC 2016


On Tue, Aug 30, 2016 at 01:35:07PM -0400, Simo wrote:
> On Sun, 2016-08-28 at 16:37 +0200, Christian Ambach wrote:
> > On 26.08.16 at 01:56, Jeremy Allison wrote:
> > 
> > > 
> > > Trouble is the server is saying it *does* support the
> > > NTLMSSP_NEGOTIATE_SIGN flag in the reply.
> > > 
> > > Can you get a Windows 8 or above client capture trace connecting to
> > > this same server to see "what windows does (tm)".
> > 
> > Windows 7 and Windows 10 happily finish connecting, see attached pcap.
> > I have run git bisect and it pointed me to commit 0d641ee36ae2c.
> > CVE-2016-2110: auth/ntlmssp: implement new_spnego support including
> > MIC generation (as client)
> > 
> > So the rules were tightened because of Badlock. Maybe too tight?
> > 
> > I have also found an Ubuntu bug about the same:
> > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1579540
> > 
> > Setting ntlmssp_client:force_old_spnego = yes helps,
> > but this will then affect all client connections.
> > 
> > Which spec applies here to indicate that the server must supply a
> > signature?
> 
> The pcap file from the previous email shows there is a signature, what
> am I missing here ?

It's the final reply from server to client that is missing the sig.

We as the client are dropping the connection as we don't then trust
the server.
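
The condition discussed in this thread can be checked from captured tokens. The following is an added example, not part of the original posts and not Samba code: it reads the NegotiateFlags from an NTLMSSP CHALLENGE_MESSAGE and reports whether the server's final SPNEGO negTokenResp lacks a mechListMIC. The function names and sample bytes are constructed for illustration, and Samba's actual acceptance logic is assumed to be more involved than this single check.

```python
import struct

NTLMSSP_NEGOTIATE_SIGN = 0x00000010  # NegotiateFlags bit defined in MS-NLMP

def challenge_flags(msg: bytes) -> int:
    """Return NegotiateFlags from an NTLMSSP CHALLENGE_MESSAGE (type 2)."""
    if len(msg) < 24 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    return struct.unpack_from("<I", msg, 20)[0]  # flags follow TargetNameFields

def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos and return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def neg_token_resp_fields(token: bytes) -> dict:
    """Map context tag number -> raw value for a SPNEGO negTokenResp."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0xA1:
        raise ValueError("not a negTokenResp")
    tag, seq, _ = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, value, pos = read_tlv(seq, pos)
        fields[tag & 0x1F] = value  # 0 negState, 2 responseToken, 3 mechListMIC
    return fields

def final_reply_unsigned(challenge: bytes, final_token: bytes) -> bool:
    """True when the server advertised SIGN but its last token has no mechListMIC."""
    advertised = bool(challenge_flags(challenge) & NTLMSSP_NEGOTIATE_SIGN)
    return advertised and 3 not in neg_token_resp_fields(final_token)

# Constructed sample bytes, not taken from the pcap discussed in the thread.
CHALLENGE = (b"NTLMSSP\x00" + struct.pack("<I", 2) + bytes(8)
             + struct.pack("<I", 0xE2898215) + bytes(16))
ACCEPT_NO_MIC = bytes.fromhex("a1073005a0030a0100")
ACCEPT_WITH_MIC = bytes.fromhex("a11b3019a0030a0100a3120410") + bytes(16)
```
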
