ntlmssp errors against El Capitan's SMB Server

Simo simo at samba.org
Tue Aug 30 19:54:33 UTC 2016


On Tue, 2016-08-30 at 10:52 -0700, Jeremy Allison wrote:
> On Tue, Aug 30, 2016 at 01:35:07PM -0400, Simo wrote:
> > 
> > On Sun, 2016-08-28 at 16:37 +0200, Christian Ambach wrote:
> > > 
> > > On 26.08.16 at 01:56, Jeremy Allison wrote:
> > > 
> > > > Trouble is the server is saying it *does* support the
> > > > NTLMSSP_NEGOTIATE_SIGN flag in the reply.
> > > > 
> > > > Can you get a Windows 8 or above client capture trace connecting to
> > > > this same server to see "what windows does (tm)".
> > > 
> > > Windows 7 and Windows 10 happily finish connecting, see attached pcap.
> > > I have run git bisect and it pointed me to commit 0d641ee36ae2c.
> > > CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC
> > > generation (as client)
> > > 
> > > So the rules were tightened because of Badlock. Maybe too tight?
> > > 
> > > I have also found an Ubuntu bug about the same:
> > > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1579540
> > > 
> > > Setting ntlmssp_client:force_old_spnego = yes helps,
> > > but this will then affect all client connections.
> > > 
> > > Which spec applies here to indicate that the server must supply a
> > > signature?
> > 
> > The pcap file from the previous email shows there is a signature,
> > what am I missing here?
> 
> It's the final reply from server to client that is missing the sig.
> 
> We as the client are dropping the connection as we don't then trust
> the server.

This is not how spnego is supposed to work. Once a mechListMIC is
returned by one of the parties and it checks out, you do not add
another one on the way back.

Whether the client or the server sends a mechListMIC depends on the
mechanism selected and how many round trips it implies.

Going by memory but IIRC:
If kerberos is used, usually it's the server that sends the mechListMIC,
as the last leg is done at the server. In case of NTLM the client needs
to send back one more token, so it is the client that generates the
mechListMIC.

I may be wrong on some minor detail or the directions :-)

Simo.


