ntlmssp errors against El Capitan's SMB Server

Stefan Metzmacher metze at samba.org
Thu Sep 1 19:34:05 UTC 2016


On 01.09.2016 at 20:57, Jeremy Allison wrote:
> On Thu, Sep 01, 2016 at 03:02:06PM +0200, Stefan Metzmacher wrote:
>>
>> These don't work as Jeremy's original patch also doesn't (at least for me).
> 
> Not surprised, my patch was deduced by "PURE LOGIC (tm)" without
> access to an El Capitan server :-). I'm trying to get access to
> one to figure out the exact details.
> 
>> The HACK patch with the unknown OID is rejected with LOGON_FAILURE
>> by the Apple server, while the downgrade to the known NTLMSSP oid
>> works as expected against Windows.
>>
>> The attached patch (tmp.diff.txt) fixes the problem for me against
>> an Apple server, can anyone test against Azure?
> 
> Did you test this patch running against the Apple server with
> smbclient requiring SMB signing ? With this patch that will fail
> right ?
> 
> (we'll still expect the mechListMic and the server doesn't
> ever send it).
> 
>> The new "HACK: source3/libsmb/cliconnect.c require GENSEC_FEATURE_SIGN" patch
>> shows that still trigger the ACCESS_DENIED if GENSEC_FEATURE_SIGN is
>> requested.
> 
> Does the Windows client fail against the Apple server if signing
> is required ? Or do they enforce a mechListMic check in this case ?

SMB signing uses just GENSEC_FEATURE_SESSION_KEY and not GENSEC_FEATURE_SIGN,
so I don't think there's any difference with SMB signing,
but I'll test that tomorrow against Ralph's Apple server.

So with tmp.diff.txt (alone) it all worked against it with SMB1 and SMB3,
without required signing.

metze

More information about the samba-technical mailing list