[PATCH] Fix for a bug in MacOS X Sierra NTLMv2 processing.

Ralph Böhme slow at samba.org
Thu Jun 22 19:57:39 UTC 2017


On Thu, Jun 22, 2017 at 01:26:38PM -0700, Jeremy Allison wrote:
> On Thu, Jun 22, 2017 at 09:47:08PM +0200, Ralph Böhme wrote:
> > On Thu, Jun 22, 2017 at 11:40:55AM -0700, Jeremy Allison wrote:
> > > Found at the plugfest. The Apple MacOS X Sierra SMB2
> > > server has a bug. It only supports NTLMv2 but doesn't
> > > negotiate it in the chal_flags returned to the client.
> > > 
> > > Windows clients work as use NTLMv2 by default and ignore
> > > the negotiate but. Here is a patch that adds a tunable
> > > ntlmssp_client:force ntlmv2 (default off) that allows
> > > smbclient, libsmbclient and associated tools to still
> > > connect to the MacOS X Sierra SMB2 server.
> > > 
> > > I'm ambivilent about this - this is a server bug, but
> > > until they fix it no Samba client tools can connect to
> > > this server without this fix.
> > > 
> > > We get:
> > > 
> > > ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302
> > >   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > > SPNEGO(ntlmssp) login failed: NT code 0x80090302
> > > session setup failed: NT code 0x80090302
> > 
> > works for me against 10.12.5 *without* the patch:
> > 
> > [slow at kazak scratch]$ ./bin/smbclient -msmb3 -U slow //10.10.11.1/slow -c exit
> > Enter SLOW\slow's password: 
> > Domain=[INTI] OS=[unknown] Server=[unknown]
> > [slow at kazak scratch]$ 
> 
> I'm here at the plugfest testing against the
> latest server and a system that claims to be
> Apple MacOS X Sierra. I can't connect without
> the patch to both servers with the error I posted.
> These servers not be what is claimed, but otherwise
> I can't explain it.
> 
> Maybe both are running unreleased code with a bug,
> but there is certainly an issue here, either currently
> or coming soon ! :-).

:)

I'd say if it's a bug in pre-release software we shouldn't ship a fix yet. Let's
wait until the bug hits the street (or they ship a fixed version).

Cheerio!
-slow



More information about the samba-technical mailing list