[PATCH] Fix for a bug in MacOS X Sierra NTLMv2 processing.

Alexander Bokovoy ab at samba.org
Thu Jun 22 20:37:04 UTC 2017


On Thu, 22 Jun 2017, Jeremy Allison via samba-technical wrote:
> On Thu, Jun 22, 2017 at 09:47:08PM +0200, Ralph Böhme wrote:
> > On Thu, Jun 22, 2017 at 11:40:55AM -0700, Jeremy Allison wrote:
> > > Found at the plugfest. The Apple MacOS X Sierra SMB2
> > > server has a bug. It only supports NTLMv2 but doesn't
> > > negotiate it in the chal_flags returned to the client.
> > > 
> > > Windows clients work as they use NTLMv2 by default and ignore
> > > the negotiate bit. Here is a patch that adds a tunable
> > > ntlmssp_client:force ntlmv2 (default off) that allows
> > > smbclient, libsmbclient and associated tools to still
> > > connect to the MacOS X Sierra SMB2 server.
> > > 
> > > I'm ambivalent about this - this is a server bug, but
> > > until they fix it no Samba client tools can connect to
> > > this server without this fix.
> > > 
> > > We get:
> > > 
> > > ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302
> > >   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > > SPNEGO(ntlmssp) login failed: NT code 0x80090302
> > > session setup failed: NT code 0x80090302
> > 
> > works for me against 10.12.5 *without* the patch:
> > 
> > [slow at kazak scratch]$ ./bin/smbclient -msmb3 -U slow //10.10.11.1/slow -c exit
> > Enter SLOW\slow's password: 
> > Domain=[INTI] OS=[unknown] Server=[unknown]
> > [slow at kazak scratch]$ 
> 
> I'm here at the plugfest testing against the
> latest server and a system that claims to be
> Apple MacOS X Sierra. I can't connect without
> the patch to both servers with the error I posted.
> These servers may not be what is claimed, but otherwise
> I can't explain it.

On June 6th there was a developer release of a new macOS build. I guess we
are talking about it. I have it installed at home but it is offline
right now so no chance to test this week.

-- 
/ Alexander Bokovoy
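
Added example, not part of the thread or of Samba's code: a small Python triage helper that decodes the challenge flags and missing_flags from the ntlmssp_handle_neg_flags log line quoted above. The flag names and values are a subset taken from MS-NLMP; the function names and the result keys are made up for this illustration.

```python
import re

# Subset of NEGOTIATE flag bits as defined in MS-NLMP.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000080: "NTLMSSP_NEGOTIATE_LM_KEY",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# Matches the "Got challenge flags[...] ... missing_flags[...]" log line.
LOG_RE = re.compile(
    r"challenge flags\[0x([0-9a-fA-F]+)\].*?missing_flags\[0x([0-9a-fA-F]+)\]")

def decode_flags(value):
    """Return the names of all set bits, lowest bit first."""
    return [NTLMSSP_FLAGS.get(1 << b, "UNKNOWN_0x%08x" % (1 << b))
            for b in range(32) if value & (1 << b)]

def triage(line):
    """Decode one log line; return None if it is not a neg_flags line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    challenge, missing = int(m.group(1), 16), int(m.group(2), 16)
    return {
        "challenge": decode_flags(challenge),
        "missing": decode_flags(missing),
        # A flag reported as missing must not be set in the challenge.
        "consistent": (challenge & missing) == 0,
    }

# Log line copied from the message above.
SAMPLE = ("ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - "
          "possible downgrade detected! missing_flags[0x00080000] - "
          "NT code 0x80090302")

if __name__ == "__main__":
    print(triage(SAMPLE))
```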


