[PATCH] Fix for a bug in MacOS X Sierra NTLMv2 processing.

Andrew Bartlett abartlet at samba.org
Thu Jun 22 21:03:11 UTC 2017

On Thu, 2017-06-22 at 11:40 -0700, Jeremy Allison via samba-technical
> Found at the plugfest. The Apple MacOS X Sierra SMB2
> server has a bug. It only supports NTLMv2 but doesn't
> negotiate it in the chal_flags returned to the client.
> Windows clients work as use NTLMv2 by default and ignore
> the negotiate but. Here is a patch that adds a tunable
> ntlmssp_client:force ntlmv2 (default off) that allows
> smbclient, libsmbclient and associated tools to still
> connect to the MacOS X Sierra SMB2 server.
> I'm ambivilent about this - this is a server bug, but
> until they fix it no Samba client tools can connect to
> this server without this fix.

We can safely force on the NTLM2 flag if we are using NTLMv2 as a
client (which isn't negotiated, it is configured).  It is required, so
we don't really gain anything by giving an error vs proceeding: we may
as well force it and see how we go.

> We get:
> ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302
> SPNEGO(ntlmssp) login failed: NT code 0x80090302
> session setup failed: NT code 0x80090302
> Should I log a Samba bug ? Do we want this patch ?

I don't see why we want the option, but we should log the bug and have
a simpler patch to just force it on.

Naturally, get any final patch past metze :-)

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list