[PATCH] Fix for a bug in MacOS X Sierra NTLMv2 processing.
Andrew Bartlett
abartlet at samba.org
Thu Jun 22 21:03:11 UTC 2017
On Thu, 2017-06-22 at 11:40 -0700, Jeremy Allison via samba-technical
wrote:
> Found at the plugfest. The Apple MacOS X Sierra SMB2
> server has a bug. It only supports NTLMv2 but doesn't
> negotiate it in the chal_flags returned to the client.
>
> Windows clients work as they use NTLMv2 by default and ignore
> the negotiate bit. Here is a patch that adds a tunable
> ntlmssp_client:force ntlmv2 (default off) that allows
> smbclient, libsmbclient and associated tools to still
> connect to the MacOS X Sierra SMB2 server.
>
> I'm ambivalent about this - this is a server bug, but
> until they fix it no Samba client tools can connect to
> this server without this fix.

We can safely force on the NTLM2 flag if we are using NTLMv2 as a
client (which isn't negotiated, it is configured). It is required, so
we don't really gain anything by giving an error vs proceeding: we may
as well force it and see how we go.

> We get:
>
> ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> SPNEGO(ntlmssp) login failed: NT code 0x80090302
> session setup failed: NT code 0x80090302
>
> Should I log a Samba bug? Do we want this patch?

I don't see why we want the option, but we should log the bug and have
a simpler patch to just force it on.

Naturally, get any final patch past metze :-)

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
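
The flag arithmetic in the quoted log and the force-on handling suggested in the reply, as an added illustration (not Samba's code and not the patch under discussion). Flag values are from MS-NLMP; the function names and the required-flag set are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0x00080000u
#define NTLMSSP_NEGOTIATE_128                      0x20000000u

/* MS-NLMP names for the bits set in the logged values. */
static const struct { uint32_t bit; const char *name; } flag_names[] = {
    { 0x00000001u, "NEGOTIATE_UNICODE" },
    { 0x00000004u, "REQUEST_TARGET" },
    { 0x00000200u, "NEGOTIATE_NTLM" },
    { 0x00010000u, "TARGET_TYPE_DOMAIN" },
    { 0x00080000u, "NEGOTIATE_EXTENDED_SESSIONSECURITY" },
    { 0x00800000u, "NEGOTIATE_TARGET_INFO" },
    { 0x02000000u, "NEGOTIATE_VERSION" },
    { 0x20000000u, "NEGOTIATE_128" },
};

/* Hypothetical helper: print known names in `flags`, return unnamed bits. */
static uint32_t print_flags(uint32_t flags)
{
    for (size_t i = 0; i < sizeof(flag_names) / sizeof(flag_names[0]); i++) {
        if (flags & flag_names[i].bit)
            printf("  %s\n", flag_names[i].name);
        flags &= ~flag_names[i].bit;
    }
    return flags;
}

/* Hypothetical check: returns the required bits still absent (0 = proceed).
 * A client configured for NTLMv2 forces the extended-session-security bit
 * on instead of treating its absence as a downgrade; other bits stay enforced. */
static uint32_t check_chal_flags(uint32_t chal, uint32_t required, int client_uses_ntlmv2)
{
    if (client_uses_ntlmv2)
        chal |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY;
    return required & ~chal;
}

int main(void)
{
    const uint32_t chal = 0x22810205u; /* challenge flags from the log */
    /* Constructed requirement set, not Samba's actual one. */
    const uint32_t req = NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128;
    printf("challenge 0x%08x:\n", (unsigned)chal);
    print_flags(chal);
    printf("strict missing: 0x%08x\n", (unsigned)check_chal_flags(chal, req, 0));
    printf("NTLMv2 forced:  0x%08x\n", (unsigned)check_chal_flags(chal, req, 1));
    return 0;
}
```

Forcing only the one bit keeps the downgrade check meaningful: any other required flag the server omits still produces a non-zero missing mask.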