[PATCH] Fix for a bug in MacOS X Sierra NTLMv2 processing.

Jeremy Allison jra at samba.org
Thu Jun 22 21:06:16 UTC 2017

On Fri, Jun 23, 2017 at 09:03:11AM +1200, Andrew Bartlett wrote:
> On Thu, 2017-06-22 at 11:40 -0700, Jeremy Allison via samba-technical
> wrote:
> > Found at the plugfest. The Apple MacOS X Sierra SMB2
> > server has a bug. It only supports NTLMv2 but doesn't
> > negotiate it in the chal_flags returned to the client.
> > 
> > Windows clients work as use NTLMv2 by default and ignore
> > the negotiate but. Here is a patch that adds a tunable
> > ntlmssp_client:force ntlmv2 (default off) that allows
> > smbclient, libsmbclient and associated tools to still
> > connect to the MacOS X Sierra SMB2 server.
> > 
> > I'm ambivilent about this - this is a server bug, but
> > until they fix it no Samba client tools can connect to
> > this server without this fix.
> We can safely force on the NTLM2 flag if we are using NTLMv2 as a
> client (which isn't negotiated, it is configured).  It is required, so
> we don't really gain anything by giving an error vs proceeding: we may
> as well force it and see how we go.

This is also how Windows clients behave.

> > ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302
> > SPNEGO(ntlmssp) login failed: NT code 0x80090302
> > session setup failed: NT code 0x80090302
> > 
> > Should I log a Samba bug ? Do we want this patch ?
> I don't see why we want the option, but we should log the bug and have
> a simpler patch to just force it on.
> Naturally, get any final patch past metze :-)

Yeah, we could remove the:

+                                       "ntlmssp_client",
+                                       "force ntlmv2",
+                                       false)) {

part and just force it on if ntlmssp_state->use_ntlmv2
is true.

Metze, comments ?

More information about the samba-technical mailing list