[PATCH] Fix for a bug in MacOS X Sierra NTLMv2 processing.
Jeremy Allison
jra at samba.org
Thu Jun 22 21:06:16 UTC 2017
On Fri, Jun 23, 2017 at 09:03:11AM +1200, Andrew Bartlett wrote:
> On Thu, 2017-06-22 at 11:40 -0700, Jeremy Allison via samba-technical
> wrote:
> > Found at the plugfest. The Apple MacOS X Sierra SMB2
> > server has a bug. It only supports NTLMv2 but doesn't
> > negotiate it in the chal_flags returned to the client.
> >
> > Windows clients work as they use NTLMv2 by default and ignore
> > the negotiate bit. Here is a patch that adds a tunable
> > ntlmssp_client:force ntlmv2 (default off) that allows
> > smbclient, libsmbclient and associated tools to still
> > connect to the MacOS X Sierra SMB2 server.
> >
> > I'm ambivalent about this - this is a server bug, but
> > until they fix it no Samba client tools can connect to
> > this server without this fix.
>
> We can safely force on the NTLM2 flag if we are using NTLMv2 as a
> client (which isn't negotiated, it is configured). It is required, so
> we don't really gain anything by giving an error vs proceeding: we may
> as well force it and see how we go.
This is also how Windows clients behave.
> > ntlmssp_handle_neg_flags: Got challenge flags[0x22810205] - possible downgrade detected! missing_flags[0x00080000] - NT code 0x80090302
> > NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> > SPNEGO(ntlmssp) login failed: NT code 0x80090302
> > session setup failed: NT code 0x80090302
> >
> > Should I log a Samba bug ? Do we want this patch ?
>
> I don't see why we want the option, but we should log the bug and have
> a simpler patch to just force it on.
>
> Naturally, get any final patch past metze :-)
Yeah, we could remove the:
gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client",
+ "force ntlmv2",
+ false)) {
part and just force it on if ntlmssp_state->use_ntlmv2
is true.
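Review bot: in the quoted condition, the gensec_setting_bool(..., "ntlmssp_client", "force ntlmv2", false) term is the only thing that keeps the override opt-in, so if it is dropped as proposed, the remaining test on ntlmssp_state->use_ntlmv2 should tolerate only the missing NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY bit (missing_flags[0x00080000] in the log above) and leave every other missing required flag failing as a possible downgrade. A debug message at the point where the flag is forced on would also make interop with such servers easier to diagnose.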
Metze, comments ?
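An added illustration of the check discussed in this thread (not Samba's code and not the patch under review): it computes the missing flags for the challenge value in the log above, first strictly and then with the extended-session-security bit forced on for a client configured for NTLMv2. `struct client_state`, `handle_challenge_flags`, `tolerate_missing_ess` and the chosen `required_flags` set are hypothetical; the flag values are those defined in MS-NLMP.

```c
/* Added illustration, not Samba source. Flag values are from MS-NLMP. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY 0x00080000u
#define NTLMSSP_NEGOTIATE_128                      0x20000000u

/* Hypothetical stand-in for the client state discussed in the thread. */
struct client_state {
    bool use_ntlmv2;         /* configured, not negotiated */
    uint32_t required_flags; /* constructed: flags the client insists on */
    uint32_t neg_flags;      /* flags in effect once the challenge is accepted */
};

/*
 * Returns the required flags still missing from the challenge (0 means
 * proceed). With tolerate_missing_ess set, a client configured for NTLMv2
 * forces the extended-session-security bit on instead of treating its
 * absence as a downgrade. Any other missing flag still fails.
 */
uint32_t handle_challenge_flags(struct client_state *st, uint32_t chal_flags,
                                bool tolerate_missing_ess)
{
    uint32_t missing = st->required_flags & ~chal_flags;

    if (tolerate_missing_ess && st->use_ntlmv2 &&
        (missing & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)) {
        chal_flags |= NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY;
        missing &= ~NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY;
    }
    if (missing == 0) {
        st->neg_flags = chal_flags;
    }
    return missing;
}

int main(void)
{
    struct client_state st = { true,
        NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128, 0 };
    uint32_t chal = 0x22810205u; /* challenge flags from the log above */
    uint32_t strict = handle_challenge_flags(&st, chal, false);
    uint32_t tolerant = handle_challenge_flags(&st, chal, true);

    printf("strict:   missing=0x%08x\n", (unsigned)strict);
    printf("tolerant: missing=0x%08x neg=0x%08x\n", (unsigned)tolerant, (unsigned)st.neg_flags);
    return 0;
}
```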