Fwd: [PATCH 1/7] cifs: Bypass windows extended security for ntlmv2 negotiate
Andrew Bartlett
abartlet at samba.org
Thu Aug 21 20:32:22 MDT 2014
On Wed, 2014-08-20 at 23:51 -0500, Steve French wrote:
> This is an unusual sounding issue. Any comments on this from the auth experts?
>
> Seems better to investigate this more if we end up enforcing a "must
> be within 5 minutes" threshold instead of this patch. Have we done a
> dochelp on this before?

I am certainly nervous about this patch, as I've not ever seen this
before. The thing that makes me feel particularly odd about this is
that: In general, NTLMSSP clients don't have the server's time, and
certainly don't have the domain controller's time. (That CIFS provides
this does not mean we should use it; NTLMSSP is a general protocol and
adding CIFS-specific hacks indicates we are understanding it wrong, in
my experience).

BTW, the domain controller is the only element here that could check the
embedded time, but I'll grant that typically servers are better in sync
with each other than this embedded device might be.

The 5 mins stuff probably refers to Kerberos, which does have such a
time limit. I've never seen NTLMSSP fail against Windows due to clock
skew.

I would like to see much more investigation here before this is done,
because if you just trust the server's time and if you need to, to pass
a security check, you override that check. We need to understand why it
is in place.

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba