Hi, I'm writing a small smb library with very a very little feature-set. I'm sometimes using smbclient as a reference. I've been working over the last few days on having a working NTLM2 implementation in my client. I've noticed that smbclient authentication fails with NT_STATUS_INVALID_PARAMETER as a reply to the Setup AndX Command when i try to authenticate on a Win7 box/ I'm using the following configuration for smbclient : [global] client NTLMv2 auth = yes client signing = disabled # Useless i guess client use spnego = false It's worth mentioning that without this idiotic configuration smbclient works perfectly, so this is not really a bug report. But since i was wanting to have a way to authenticate on Win7 without having to support GSSAPI/SPNEGO/Extended security i've been experimenting a little bit and found a way to make it work. Long story short, Win7 seems to refuse the old way of providing NTLM2 Response, but it accepts without any problem a LM2 response in the ANSI Password field provided you leave the Unicode Password field empty. I'm creating this ticket, in the unlikely occurence that you weren't aware of that, as a smb quirk documentation contribution. Please excuse me for the loss of time if this is already known by the Samba team or if there's no point in supporting this (likely). Btw, i can provide you the network trace if you want to.
Yes, a network trace of it failing to connect and then connecting with your change would be most interesting. Cheers, Jeremy.
Created attachment 9824 [details] Trace of failing NTLMv auth Produced with: $> smbclient -s ref/smb_ntlmv2.conf -m NT1 -U 'CERBERE\BDSM' '\\CERBERE\Test' qweasd42 With smb_ntlmv2.conf being : [global] client NTLMv2 auth = yes client signing = disabled client use spnego = false
Created attachment 9825 [details] Replaced NTLMv2 by LMv2 On my simple toy implementation, i've removed NTLMv2 hash and replaced it by a LM2 Hash, as described here: http://ubiqx.org/cifs/SMB.html, in the ANSI Password field.
Samba will now do the samba unless you set 'raw ntlmv2 auth = yes' for security reasons (provides some support preventing response hash forwarding). Thanks for the hint on LMv2, this odd little sub-protocol is often forgotten. I don't think we will be going there however, we really need bare NTLM to die :-)