Bug 10531 - NTLMv2 reports NT_STATUS_INVALID_PARAMETER
Summary: NTLMv2 reports NT_STATUS_INVALID_PARAMETER
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.1.6
Hardware: x64 Linux
: P5 trivial (vote)
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-01 11:28 UTC by Julien BALLET
Modified: 2017-06-29 06:45 UTC (History)
2 users (show)

See Also:

Attachments
Trace of failing NTLMv auth (1.21 KB, application/octet-stream)
2014-04-02 12:23 UTC, Julien BALLET 		no flags Details
Replaced NTLMv2 by LMv2 (1.67 KB, application/octet-stream)
2014-04-02 12:25 UTC, Julien BALLET 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Julien BALLET 2014-04-01 11:28:30 UTC 
Hi,

I'm writing a small smb library with very a very little feature-set. I'm sometimes using smbclient as a reference. I've been working over the last few days on having a working NTLM2 implementation in my client.

I've noticed that smbclient authentication fails with NT_STATUS_INVALID_PARAMETER as a reply to the Setup AndX Command when i try to authenticate on a Win7 box/
I'm using the following configuration for smbclient :

[global]
client NTLMv2 auth = yes
client signing = disabled # Useless i guess
client use spnego = false

It's worth mentioning that without this idiotic configuration smbclient works perfectly, so this is not really a bug report.

 
But since i was wanting to have a way to authenticate on Win7 without having to support GSSAPI/SPNEGO/Extended security i've been experimenting a little bit and found a way to make it work. Long story short, Win7 seems to refuse the old way of providing NTLM2 Response, but it accepts without any problem a LM2 response in the ANSI Password field provided you leave the Unicode Password field empty.

I'm creating this ticket, in the unlikely occurence that you weren't aware of that, as a smb quirk documentation contribution. Please excuse me for the loss of time if this is already known by the Samba team or if there's no point in supporting this (likely).

Btw, i can provide you the network trace if you want to.
Comment 1 Jeremy Allison 2014-04-02 00:16:41 UTC 
Yes, a network trace of it failing to connect and then connecting with your change would be most interesting.

Cheers,

Jeremy.
Comment 2 Julien BALLET 2014-04-02 12:23:06 UTC 
Created attachment 9824 [details]
Trace of failing NTLMv auth

Produced with: 

$> smbclient -s ref/smb_ntlmv2.conf -m NT1 -U 'CERBERE\BDSM' '\\CERBERE\Test' qweasd42

With smb_ntlmv2.conf being :
[global]
client NTLMv2 auth = yes
client signing = disabled
client use spnego = false
Comment 3 Julien BALLET 2014-04-02 12:25:22 UTC 
Created attachment 9825 [details]
Replaced NTLMv2 by LMv2

On my simple toy implementation, i've removed NTLMv2 hash and replaced it by a LM2 Hash, as described here: http://ubiqx.org/cifs/SMB.html, in the ANSI Password field.
Comment 4 Andrew Bartlett 2017-06-27 18:34:29 UTC 
Samba will now do the samba unless you set 'raw ntlmv2 auth = yes' for security reasons (provides some support preventing response hash forwarding). 

Thanks for the hint on LMv2, this odd little sub-protocol is often forgotten. 

I don't think we will be going there however, we really need bare NTLM to die :-)