Bug 12252 - [PATCH] "ntlm_auth --allow-mschapv2" is broken
Summary: [PATCH] "ntlm_auth --allow-mschapv2" is broken
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.5.5
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2016-09-10 19:22 UTC by Mantas Mikulėnas (grawity)
Modified: 2017-07-04 11:46 UTC (History)
4 users (show)

See Also:

patch (1.26 KB, patch)
2016-09-10 19:22 UTC, Mantas Mikulėnas (grawity)
no flags Details
patch halfway-to-v2 (5.50 KB, patch)
2017-01-03 08:40 UTC, Mantas Mikulėnas (grawity)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mantas Mikulėnas (grawity) 2016-09-10 19:22:59 UTC
Created attachment 12456 [details]

As mentioned in the release notes, Samba 4.5.0 disables 'ntlm auth' by default, which breaks MSCHAPv2 auth. I was looking for a way to fix MSCHAPv2 without having to globally re-enable NTLMv1.

Commit 0b500d413c5b76188c0c566318be7079b777237c adds `ntlm_auth --allow-mschapv2` for client-side support for MSV1_0_ALLOW_MSVCHAPV2, but doesn't implement the server side. (It seems this was mainly for authenticating against real Windows servers?)

Attached is my first (working) attempt to implement handling of this flag.
Comment 1 Andrew Bartlett 2017-01-03 05:34:59 UTC
What we need is a variant on this patch that changes 'ntlm auth' into a tri-state parameter, with a new, still off-by-default option of 'mschapv2-only', that will allow NTLM authentication only for those domain member clients that promise they are really providing MSCHAPv2 authentication services.

This should at least allow the other uses of NTLM authentication to be disabled.

To make the option, change:
type="boolean" to
in docs-xml/smbdotconf/security/ntlmauth.xml and then pattern on other enum types in the loadparm code.

The main task actually will be to write a test to confirm we allow/deny the right things in the right cases with the new option.
Comment 2 Mantas Mikulėnas (grawity) 2017-01-03 08:40:39 UTC
Created attachment 12789 [details]
patch halfway-to-v2

Something like this, I assume? (The combinations were manually tested, but I can't quite wrap my head around the Samba testsuite...)
Comment 3 Andrew Bartlett 2017-01-30 02:31:03 UTC
Yes, with testing this would be the correct approach!
Comment 4 Björn Jacke 2017-02-23 11:04:23 UTC
I think it is too much to ask from non samba core developers to dive into our testsuite infrastructure. Andrew: as Mantas provided the patch and already said that he doesn't get through the testsuit, would you want to add a test maybe?
Comment 5 Andrew Bartlett 2017-06-28 09:53:45 UTC
This should be easier now we have tests demonstrating how to operate SamLogonEx from python.
Comment 6 Andrew Bartlett 2017-07-04 11:44:57 UTC
Fixed by 0623a21250b9c0f5152a003078a4bc4428a284c2 in master for 4.7!

Thanks for the patch and for your persistence on this.
Comment 7 Andrew Bartlett 2017-07-04 11:46:52 UTC
Sorry, the commit in master is d139d77ae3dbc490525ac94f46276d790bc2d879.