Bug 12252 - [PATCH] "ntlm_auth --allow-mschapv2" is broken
[PATCH] "ntlm_auth --allow-mschapv2" is broken
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.5.5
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-09-10 19:22 UTC by Mantas M.
Modified: 2017-02-23 11:04 UTC (History)
4 users (show)

See Also:


Attachments
patch (1.26 KB, patch)
2016-09-10 19:22 UTC, Mantas M.
no flags Details
patch halfway-to-v2 (5.50 KB, patch)
2017-01-03 08:40 UTC, Mantas M.
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mantas M. 2016-09-10 19:22:59 UTC
Created attachment 12456 [details]
patch

As mentioned in the release notes, Samba 4.5.0 disables 'ntlm auth' by default, which breaks MSCHAPv2 auth. I was looking for a way to fix MSCHAPv2 without having to globally re-enable NTLMv1.

Commit 0b500d413c5b76188c0c566318be7079b777237c adds `ntlm_auth --allow-mschapv2` for client-side support for MSV1_0_ALLOW_MSVCHAPV2, but doesn't implement the server side. (It seems this was mainly for authenticating against real Windows servers?)

Attached is my first (working) attempt to implement handling of this flag.
Comment 1 Andrew Bartlett 2017-01-03 05:34:59 UTC
What we need is a variant on this patch that changes 'ntlm auth' into a tri-state parameter, with a new, still off-by-default option of 'mschapv2-only', that will allow NTLM authentication only for those domain member clients that promise they are really providing MSCHAPv2 authentication services.

This should at least allow the other uses of NTLM authentication to be disabled.

To make the option, change:
type="boolean" to
type="enum"
in docs-xml/smbdotconf/security/ntlmauth.xml and then pattern on other enum types in the loadparm code.

The main task actually will be to write a test to confirm we allow/deny the right things in the right cases with the new option.
Comment 2 Mantas M. 2017-01-03 08:40:39 UTC
Created attachment 12789 [details]
patch halfway-to-v2

Something like this, I assume? (The combinations were manually tested, but I can't quite wrap my head around the Samba testsuite...)
Comment 3 Andrew Bartlett 2017-01-30 02:31:03 UTC
Yes, with testing this would be the correct approach!
Comment 4 Björn Jacke 2017-02-23 11:04:23 UTC
I think it is too much to ask from non samba core developers to dive into our testsuite infrastructure. Andrew: as Mantas provided the patch and already said that he doesn't get through the testsuit, would you want to add a test maybe?