The Samba-Bugzilla – Bug 12252
[PATCH] "ntlm_auth --allow-mschapv2" is broken
Last modified: 2017-02-23 11:04:23 UTC
Created attachment 12456 [details]
As mentioned in the release notes, Samba 4.5.0 disables 'ntlm auth' by default, which breaks MSCHAPv2 auth. I was looking for a way to fix MSCHAPv2 without having to globally re-enable NTLMv1.
Commit 0b500d413c5b76188c0c566318be7079b777237c adds `ntlm_auth --allow-mschapv2` for client-side support for MSV1_0_ALLOW_MSVCHAPV2, but doesn't implement the server side. (It seems this was mainly for authenticating against real Windows servers?)
Attached is my first (working) attempt to implement handling of this flag.
What we need is a variant on this patch that changes 'ntlm auth' into a tri-state parameter, with a new, still off-by-default option of 'mschapv2-only', that will allow NTLM authentication only for those domain member clients that promise they are really providing MSCHAPv2 authentication services.
This should at least allow the other uses of NTLM authentication to be disabled.
To make the option, change:
in docs-xml/smbdotconf/security/ntlmauth.xml and then pattern on other enum types in the loadparm code.
The main task actually will be to write a test to confirm we allow/deny the right things in the right cases with the new option.
Created attachment 12789 [details]
Something like this, I assume? (The combinations were manually tested, but I can't quite wrap my head around the Samba testsuite...)
Yes, with testing this would be the correct approach!
I think it is too much to ask from non samba core developers to dive into our testsuite infrastructure. Andrew: as Mantas provided the patch and already said that he doesn't get through the testsuit, would you want to add a test maybe?