Bug 12252 - [PATCH] "ntlm_auth --enable-mschapv2" is broken
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Hardware/OS: All / All
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2016-09-10 19:22 UTC by Mantas M.
Modified: 2017-01-03 08:40 UTC

Attachments:
patch (1.26 KB, patch), 2016-09-10 19:22 UTC, Mantas M.
patch halfway-to-v2 (5.50 KB, patch), 2017-01-03 08:40 UTC, Mantas M.

Description Mantas M. 2016-09-10 19:22:59 UTC
Created attachment 12456

As mentioned in the release notes, Samba 4.5.0 disables 'ntlm auth' by default, which breaks MSCHAPv2 auth. I was looking for a way to fix MSCHAPv2 without having to globally re-enable NTLMv1.

Commit 0b500d413c5b76188c0c566318be7079b777237c adds `ntlm_auth --allow-mschapv2` for client-side support for MSV1_0_ALLOW_MSVCHAPV2, but doesn't implement the server side. (It seems this was mainly for authenticating against real Windows servers?)

Attached is my first (working) attempt to implement handling of this flag.
Comment 1 Andrew Bartlett 2017-01-03 05:34:59 UTC
What we need is a variant on this patch that changes 'ntlm auth' into a tri-state parameter, with a new, still off-by-default option of 'mschapv2-only', that will allow NTLM authentication only for those domain member clients that promise they are really providing MSCHAPv2 authentication services.

This should at least allow the other uses of NTLM authentication to be disabled.

To make the option, change:
type="boolean" to
in docs-xml/smbdotconf/security/ntlmauth.xml and then pattern on other enum types in the loadparm code.

The main task actually will be to write a test to confirm we allow/deny the right things in the right cases with the new option.
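A table-driven check of the allow/deny cases that comment 1 asks a test to cover, added here as an illustration; it is not part of the attached patches or of Samba's own test suite. The option values `no`, `yes` and `mschapv2-only`, the `decide()` gate and the sample response bytes are assumptions modelled on the proposal in comment 1 (Samba may spell the final option values differently); the one fact the gate relies on is that an NTLMv1 NT response, which is also what MSCHAPv2 produces, is exactly 24 bytes, while an NTLMv2 response is a 16-byte HMAC-MD5 plus a variable-length blob and so is always longer.

```python
# Added example (not Samba code): the allow/deny matrix a test for the
# proposed tri-state 'ntlm auth' option would have to cover.  The value
# names are assumptions taken from comment 1.
from enum import Enum
from itertools import product


class NtlmAuth(Enum):
    NO = "no"                        # Samba 4.5 default: NTLMv1 responses refused
    YES = "yes"                      # NTLMv1 permitted for every caller (global re-enable)
    MSCHAPV2_ONLY = "mschapv2-only"  # name proposed in comment 1 (assumed spelling)


def response_is_ntlmv1(nt_response: bytes) -> bool:
    """An NTLMv1 NT response (and the NT response MSCHAPv2 produces) is exactly
    24 bytes of DES output.  An NTLMv2 response is a 16-byte HMAC-MD5 followed
    by a variable-length blob, so it is always longer than 24 bytes."""
    return len(nt_response) == 24


def decide(setting: NtlmAuth, nt_response: bytes, allow_mschapv2: bool) -> bool:
    """Return True if winbind should verify this response under `setting`.
    `allow_mschapv2` models the promise a domain member makes with
    `ntlm_auth --allow-mschapv2` (MSV1_0_ALLOW_MSVCHAPV2)."""
    if not response_is_ntlmv1(nt_response):
        return True                  # NTLMv2 is never gated by 'ntlm auth'
    if setting is NtlmAuth.YES:
        return True                  # NTLMv1 for everyone: what the reporter wanted to avoid
    if setting is NtlmAuth.MSCHAPV2_ONLY:
        return allow_mschapv2        # only callers that promise MSCHAPv2
    return False                     # NtlmAuth.NO


# Constructed sample responses: only their lengths matter to the gate.
NTLMV1_RESPONSE = bytes.fromhex("67c43011f30298a2" * 3)                      # 24 bytes
NTLMV2_RESPONSE = bytes(16) + bytes.fromhex("0101000000000000") + bytes(24)  # 16-byte HMAC + blob


def allow_deny_matrix() -> dict:
    """Every combination of setting x response type x client flag."""
    responses = (("ntlmv1", NTLMV1_RESPONSE), ("ntlmv2", NTLMV2_RESPONSE))
    return {
        (setting.value, kind, flag): decide(setting, resp, flag)
        for setting, (kind, resp), flag in product(NtlmAuth, responses, (False, True))
    }


EXPECTED = {
    # (setting, response kind, client asserted --allow-mschapv2): accept?
    ("no", "ntlmv1", False): False,
    ("no", "ntlmv1", True): False,
    ("no", "ntlmv2", False): True,
    ("no", "ntlmv2", True): True,
    ("yes", "ntlmv1", False): True,
    ("yes", "ntlmv1", True): True,
    ("yes", "ntlmv2", False): True,
    ("yes", "ntlmv2", True): True,
    ("mschapv2-only", "ntlmv1", False): False,
    ("mschapv2-only", "ntlmv1", True): True,
    ("mschapv2-only", "ntlmv2", False): True,
    ("mschapv2-only", "ntlmv2", True): True,
}


def matrix_matches_expected() -> bool:
    """The assertion a real test would make: the gate produces exactly EXPECTED."""
    return allow_deny_matrix() == EXPECTED


if __name__ == "__main__":
    for (setting, kind, flag), accepted in sorted(allow_deny_matrix().items()):
        verdict = "allow" if accepted else "deny"
        print(f"ntlm auth = {setting:<14} {kind} allow_mschapv2={flag!s:<5} -> {verdict}")
    print("matrix ok:", matrix_matches_expected())
```

The point of the matrix is the two rows in the middle: with `mschapv2-only`, a plain NTLMv1 response from a caller that did not pass `--allow-mschapv2` is still refused, so the web proxies and other NTLM consumers that only need NTLMv2 stay locked down while a RADIUS server doing MSCHAPv2 keeps working.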
Comment 2 Mantas M. 2017-01-03 08:40:39 UTC
Created attachment 12789
patch halfway-to-v2

Something like this, I assume? (The combinations were manually tested, but I can't quite wrap my head around the Samba testsuite...)