Bug 169 - Plaintext/interactive logon auth inconpatible with NTLMv2 only
Summary: Plaintext/interactive logon auth inconpatible with NTLMv2 only
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Build environment (show other bugs)
Version: 3.0.0
Hardware: Other other
: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact:
Depends on:
Reported: 2003-06-15 06:41 UTC by Andrew Bartlett
Modified: 2005-08-24 10:17 UTC (History)
0 users

See Also:

Fix this for interactive logons (17.47 KB, patch)
2004-03-30 17:26 UTC, Andrew Bartlett
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2003-06-15 06:41:08 UTC
If Samba is configured to only accept NTLMv2 logins, the interactive login (from
the NT Ctrl+Alt+Del) will be rejected.

Likewise, pam_winbind logins to a PDC with just a configuration will be rejected.

This is because we translate this into an LM challenge-response before dealing
with these on the network.

Proposed Solution:
 - always use the *interactive* logon type (secured with schannel if required) 
   when authenticating a suitable login against another DC.
 - compare the plaintext or OWF values of the password directly with the hash
   in the database - don't make a challenge-response of it for 'sam' auth.
 - if we must make a challenge-response, use the client options to decide what 
   type to use.
Comment 1 Andrew Bartlett 2004-03-30 17:26:36 UTC
Created attachment 460 [details]
Fix this for interactive logons

This patch fixes the issue when we are a PDC, but does not fix the issue when
we are passing on logon info to another DC.
Comment 2 Andrew Bartlett 2004-04-03 07:42:11 UTC
The server-side interactive logon part of this bug has been fixed.
Comment 3 Tim Potter 2004-07-22 23:46:46 UTC
This bug is probably fixed by now.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:17:15 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.