If Samba is configured to only accept NTLMv2 logins, the interactive login (from
the NT Ctrl+Alt+Del) will be rejected.
Likewise, pam_winbind logins to a PDC with just a configuration will be rejected.
This is because we translate this into an LM challenge-response before dealing
with these on the network.
- always use the *interactive* logon type (secured with schannel if required)
when authenticating a suitable login against another DC.
- compare the plaintext or OWF values of the password directly with the hash
in the database - don't make a challenge-response of it for 'sam' auth.
- if we must make a challenge-response, use the client options to decide what
type to use.
Created attachment 460 [details]
Fix this for interactive logons
This patch fixes the issue when we are a PDC, but does not fix the issue when
we are passing on logon info to another DC.
The server-side interactive logon part of this bug has been fixed.
This bug is probably fixed by now.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.