Bug 169 - Plaintext/interactive logon auth incompatible with NTLMv2 only
Summary: Plaintext/interactive logon auth incompatible with NTLMv2 only
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Build environment
Version: 3.0.0
Hardware: Other other
: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-06-15 06:41 UTC by Andrew Bartlett
Modified: 2005-08-24 10:17 UTC
0 users

See Also:


Attachments
Fix this for interactive logons (17.47 KB, patch)
2004-03-30 17:26 UTC, Andrew Bartlett
no flags

Description Andrew Bartlett 2003-06-15 06:41:08 UTC
If Samba is configured to only accept NTLMv2 logins, the interactive login (from
the NT Ctrl+Alt+Del) will be rejected.

Likewise, pam_winbind logins to a PDC with just a configuration will be rejected.

This is because we translate this into an LM challenge-response before dealing
with these on the network.

Proposed Solution:
 - always use the *interactive* logon type (secured with schannel if required) 
   when authenticating a suitable login against another DC.
 - compare the plaintext or OWF values of the password directly with the hash
   in the database - don't make a challenge-response of it for 'sam' auth.
 - if we must make a challenge-response, use the client options to decide what 
   type to use.
Comment 1 Andrew Bartlett 2004-03-30 17:26:36 UTC
Created attachment 460
Fix this for interactive logons

This patch fixes the issue when we are a PDC, but does not fix the issue when
we are passing on logon info to another DC.
Comment 2 Andrew Bartlett 2004-04-03 07:42:11 UTC
The server-side interactive logon part of this bug has been fixed.
Comment 3 Tim Potter 2004-07-22 23:46:46 UTC
This bug is probably fixed by now.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:17:15 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.