Bug 359 - NTLMv2 behaviour does not match windows
Summary: NTLMv2 behaviour does not match windows
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: smbclient
Version: 3.0.0preX
Hardware: Other other
Importance: P1 critical
Target Milestone: 3.0.0rc3
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL: http://davenport.sf.net/ntlm.html
Depends on:
Blocks: 367
Reported: 2003-08-27 15:37 UTC by Andrew Bartlett
Modified: 2005-08-24 10:15 UTC

Proposed fix, implements NTLM2, and key exchange. (7.89 KB, patch)
2003-09-06 00:35 UTC, Andrew Bartlett

Description Andrew Bartlett 2003-08-27 15:37:20 UTC
Our current NTLMv2 behaviour is badly broken - the 'autodetection' does no such
thing, and in the default code paths, we fail to connect to a number of
different servers:

In particular, we cannot connect to a system that is not running Win2k/Samba 3.0
that has a DC requiring NTLMv2.  We also cannot contact a system running
Win2k/Samba 3.0 that has a DC that cannot understand NTLMv2.

There is *NO* correlation between extended security status and NTLMv2 support.
Win2k does not use this in determining if it should use NTLMv2 - that is an
explicit configuration option.

What may be negotiated are things like NTLMSSP, which has a number of
sub-protocol options, described in http://davenport.sf.net/ntlm.html that should
satisfy any 'require NTLMv2 session security' requirement that a DC may have,
without the need to explicitly configure NTLMv2.  (It uses what I call NTLM2,
after the flag that negotiates it, and is compatible with older PDCs).
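
Added example, not part of the original bug report or of Samba's code: reading the flags and server challenge from an NTLMSSP Type 2 (challenge) message, listing the options both sides set, and deriving the two inputs of the NTLM2 session response (the LM field carrying the client nonce, and the 8-byte session hash), following the NTLMSSP description at the URL linked above. The flag names, function names and sample bytes are constructed for illustration; the final DES step that turns the session hash into the NT response is outside this example.

```python
import hashlib
import struct

# NTLMSSP negotiate flag bits; the short names are this example's own labels.
FLAGS = {
    0x00000001: "UNICODE",
    0x00000200: "NTLM",
    0x00080000: "NTLM2",      # NTLM2 session security
    0x20000000: "128BIT",
    0x40000000: "KEY_EXCH",   # session key exchange
}
NTLM2 = 0x00080000

def parse_challenge(msg):
    """Return (flags, server_challenge) from an NTLMSSP Type 2 message."""
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("not a Type 2 (challenge) message")
    flags, = struct.unpack_from("<I", msg, 20)   # flags follow the target-name buffer
    return flags, msg[24:32]

def negotiated(client_flags, server_flags):
    """Names of the options set by both sides, sorted."""
    common = client_flags & server_flags
    return sorted(name for bit, name in FLAGS.items() if common & bit)

def ntlm2_session_inputs(server_challenge, client_nonce):
    """LM-response field and session hash used when NTLM2 is negotiated."""
    if len(server_challenge) != 8 or len(client_nonce) != 8:
        raise ValueError("challenge and nonce must be 8 bytes each")
    lm_field = client_nonce + b"\x00" * 16       # nonce padded to 24 bytes
    session_hash = hashlib.md5(server_challenge + client_nonce).digest()[:8]
    return lm_field, session_hash

# Constructed sample: Type 2 header, empty target name, flags, challenge.
SERVER_FLAGS = 0x00000001 | 0x00000200 | 0x00080000 | 0x20000000 | 0x40000000
SAMPLE_TYPE2 = (b"NTLMSSP\x00" + struct.pack("<I", 2)
                + struct.pack("<HHI", 0, 0, 32)
                + struct.pack("<I", SERVER_FLAGS)
                + bytes.fromhex("0123456789abcdef"))
CLIENT_FLAGS = 0x00000001 | 0x00000200 | 0x00080000 | 0x40000000

if __name__ == "__main__":
    flags, challenge = parse_challenge(SAMPLE_TYPE2)
    print(negotiated(CLIENT_FLAGS, flags))
    if flags & CLIENT_FLAGS & NTLM2:
        lm, session_hash = ntlm2_session_inputs(challenge, bytes(range(8)))
        print(lm.hex(), session_hash.hex())
```
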
Comment 1 Andrew Bartlett 2003-08-29 18:20:19 UTC
Furthermore, the current 'client ntlmv2 = yes' disables share-level logins, 
because the parameter's documented meaning is to disable LANMAN and Plaintext
authentication (which is what share-level security uses).
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-09-02 07:24:56 UTC
Also refer to the thread starting here:

Comment 3 Andrew Bartlett 2003-09-06 00:35:32 UTC
Created attachment 126
Proposed fix, implements NTLM2, and key exchange.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-09-06 12:17:40 UTC
patch applied.  

  * Domain joins from nt4sp6a/2ksp4/xpsp1
    all work.  
  * Browsing to trusted servers and browsing 
    from trusted servers works ok.  
  * domain joins to mixed mode domain ok.
  * winbind enumerates users/groups ok.

I think we're ready for RC3.  Thanks Andrew.
Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:05:50 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:15:53 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.