Bug 442 - NTLMv2 support fixes are broken
Summary: NTLMv2 support fixes are broken
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.0preX
Hardware: Other other
Importance: P1 critical
Target Milestone: none
Assignee: Andrew Bartlett
Duplicates: 367 467
Reported: 2003-09-12 02:53 UTC by Alexander Bokovoy
Modified: 2005-08-24 10:24 UTC

Attachments
Always negotiate to 'sign' in NTLMSSP for SMB connections. (792 bytes, patch)
2003-09-12 19:24 UTC, Andrew Bartlett
Description Alexander Bokovoy 2003-09-12 02:53:47 UTC
NTLMv2 patch which went into SAMBA_3_0 on September 6th influences mixed mode
domain join resulting in inability to join Samba 3.0 to it.

During 'net rpc join' we try both variants of join -- the old one and the new
one -- and both fail: one with NT_STATUS_NO_SAM_ACCOUNT and another is with
NT_STATUS_WRONG_PASSWORD in an attempt to change password for newly created
machine account.

When I remove this patch and set 
 client ntlmv2 auth = False
join happens successfully. 

Native mode and NT4 domain joins work with and without this patch. It is only
mixed mode W2K join that fails.
Comment 1 Andrew Bartlett 2003-09-12 05:12:12 UTC
This looks like the result of incorrect 'sealing' of the proposed password in the
join process.  I suspect we are using the 'incorrect' session key, and I'm
investigating what the correct one would be.  
Comment 2 Andrew Bartlett 2003-09-12 19:19:32 UTC
This looks like an NTLMSSP issue, rather than an NTLMv2 issue.  I have a patch
that seems to resolve the situation, and as a bonus appears to match the win2k
traces I have.
Comment 3 Andrew Bartlett 2003-09-12 19:24:00 UTC
Created attachment 139
Always negotiate to 'sign' in NTLMSSP for SMB connections.

This patch matches the win2k negotiation flags by always negotiating to sign. 
This seems to 'open up' the session key for use.
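
For checking a capture against the negotiation flags comment 3 refers to, here is a small decoder for the flags field of an NTLMSSP NEGOTIATE (type 1) token. It is an added example, not the attached patch and not Samba code; it assumes the 'sign' flag meant is NTLMSSP_NEGOTIATE_SIGN (0x00000010), and both sample tokens are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* NegotiateFlags bit for message signing, as defined for NTLMSSP (MS-NLMP). */
#define NTLMSSP_NEGOTIATE_SIGN 0x00000010u

/* Read a little-endian 32-bit field independent of host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Extract NegotiateFlags from a type 1 (NEGOTIATE) token.
 * Returns 0 on success, -1 if the token is too short, lacks the
 * "NTLMSSP\0" signature, or is not message type 1. */
int ntlmssp_negotiate_flags(const uint8_t *buf, size_t len, uint32_t *flags)
{
    if (buf == NULL || flags == NULL || len < 16)
        return -1;                  /* need signature + type + flags */
    if (memcmp(buf, "NTLMSSP\0", 8) != 0 || le32(buf + 8) != 1)
        return -1;
    *flags = le32(buf + 12);        /* flags follow the message type */
    return 0;
}

/* 1 if signing was requested, 0 if not, -1 for a malformed token. */
int ntlmssp_requests_sign(const uint8_t *buf, size_t len)
{
    uint32_t flags;
    if (ntlmssp_negotiate_flags(buf, len, &flags) != 0)
        return -1;
    return (flags & NTLMSSP_NEGOTIATE_SIGN) ? 1 : 0;
}

/* Constructed samples: first 16 bytes of a type 1 token, not real captures. */
static const uint8_t sample_no_sign[16] = {
    'N','T','L','M','S','S','P',0, 1,0,0,0, 0x05,0x02,0x08,0x00 };
static const uint8_t sample_sign[16] = {
    'N','T','L','M','S','S','P',0, 1,0,0,0, 0x15,0x02,0x08,0x00 };

int main(void)
{
    printf("no sign: %d\n", ntlmssp_requests_sign(sample_no_sign, sizeof sample_no_sign));
    printf("sign:    %d\n", ntlmssp_requests_sign(sample_sign, sizeof sample_sign));
    return 0;
}
```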
Comment 4 Jeremy Allison 2003-09-15 17:23:39 UTC
Ok, I've done testing on this and it definitely
fixes the problem of joining mixed-mode domains.
The problem is what effect it will have elsewhere....

Hmmmm. Andrew, can you comment ?

Jeremy.
Comment 5 Jeremy Allison 2003-09-15 18:29:54 UTC
Applied a similar version of this patch.
Should be fixed. Needs testing !

Jeremy.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2003-09-20 10:02:16 UTC
*** Bug 367 has been marked as a duplicate of this bug. ***
Comment 7 Gerald (Jerry) Carter (dead mail address) 2003-09-20 10:02:37 UTC
*** Bug 467 has been marked as a duplicate of this bug. ***
Comment 8 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:05:27 UTC
Originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:24:28 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.