The Samba-Bugzilla – Bug 442
NTLMv2 support fixes are broken
Last modified: 2005-08-24 10:24:28 UTC
The NTLMv2 patch which went into SAMBA_3_0 on September 6th influences mixed mode
domain join, resulting in an inability to join Samba 3.0 to it.
During 'net rpc join' we try both variants of join -- the old one and the new
one -- and both fail: one with NT_STATUS_NO_SAM_ACCOUNT and the other with
NT_STATUS_WRONG_PASSWORD in an attempt to change password for newly created
When I remove this patch and set
client ntlmv2 auth = False
join happens successfully.
Native mode and NT4 domain joins work with and without this patch. It is only
mixed mode W2K join that fails.
This looks like the result of incorrect 'sealing' of the proposed password in the
join process. I suspect we are using the 'incorrect' session key, and I'm
investigating what the correct one would be.
This looks like an NTLMSSP issue, rather than an NTLMv2 issue. I have a patch
that seems to resolve the situation, and as a bonus appears to match the win2k
traces I have.
Created attachment 139
Always negotiate to 'sign' in NTLMSSP for SMB connections.
This patch matches the win2k negotiation flags by always negotiating to sign.
This seems to 'open up' the session key for use.
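Added example, not part of the bug report and not Samba's code: a check, for use when reading a captured trace, of whether an NTLMSSP NEGOTIATE (type 1) message asks for signing. The flag values are the standard NTLMSSP ones; the two sample messages are constructed, and which exact flag attachment 139 sets is not shown on this page, so the first sample sets only "always sign" to show that it is a different bit from "sign".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits as defined for NTLMSSP NegotiateFlags (MS-NLMP). */
#define NTLMSSP_NEGOTIATE_SIGN        0x00000010u
#define NTLMSSP_NEGOTIATE_ALWAYS_SIGN 0x00008000u

/* Constructed type 1 messages: signature, type, flags (little-endian).
 * sample_no_sign sets ALWAYS_SIGN but not SIGN; sample_sign sets both. */
static const uint8_t sample_no_sign[16] = {
    'N','T','L','M','S','S','P',0, 1,0,0,0, 0x05,0x82,0x00,0x00 };
static const uint8_t sample_sign[16] = {
    'N','T','L','M','S','S','P',0, 1,0,0,0, 0x15,0x82,0x00,0x00 };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Extract NegotiateFlags from a NEGOTIATE (type 1) message.
 * Returns 0 on success, -1 if the header is short or malformed. */
int ntlmssp_negotiate_flags(const uint8_t *msg, size_t len, uint32_t *flags)
{
    if (msg == NULL || flags == NULL || len < 16)
        return -1;
    if (memcmp(msg, "NTLMSSP", 8) != 0 || le32(msg + 8) != 1)
        return -1;
    *flags = le32(msg + 12);
    return 0;
}

/* 1 if the client asked for signing, 0 if not, -1 on parse error. */
int ntlmssp_requests_sign(const uint8_t *msg, size_t len)
{
    uint32_t flags;
    if (ntlmssp_negotiate_flags(msg, len, &flags) != 0)
        return -1;
    return (flags & NTLMSSP_NEGOTIATE_SIGN) ? 1 : 0;
}

int main(void)
{
    printf("no-sign sample: %d\n", ntlmssp_requests_sign(sample_no_sign, 16));
    printf("sign sample:    %d\n", ntlmssp_requests_sign(sample_sign, 16));
    return 0;
}
```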
Ok, I've done testing on this and it definitely
fixes the problem of joining mixed-mode domains.
The problem is what effect it will have elsewhere....
Hmmmm. Andrew, can you comment ?
Applied a similar version of this patch.
Should be fixed. Needs testing !
*** Bug 367 has been marked as a duplicate of this bug. ***
*** Bug 467 has been marked as a duplicate of this bug. ***
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.