6680 – Authentication failure from Windows 7 when domain joined.

Bug 6680 - Authentication failure from Windows 7 when domain joined.

Summary: Authentication failure from Windows 7 when domain joined.

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.4
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	3.4.0
Hardware:	All Windows 7

Importance:	P3 critical
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-08-31 19:26 UTC by Dan Sledz
Modified:	2009-09-04 13:29 UTC (History)
CC List:	0 users

See Also:

Attachments
pcap showing the behavior. (9.02 KB, application/octet-stream) 2009-08-31 19:27 UTC, Dan Sledz	no flags	Details
support large ntlm2 blobs in wbcAuthenticateUserEx(). (967 bytes, patch) 2009-09-01 05:03 UTC, Guenther Deschner	no flags	Details
revised version of that patch (2.29 KB, patch) 2009-09-01 05:32 UTC, Guenther Deschner	kai: review+	Details
revised version of that patch, now tested and working. (2.11 KB, patch) 2009-09-01 09:13 UTC, Guenther Deschner	no flags	Details
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dan Sledz 2009-08-31 19:26:02 UTC

When authenticating to a domain joined samba server with NTLMv2 from a Windows 7 client, a valid password is being denied.  The same request succeeded with NTLMv1.  The key to this repro is accessing the server via a hostname so Windows 7 adds a SPN to the target information section of the NTLMv2 Response.

After looking at the trace and the code, it seems as though the nt_response field is being truncated to 256 bytes when being packed into the winbindd_request in check_winbind_security().

I'm unsure of the best way to fix this since it's inside the winbindd IPC layer and the interface is not versioned.

Comment 1 Dan Sledz 2009-08-31 19:27:56 UTC

Created attachment 4617 [details]
pcap showing the behavior.

I'm attaching a pcap showing the nt_response field > 256 bytes.

Comment 2 Guenther Deschner 2009-09-01 04:51:29 UTC

Ok, this is a bug as nt_response is treated as an fstring (static 256 byte char array) in the winbind_request structure.

Comment 3 Guenther Deschner 2009-09-01 05:03:56 UTC

Created attachment 4619 [details]
support large ntlm2 blobs in wbcAuthenticateUserEx().

Could you please try this patch ?

Comment 4 Guenther Deschner 2009-09-01 05:12:47 UTC

patch is not sufficient, hold on.

Comment 5 Guenther Deschner 2009-09-01 05:32:30 UTC

Created attachment 4620 [details]
revised version of that patch

Comment 6 Kai Blin 2009-09-01 08:01:13 UTC

Comment on attachment 4620 [details]
revised version of that patch

Looks good now.

Comment 7 Guenther Deschner 2009-09-01 09:13:25 UTC

Created attachment 4621 [details]
revised version of that patch, now tested and working.

Comment 8 Guenther Deschner 2009-09-01 19:33:31 UTC

Dan, could you please test that final fix (that also went upstream to master git branch already) ? It fixes the issue here.

Comment 9 Guenther Deschner 2009-09-02 03:29:29 UTC

Karolin, reassigning to you, this absolutely needs to be in 3.4/3.3 in order to
support samba member-servers running winbind and clients using ntlmv2 (default
in win7).

Comment 10 Karolin Seeger 2009-09-02 03:44:04 UTC

Pushed.
Closing out bug report.

Dan, please reopen if it's still an issue.

Thanks!

Comment 11 Dan Sledz 2009-09-04 12:45:50 UTC

I pulled down master and it now works.  Thanks!

Comment 12 Guenther Deschner 2009-09-04 13:29:07 UTC

Cool, thanks for verifiying!