Bug 6680 - Authentication failure from Windows 7 when domain joined.
Authentication failure from Windows 7 when domain joined.
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: Winbind
3.4.0
All Windows 7
: P3 critical
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-08-31 19:26 UTC by Dan Sledz
Modified: 2009-09-04 13:29 UTC (History)
0 users

See Also:


Attachments
pcap showing the behavior. (9.02 KB, application/octet-stream)
2009-08-31 19:27 UTC, Dan Sledz
no flags Details
support large ntlm2 blobs in wbcAuthenticateUserEx(). (967 bytes, patch)
2009-09-01 05:03 UTC, Guenther Deschner
no flags Details
revised version of that patch (2.29 KB, patch)
2009-09-01 05:32 UTC, Guenther Deschner
kai: review+
Details
revised version of that patch, now tested and working. (2.11 KB, patch)
2009-09-01 09:13 UTC, Guenther Deschner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Dan Sledz 2009-08-31 19:26:02 UTC
When authenticating to a domain joined samba server with NTLMv2 from a Windows 7 client, a valid password is being denied.  The same request succeeded with NTLMv1.  The key to this repro is accessing the server via a hostname so Windows 7 adds a SPN to the target information section of the NTLMv2 Response.

After looking at the trace and the code, it seems as though the nt_response field is being truncated to 256 bytes when being packed into the winbindd_request in check_winbind_security().

I'm unsure of the best way to fix this since it's inside the winbindd IPC layer and the interface is not versioned.
Comment 1 Dan Sledz 2009-08-31 19:27:56 UTC
Created attachment 4617 [details]
pcap showing the behavior.

I'm attaching a pcap showing the nt_response field > 256 bytes.
Comment 2 Guenther Deschner 2009-09-01 04:51:29 UTC
Ok, this is a bug as nt_response is treated as an fstring (static 256 byte char array) in the winbind_request structure.
Comment 3 Guenther Deschner 2009-09-01 05:03:56 UTC
Created attachment 4619 [details]
support large ntlm2 blobs in wbcAuthenticateUserEx().

Could you please try this patch ?
Comment 4 Guenther Deschner 2009-09-01 05:12:47 UTC
patch is not sufficient, hold on.
Comment 5 Guenther Deschner 2009-09-01 05:32:30 UTC
Created attachment 4620 [details]
revised version of that patch
Comment 6 Kai Blin 2009-09-01 08:01:13 UTC
Comment on attachment 4620 [details]
revised version of that patch

Looks good now.
Comment 7 Guenther Deschner 2009-09-01 09:13:25 UTC
Created attachment 4621 [details]
revised version of that patch, now tested and working.
Comment 8 Guenther Deschner 2009-09-01 19:33:31 UTC
Dan, could you please test that final fix (that also went upstream to master git branch already) ? It fixes the issue here.
Comment 9 Guenther Deschner 2009-09-02 03:29:29 UTC
Karolin, reassigning to you, this absolutely needs to be in 3.4/3.3 in order to
support samba member-servers running winbind and clients using ntlmv2 (default
in win7).
Comment 10 Karolin Seeger 2009-09-02 03:44:04 UTC
Pushed.
Closing out bug report.

Dan, please reopen if it's still an issue.

Thanks!
Comment 11 Dan Sledz 2009-09-04 12:45:50 UTC
I pulled down master and it now works.  Thanks!
Comment 12 Guenther Deschner 2009-09-04 13:29:07 UTC
Cool, thanks for verifiying!