Reported and analysed by "Blohm, Guntram (I/FP-37, extern)" <extern.guntram.blohm@audi.de>.

Found the bug, though it took me a while. In samba version 3.4, source3/libsmb/smbencrypt.c says

    if (!ntv2_owf_gen(nt_hash, user, domain, False, ntlm_v2_hash)) {

the False tells ntv2_owf_gen not to uppercase the domain name. Samba version 3.5 moves the file to libcli/auth/smbencrypt.c and changes that line to

    if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) {

and version 3.6 doesn't change anything there.

When the domain/workgroup name is fetched from the command line (in source3/libsmb/cliconnect.c), 3.4 has:

    if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
        (p=strchr_m(user2,*lp_winbind_separator()))) {
            *p = 0;
            user = p+1;
            workgroup = user2;
    }

which does not change in 3.5, but 3.6 uses

    if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
        (p=strchr_m(user2,*lp_winbind_separator()))) {
            *p = 0;
            user = p+1;
            strupper_m(user2);
            workgroup = user2;
    }

So basically the problem is: version 3.4 (and below) passes a lowercase version (to be exact: same case that was given on the command line) of the workgroup name to the encryption subsystem, and also uses this lowercase version in the plain text part of the NTLMSSP message. 3.5 uses an uppercase workgroup name for encryption, but still passes the lowercase version of the workgroup in the plain text part, causing the NTLMv2 authentication to fail (at least against Win7 as server). 3.6 always uppercases the workgroup name, so NTLMv2 authentication works again.

I'd propose to copy the strupper_m(user2); line from 3.6 to 3.5, or are there any reasons not to do this? In the meanwhile, the workaround could be using all uppercase domain names on the command line (which is what I'm doing right now).
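The mismatch described in the report above can be reproduced with a small model. This is an added example, not part of the original report or of Samba's code. It assumes a verifier that derives the NTLMv2 hash from the domain exactly as it appears in the NTLMSSP message; the NT hash, challenge, blob and the names CLIENT_MODELS and server_accepts are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the bug report.
NT_HASH = bytes(range(16))              # stands in for MD4(UTF-16LE(password))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_BLOB = b"\x01\x01" + bytes(26)   # placeholder for the NTLMv2 client blob


def ntowf_v2(nt_hash, user, domain, upper_case_domain):
    """NTLMv2 one-way function: HMAC-MD5 keyed with the NT hash over
    UTF-16LE(upper(user) + domain). The flag mirrors the boolean that
    the report says is passed to ntv2_owf_gen()."""
    if upper_case_domain:
        domain = domain.upper()
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def nt_proof(v2_hash):
    """Proof value the client sends: HMAC-MD5 over challenge + client blob."""
    return hmac.new(v2_hash, SERVER_CHALLENGE + CLIENT_BLOB, hashlib.md5).digest()


# How each client version treats the domain typed on the command line,
# as described in the report.
CLIENT_MODELS = {
    "3.4": {"upper_for_hash": False, "upper_on_wire": False},
    "3.5": {"upper_for_hash": True, "upper_on_wire": False},
    "3.6": {"upper_for_hash": True, "upper_on_wire": True},
}


def server_accepts(version, user, domain):
    """Return True if the modelled server computes the same proof as the client."""
    model = CLIENT_MODELS[version]
    wire_domain = domain.upper() if model["upper_on_wire"] else domain
    client = nt_proof(ntowf_v2(NT_HASH, user, wire_domain, model["upper_for_hash"]))
    # Assumption: the server hashes the domain exactly as received on the wire.
    server = nt_proof(ntowf_v2(NT_HASH, user, wire_domain, False))
    return hmac.compare_digest(client, server)


if __name__ == "__main__":
    for version in CLIENT_MODELS:
        print(version, "corp\\alice ->", server_accepts(version, "alice", "corp"))
    print("3.5 CORP\\alice ->", server_accepts("3.5", "alice", "CORP"))
```

Only the 3.5 model with a lowercase domain fails; giving the domain in uppercase, the workaround from the report, makes the hashed and transmitted names agree again.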
Created attachment 7820: git-am fix for 3.6.x. This is the code that went into master (applies cleanly to 3.6.x). Jeremy.
Created attachment 7821: git-am fix for 3.5.next. Simpler fix than the generic one for master/3.6.next, but still addresses the bug. Jeremy.
Comment on attachment 7820: git-am fix for 3.6.x. I'm concerned that other SMBNTLMv2encrypt_hash() callers may be unintentionally affected by the change in ntv2_owf_gen() behaviour, otherwise these patches look good to me.
(In reply to comment #3)
> Comment on attachment 7820
> git-am fix for 3.6.x.
>
> I'm concerned that other SMBNTLMv2encrypt_hash() callers may be unintentionally
> affected by the change in ntv2_owf_gen() behaviour, otherwise these patches
> look good to me.

It looks like winbind capitalises all domains passed through to SMBNTLMv2encrypt_hash(), the ntlm_auth binary does not appear to do so.
So do we have a case where a lower-case domain might be needed for ntlm-auth? If not I can add an additional patch that capitalizes the domain name within there for 3.6.next (and master). You're closer to the coal-face as it were, so do you have customers who might need this (does Windows even allow it?)? Jeremy.
Re-assigning to Karolin for inclusion in 3.5.next and 3.6.next. Jeremy.
Pushed to v3-6-test and v3-5-test. Closing out bug report. Thanks!