Bug 9117 - smbclient can't connect to a Windows 7 server using NTLMv2 (crypto code changes domain case).
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: Client Tools
Version: unspecified
Hardware/OS: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2012-08-24 22:45 UTC by Jeremy Allison
Modified: 2012-10-15 09:34 UTC (History)
Attachments
git-am fix for 3.6.x. (11.23 KB, patch)
2012-08-24 22:51 UTC, Jeremy Allison
abartlet: review+
jra: review? (ddiss)
git-am fix for 3.5.next (1.61 KB, patch)
2012-08-24 22:55 UTC, Jeremy Allison
abartlet: review+
ddiss: review+

Description Jeremy Allison 2012-08-24 22:45:06 UTC
Reported and analysed by "Blohm, Guntram (I/FP-37, extern)" <extern.guntram.blohm@audi.de>.

Found the bug, though it took me a while.

In samba version 3.4, source3/libsmb/smbencrypt.c says

        if (!ntv2_owf_gen(nt_hash, user, domain, False, ntlm_v2_hash)) {

the False tells ntv2_owf_gen not to uppercase the domain name.

Samba version 3.5 moves the file to libcli/auth/smbencrypt.c and changes that line to

        if (!ntv2_owf_gen(nt_hash, user, domain, true, ntlm_v2_hash)) {

and version 3.6 doesn't change anything there.


When the domain/workgroup name is fetched from the command line (in source3/libsmb/cliconnect.c), 3.4 has:

        if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
            (p=strchr_m(user2,*lp_winbind_separator()))) {
                *p = 0;
                user = p+1;
                workgroup = user2;
        }

which does not change in 3.5, but 3.6 uses

        if ((p=strchr_m(user2,'\\')) || (p=strchr_m(user2,'/')) ||
            (p=strchr_m(user2,*lp_winbind_separator()))) {
                *p = 0;
                user = p+1;
                strupper_m(user2);
                workgroup = user2;
        }

So basically the problem is: version 3.4 (and below) passes a lowercase version (to be exact: same case that was given on the command line) of the workgroup name to the encryption subsystem, and also uses this lowercase version in the plain text part of the NTLMSSP message. 3.5 uses an uppercase workgroup name for encryption, but still passes the lowercase version of the workgroup in the plain text part, causing the NTLMv2 authentication to fail (at least against Win7 as server). 3.6 always uppercases the workgroup name, so NTLMv2 authentication works again.

I'd propose to copy the

                strupper_m(user2);

line from 3.6 to 3.5, or are there any reasons not to do this? In the meanwhile, the workaround could be using all uppercase domain names on the command line (which is what I'm doing right now).
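The case-mismatch failure described in the report, as an added example that is neither part of the bug report nor of Samba's code. It models NTOWFv2 as MS-NLMP defines it (HMAC-MD5 keyed with the NT hash over UTF-16LE of the uppercased user name followed by the domain name, with no uppercasing of the domain) and the NTProofStr of an NTLMv2 response, then replays the three client behaviours from the report: 3.4 hashes and sends the domain as typed, 3.5 hashes the uppercased domain but sends it as typed, 3.6 uppercases before both uses. The server side is a simplified model that recomputes the key from the user and domain fields it received in the AUTHENTICATE_MESSAGE; it is not Samba's or Windows' actual validation path. Credentials, server challenge and the minimal client-challenge blob are constructed, and MD4 is implemented inline so the example does not depend on OpenSSL's legacy provider.

```python
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes need it and many OpenSSL builds
    no longer expose it through hashlib."""
    mask = 0xFFFFFFFF

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    def rol(x, n):
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask

    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = rol(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = rol(a + g(b, c, d) + x[k] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rol(a + h(b, c, d) + x[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password (the nt_hash in the report)."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 per MS-NLMP: only the user name is uppercased; the domain is
    used exactly as given, which is why its case has to match on both sides."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), "md5").digest()


def nt_proof(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr, the first 16 bytes of an NTLMv2 response."""
    return hmac.new(key, server_challenge + blob, "md5").digest()


def client_authenticate(password, user, domain_typed, behaviour, server_challenge, blob):
    """Model of the three client behaviours from the report. Returns the domain
    placed in the plaintext DomainName field and the NTProofStr."""
    nt = nt_hash(password)
    if behaviour == "3.4":        # same case for the hash and for the message
        key, sent = ntowf_v2(nt, user, domain_typed), domain_typed
    elif behaviour == "3.5":      # ntv2_owf_gen(..., true, ...) but domain sent as typed
        key, sent = ntowf_v2(nt, user, domain_typed.upper()), domain_typed
    elif behaviour == "3.6":      # strupper_m(user2) before both uses
        key, sent = ntowf_v2(nt, user, domain_typed.upper()), domain_typed.upper()
    else:
        raise ValueError(behaviour)
    return sent, nt_proof(key, server_challenge, blob)


def server_verify(stored_nt, user, domain_sent, server_challenge, blob, proof):
    """Simplified server: rebuild NTOWFv2 from the stored NT hash and the
    user/domain received in the AUTHENTICATE_MESSAGE, then check the proof."""
    expected = nt_proof(ntowf_v2(stored_nt, user, domain_sent), server_challenge, blob)
    return hmac.compare_digest(expected, proof)


def demo():
    """Run the exchange for each behaviour with constructed inputs."""
    password, user, domain_typed = "Passw0rd!", "guntram", "audi"      # constructed
    server_challenge = bytes.fromhex("0123456789abcdef")               # constructed
    # Minimal NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, 6 reserved bytes,
    # zero timestamp, constructed client nonce, reserved, MsvAvEOL, reserved.
    blob = (b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8
            + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4
            + b"\x00\x00\x00\x00" + b"\x00" * 4)
    stored = nt_hash(password)
    results = {}
    for behaviour in ("3.4", "3.5", "3.6"):
        sent, proof = client_authenticate(password, user, domain_typed,
                                          behaviour, server_challenge, blob)
        results[behaviour] = server_verify(stored, user, sent, server_challenge, blob, proof)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the 3.5 behaviour fails: its proof was keyed with "AUDI" while the server, working from the DomainName field, keys with "audi". The two fixes on the page are both consistent with this model: uppercasing before both uses (3.6) or leaving the case alone in both places (3.4) make the key the same on both sides, and the user's workaround of typing the domain in uppercase does the same thing by hand.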
Comment 1 Jeremy Allison 2012-08-24 22:51:06 UTC
Created attachment 7820 [details]
git-am fix for 3.6.x.

This is the code that went into master (applies cleanly to 3.6.x).
Jeremy.
Comment 2 Jeremy Allison 2012-08-24 22:55:13 UTC
Created attachment 7821 [details]
git-am fix for 3.5.next

Simpler fix than the generic one for master/3.6.next, but still addresses the bug.

Jeremy.
Comment 3 David Disseldorp 2012-08-30 10:37:53 UTC
Comment on attachment 7820 [details]
git-am fix for 3.6.x.

I'm concerned that other SMBNTLMv2encrypt_hash() callers may be unintentionally affected by the change in ntv2_owf_gen() behaviour, otherwise these patches look good to me.
Comment 4 David Disseldorp 2012-08-30 10:54:22 UTC
(In reply to comment #3)
> Comment on attachment 7820 [details]
> git-am fix for 3.6.x.
> 
> I'm concerned that other SMBNTLMv2encrypt_hash() callers may be unintentionally
> affected by the change in ntv2_owf_gen() behaviour, otherwise these patches
> look good to me.

It looks like winbind capitalises all domains passed through to SMBNTLMv2encrypt_hash(), the ntlm_auth binary does not appear to do so.
Comment 5 Jeremy Allison 2012-08-30 15:49:55 UTC
So do we have a case where a lower-case domain might be needed for ntlm-auth ? If not I can add an additional patch that capitalizes the domain name within there for 3.6.next (and master).

You're closer to the coal-face as it were, so do you have customers who might need this (does Windows even allow it ?) ?

Jeremy.
Comment 6 Jeremy Allison 2012-10-15 04:06:35 UTC
Re-assigning to Karolin for inclusion in 3.5.next and 3.6.next.
Jeremy.
Comment 7 Karolin Seeger 2012-10-15 09:34:17 UTC
Pushed to v3-6-test and v3-5-test.
Closing out bug report.

Thanks!