Since I've put live my winbindd setup, I've discovered two embarassing
truths about that code:
1) It doesn't like NTLMv2 at all, refusing access to anybody who dares
provide NTLMv2 credentials
2) (much more embarassing) due to an one-liner it ends up ignoring NT
credentals, always falling back to LM even when the NThash is provided.
Here's the patch. Please apply to the -PRE tree before -STABLE release.
--- wb_ntlm_auth.c.orig Tue Sep 17 09:49:40 2002
+++ wb_ntlm_auth.c Tue Sep 17 17:08:22 2002
@@ -219,21 +219,24 @@
authfail(domain, user, "Broken LM hash response");
return;
}
-
+ have_nthash=0;
nthash = ntlm_fetch_string((char *) auth, auth_length, &auth->ntresponse);
switch (nthash.l) {
case 0:
debug("no nthash\n");
request.data.auth_crap.nt_resp_len = 0;
+ have_nthash=0;
break;
case 24:
memcpy(request.data.auth_crap.nt_resp, nthash.str, 24);
request.data.auth_crap.nt_resp_len = 24;
+ have_nthash=1;
break;
default:
- debug("nthash len = %d\n", nthash.l);
- authfail(domain, user, "Broken NT hash response");
- return;
+ debug("nthash len=%d. Ignoring it.\n",nthash.l);
+ request.data.auth_crap.nt_resp_len = 0;
+ have_nthash=0;
+ break;
}
debug("Checking user '%s\\%s' lmhash len =%d, have_nthash=%d, "
-- kinkie (kinkie-ml [at] libero [dot] it) Random fortune, unrelated to the message: He is the best of men who dislikes power. -- MohammedReceived on Tue Sep 17 2002 - 09:17:41 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:16:33 MST