The branch, v3-6-test has been updated
via 6287391 BUG 9817: Fix 'map untrusted to domain' with NTLMv2.
from dd07b3c bug 9830: fix panic in nt_printer_publish_ads
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit 62873916076d748f7c91868a6cd28d35e64d8dca
Author: Andreas Schneider <a...@samba.org>
Date: Wed Apr 24 15:27:21 2013 +0200
BUG 9817: Fix 'map untrusted to domain' with NTLMv2.
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Günther Deschner <g...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
Autobuild-Date(master): Wed Apr 24 17:14:48 CEST 2013 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth_winbind.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 2143353..57a8866 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -62,9 +62,15 @@ static NTSTATUS check_winbind_security(const struct
auth_context *auth_context,
}
/* Send off request */
-
params.account_name = user_info->client.account_name;
- params.domain_name = user_info->mapped.domain_name;
+ /*
+ * We need to send the domain name from the client to the DC. With
+ * NTLMv2 the domain name is part of the hashed second challenge,
+ * if we change the domain name, the DC will fail to verify the
+ * challenge cause we changed the domain name, this is like a
+ * man in the middle attack.
+ */
+ params.domain_name = user_info->client.domain_name;
params.workstation_name = user_info->workstation_name;
params.flags = 0;
--
Samba Shared Repository
