> I posted the bug on this a few days back (#262). I've been rooting
> through the NTLM code today and it seems to be pretty much a
> question of
> the DC getting bored with life. I added in some retrying in
> the code and
> it has eliminated the problem.
>
> I was going to rewrite the interface to libntlmssp.c so it has decent
> error reporting and retries from within ntlm_auth.c if it gets NetBIOS
> errors.
>
> Is that good with you Robert - you seem to be the maintainer of that
> bit?
There currently is an issue with NTLMSSP with fail_open:
If an user enters a blank password, under stome (still uncler, but probably
they have something to do with NT-truster-with-2k-trusted-domain)
circumstances,
the NTLMSSP will get a "Read Error", while the client's domain controller
will
register a logon failure. Unfortunately "read error" is fail-open for
NTLMSSP.
Results are very fast account lockouts if the users catch the hint.
I've currently worked around this by adding an explicit blank-password
check,
but I've not yet committed that code yet - worse, I've seen unverifiued
reports that the problem is still occuring, there must be some critical
path.
Short-term solution is not using fail-open (not use the -l helper switch)
but expect lots of failed legitimate logins then.
Long-term solution is using a winbindd-based authenticator, but winbindd
is currently in a bit of a flux and I am critically short of time.
-- /kinkieReceived on Mon Nov 19 2001 - 08:35:32 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:38 MST