On Sat, 2003-11-22 at 22:46, Andrew Bartlett wrote:
> On Sat, 2003-11-22 at 22:30, Henrik Nordstrom wrote:
> > On Sat, 22 Nov 2003, Andrew Bartlett wrote:
> >
> > > Yep, there is a bug in Samba's ntlm_auth. I'm waiting on a valgrind run
> > > or at least a backtrace.
> >
> > There is a Squid user who apparently can get the Samba ntlm_auth helper to
> > segfault reliably. But he probably needs a little guidance on how to get a
> > backtrace from the helper.
> >
> > http://www.squid-cache.org/mail-archive/squid-users/200311/0893.html
>
> I've caught up with him on samba-technical.
>
> > > I'm just about to add NTLM2 to our server-side NTLMSSP and maybe my
> > > added paranoia fixed the bugs (but that's just hope :-)
> >
> > So now it becomes an even more pressing need to get Squid to send the
> > NEGOTIATE packet to the helper properly, and to figure out how to fully
> > stop challenge reuses..
>
> Actually, NTLM2 should work without it (it is different to NTLMv2 - yet
> another variation), but challenge reuses are evil anyway :-)

However, what is evil is the fact that we don't get the negotiate
packet, so we can't enable these things.

Once we sort this bit out, we are going to work a *lot* better at some
of the 'high security policy' sites.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:20:47 MST