[samba] Fw: NTLMSSP squid samba 3.0

[Grigory Batalov]

(Мне тоже было бы интересно услышать ответ)


Begin forwarded message:

Date: Mon, 20 Oct 2003 21:49:59 -0300
From: Carlos Alberto Barcenilla <barce на frlp.utn.edu.ar>
To: grisxa на mail.ru
Cc: agu на frlp.utn.edu.ar
Subject: NTLMSSP squid samba 3.0


<mailto:sisyphus%40altlinux.ru?Subject=%5Bsisyphus%5D%20failed%20to%20parse%20NTLMSSP%20%28was%3A%20I%3A%20new%20samba3%20build%29&In-Reply-To=20030428170652.1a248491.grisxa%40mail.ru>Hi..

    I found a post from yo at 
http://www.altlinux.ru/pipermail/sisyphus/2003-April/022442.html
   
    After translating Russian-to-english with the help of babelfish and 
then English to Spanish with the help of my mind :) :) I found I'm 
experiencing the same problem.
   
    I was comparing NTLMSSP messages from Windows XP and Windows 98 and 
they are quite different. I guess that's why ntlm_auth can't parse them. 
I'm not an expert in SMB so that's all I can do. (I used this to 
compare: http://www.innovation.ch/java/ntlm.html#resources) This seems 
to be ok for windows XP / 2000 / NT, but not for Windows 98.

    ©Have you solved the problem? I'm almost sure this is a bug in 
libsmb or ntlm_auth.

Thanks in advance!

Windows 98:
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 51 00 00 00 00 00 00 00  69 00 00 00 08 00 08 00  Q....... i.......
  [020] 34 00 00 00 09 00 09 00  3C 00 00 00 0C 00 0C 00  4....... <.......
  [030] 45 00 00 00 53 49 53 54  45 4D 41 53 61 69 67 6C  E...SIST EMASaigl
  [040] 65 73 69 61 73 41 52 51  2E 49 47 4C 45 53 49 41  esiasARQ .IGLESIA
  [050] 53 57 DA 59 07 B0 F4 68  5B CA 48 FD 0A D7 5B 0F  SWзY.╟Тh [йHЩ.в[.
  [060] 83 3B B8 D7 D6 FC F2 57  FB                       .;╦вжЭРW Ш

Windows XP:
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 54 00 00 00 18 00 18 00  6C 00 00 00 08 00 08 00  T....... l.......
  [020] 40 00 00 00 05 00 05 00  48 00 00 00 07 00 07 00  @....... H.......
  [030] 4D 00 00 00 00 00 00 00  84 00 00 00 06 02 00 20  M....... .......
  [040] 53 49 53 54 45 4D 41 53  42 41 52 43 45 41 4D 45  SISTEMAS BARCEAME
  [050] 52 49 43 41 1D 73 3A C4  CB D4 0B 8D 6A A0 02 AC  RICA.s:д кт..j .╛
  [060] 01 88 CB C9 00 0E 1D 49  B1 8A 6B 32 11 6B 58 7F  ..ки...I ╠.k2.kX.
  [070] 10 D9 A8 69 28 08 BA E0  45 5A C1 C7 1B 46 0E 48  .ы╗i(.╨Ю EZаг.F.H
  [080] C2 8C AA 51                                       б.╙Q


My manual decode of W98:

protocol: [000] NTLMSSP\0
type: [008] 0x03 // type-3 message
zero: [00A] 0x000000
lm_resp_len: [00C] 0x0018 (little endian) decimal: 24
lm_resp_len: [00E] 0x0018 (little endian) decimal: 24
lm_resp_off: [010] 0x0051 (little endian)
zero: [012] 0x0000
nt_resp_len: [014] 0x0000  (ohh!! this should be nonzero, it seems W98 
does not use it)
nt_resp_len: [016] 0x0000  (ohh!! this should be nonzero, it seems W98 
does not use it)
nt_resp_off: [018] 0x0069 (little endian)
zero: [01A] 0x0000
dom_len: [01C] 0x0008 (little endian) {SISTEMAS}
dom_len: [01E] 0x0008 (little endian)
dom_off: [020] 0x0034 (little endian)
zero: [022] 0x0000
user_len: [024] 0x0009 (little endian) {aiglesias}
user_len: [026] 0x0009 (little endian)
user_off: [028] 0x003C (little endian)
zero: [02A] 0x0000
host_len: [02C] 0x000C (little endian) decimal: 12 {ARQ.IGLESIAS}
host_len: [02E] 0x000C (little endian) decimal: 12
host_off: [030] 0x0045 (little endian)
zero: [032] 0x5453494300 (little endian) 6 bytes ... this should be 
6-byte zeroes!!!!
msg_len: [038] 0x4D45 ......... ohh this went to the hell!! Continue 
parsing it's useless!




-- 
Григорий Баталов,
группа техподдержки
ОАО "Ковдорский ГОК"