My old pal Rudi Chiarito1 ran across an interesting authentication quirk.

As noted in the text, when LM authentication is disabled in favor of NTLM authentication (e.g., by setting LMCompatibilityLevel to 2 in Windows) the client will place a copy of the NTLM Response into both the CaseInsensitivePassword field and the CaseSensitivePassword field.

That's two copies of the NTLM Response, one in each field.

The thing Rudi noted was that Samba (at least up through version 3.0.9) doesn't even look at the second password field when in SECURITY = SERVER (a.k.a. pass-through) mode. It simply passes the content of the CaseInsensitivePassword field (the first field) through to the password server (typically, but not necessarily, a Domain Controller).

This is perfectly reasonable behavior, when you consider that pass-through authentication was (and is) a bit of a kludge. Also recall that LMv2 was created because the NTLMv2 mechanism produced a response that was larger than 24 bytes, and the LMv2 response is contained in the CaseInsensitivePassword field (the first field). So, quite probably:

  • Somewhere, somehow, there are versions of Windows that can only be coaxed into passing a maximum of 24-bytes through to the password server, and...
  • Somewhere, somehow, there are versions of Windows that will only pass through the first field (the CaseInsensitivePassword field).

If that's true, then it's not surprising that Samba does the same.

Anyway, this became an issue because the Linux CIFS VFS client was leaving the CaseInsensitivePassword field (a.k.a. the LM Response field--the first field) blank when LM authentication was disabled. It was including only one copy of the NTLM response, in the second field (the CaseSensitivePassword field). Samba, of course, was dutifully passing the empty string to the password server, and authentication was failing.

Two fixes have been applied:

  • Samba now checks to see if the first field is blank. If it is, then Samba uses the contents of the second field.
  • If the LM Response is disabled, and NTLM is enabled, then the CIFS VFS includes the NTLM Response in both fields.

I have not had the opportunity to test Windows systems in pass-through security mode, but I suspect that at least some Windows systems behave as described above. That is, they'll happily pass whatever is in the first field through to the password server.

Thanks, Rudi!

1Rudi and I worked together for a while at Amiga, Inc., along with Olaf Barthel whose name appears once or twice in the book. Good folk.

Send annotations that you are willing and permitted to freely share to
Please let me know if I may give you credit by using your name when posting the note.
   $Id: note.,v 1.3 2005/03/04 16:53:55 crh Exp $