Version: unknown (using KDE 3.3.89 (CVS >= 20041104), compiled sources)
Compiler: gcc version 3.3.5 (Debian 1:3.3.5-2)
OS: Linux (i686) release 2.6.8.1-ipv6conntrack
After introducing KNTLM, NTLM authentication is broken - I can't log in to the corporate intranet running on IIS any more. My wild guess is that the http kio slave didn't work with vanilla libntlm either; it required the patch from http://lists.kde.org/?l=kfm-devel&m=109595628706197&w=2. Maybe a similar fix is needed for kntlm?
I have KDE 3.3.91 and the NTLM authentication is broken for me too. I have Mandrake 10.1 KDE3.2 RPMs installed, and I can log into the server. Switching to a Konstruct-built KDE3.4, I did successfully download some data from the Exchange server using the Exchange plugin for KMail twice. Then it simply stopped working (I didn't change anything, honest! :). I've tcpdump'ed the output and found that kio_http is performing the gross required steps for NTLM authentication - that is responding to 401 errors by retrying with each of three different password encodings. I can access the SMB server share on the same computer using the smb:// protocol in the same Konqueror window. This bug might be linked to 92056.
Can you post the tcpdump output?
Created attachment 9164
tcpdump of an NTLM authentication failure
This was obtained using the command: tcpdump -A -s1024 -i eth0 'host 10.100.10.23 and port 80'
NOTE: I used an invalid password for this tcpdump, but the file is not materially different to that when the correct password is given
Thanks, I'll investigate the problem
Sorry, but can you repeat the dump with the -w filename option? Ethereal cannot read back the format you posted.
Created attachment 9172
tcpdump of an NTLM authentication failure (binary format)
Command was: tcpdump -s1024 -w /home/aalcock/packets2.log -i eth0 'host 10.100.10.23 and port 80'
Does the same failure happen if you try without the domain name (e.g. username is not DOMAIN\user, but only user)?
Yes, it fails. My version of KDE3.2 (Mandrake 10.1 Official RPMs) also rejects a domain-less login attempt. I'm fairly sure that earlier versions of KDE behaved in this way too. However, Firefox and Mozilla both succeed without the domain.
Created attachment 9384
Patch to allow specifying a domain name.
Does the posted patch solve the problem?
The patch partially solves the problem. I can now connect to the web server, authenticate and the HTML pages are all downloaded and displayed correctly. Therefore there is great value in the patch. However, the HTTP Authentication dialog box pops up for each and every image on the page - no matter what I enter for the username and password, the NTLM authentication fails and the image is not downloaded. On investigation, the HTML is at the following URL: https://xxxx/exchange/xxxx But the images are at https://xxxx/exchweb/img/xxxx.gif I believe that no authentication is required for the images - I can download them with a simple curl <url> command with no authentication. So, whilst the NTLM authentication problem with the NT Domain is resolved, there is another problem that makes KIO seem to want to perform authentication when it's not required, and fails when the authentication (naturally) fails.
SVN commit 425781 by sgotti: Fix wrong auth string sent to server for NTLMv2, patch from Szombathelyi György. CCBUG: 93454 M +4 -4 kntlm.cpp --- trunk/KDE/kdelibs/kio/misc/kntlm/kntlm.cpp #425780:425781 @@ -1,5 +1,5 @@ /* This file is part of the KDE libraries - Copyright (c) 2004 Szombathelyi Gy
Confirmed to be fixed.
I am still seeing failures and am unable to log in with kntlm yet Firefox works fine. This is in KDE 3.4.2. I have obtained some packet traces showing the differences between Firefox, which does work, and Konqueror, which fails.
Created attachment 12333
Capture from Ethereal of successful Firefox session login to Exchange server
Successful login via Firefox to Exchange (2003, I think)
Created attachment 12334
Failed Exchange login via Konqueror
This data was captured with Ethereal and saved in the default format.
Some additional information. I modified the kntlm code to force it to use ntlm v1 instead of v2 and now it authenticates. There's something wrong with the v2 code. Note that Firefox only uses v1. Note that this is also running on Solaris with the patches I submitted for bug 110980. I'll attach my latest patch here which seems to work.
What I see is that the username is aaronw\aaron_williams in the ntlm2 auth, and aaronw in the ntlm1 auth. Why?
I have tried with both combinations and neither works. I think it's due to the fact that for IMAP it requires the longer version. With the patch I just submitted, I am able to successfully log in with Konqueror, something I have never been able to do before. The patch also fixes several endian problems with big endian systems.
Created attachment 12363
Patch forcing kntlm to use NTLMv1 instead of v2 and also fixes endian problems (bug 110980)
This patch allows kntlm to talk to our Microsoft Exchange 2003 SP1 server correctly and also fixes some endian problems with big endian clients.
I might add that our exchange server is running Exchange 2003 with SP 1 installed. I consider the forcing to use NTLMv1 a hack as ideally v2 should work, but I have little experience with NTLM. I am only doing what Firefox does, which does work.
Hi! This bug should be re-opened. I confirm that KDE 3.4.2 is still broken. Now trying to access a Davenport webdav server is impossible with NTLM activated.
SVN commit 457394 by gyurco: Disable (NT)LMv2, until the issues are solved. CCBUG: 93454 M +15 -14 kntlm.cpp --- branches/KDE/3.4/kdelibs/kio/misc/kntlm/kntlm.cpp #457393:457394 @@ -144,20 +144,21 @@ ((Auth*) rbuf.data())->flags = ch->flags; QByteArray targetInfo = getBuf( challenge, ch->targetInfo ); - if ( forceNTLMv2 || (!targetInfo.isEmpty() && (KFromToLittleEndian(ch->flags) & Negotiate_Target_Info)) /* may support NTLMv2 */ ) { +// if ( forceNTLMv2 || (!targetInfo.isEmpty() && (KFromToLittleEndian(ch->flags) & Negotiate_Target_Info)) /* may support NTLMv2 */ ) { +// if ( KFromToLittleEndian(ch->flags) & Negotiate_NTLM ) { +// if ( targetInfo.isEmpty() ) return false; +// response = getNTLMv2Response( dom, user, password, targetInfo, ch->challengeData ); +// addBuf( rbuf, ((Auth*) rbuf.data())->ntResponse, response ); +// } else { +// if ( !forceNTLM ) { +// response = getLMv2Response( dom, user, password, ch->challengeData ); +// addBuf( rbuf, ((Auth*) rbuf.data())->lmResponse, response ); +// } else +// return false; +// } +// } else { //if no targetinfo structure and NTLMv2 or LMv2 not forced, try the older methods + if ( KFromToLittleEndian(ch->flags) & Negotiate_NTLM ) { - if ( targetInfo.isEmpty() ) return false; - response = getNTLMv2Response( dom, user, password, targetInfo, ch->challengeData ); - addBuf( rbuf, ((Auth*) rbuf.data())->ntResponse, response ); - } else { - if ( !forceNTLM ) { - response = getLMv2Response( dom, user, password, ch->challengeData ); - addBuf( rbuf, ((Auth*) rbuf.data())->lmResponse, response ); - } else - return false; - } - } else { //if no targetinfo structure and NTLMv2 or LMv2 not forced, try the older methods - if ( KFromToLittleEndian(ch->flags) & Negotiate_NTLM ) { response = getNTLMResponse( password, ch->challengeData ); addBuf( rbuf, ((Auth*) rbuf.data())->ntResponse, response ); } else { 
@@ -167,7 +168,7 @@ } else return false; } - } +// } if ( !dom.isEmpty() ) addString( rbuf, ((Auth*) rbuf.data())->domain, dom, unicode ); addString( rbuf, ((Auth*) rbuf.data())->user, user, unicode );
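Review bot: in the @@ -144,20 hunk the forceNTLMv2 argument is now ignored, so a caller that asks for NTLMv2 only is silently answered through the older getNTLMResponse() path instead of getting false back. Suggest keeping an early "if ( forceNTLMv2 ) return false;" ahead of the Negotiate_NTLM test while v2 is disabled, so the downgrade is visible to the caller rather than happening behind its back. The block is also disabled by commenting it out line by line, with the matching "// }" left in the following hunk; an #if 0 around the branch with a one-line comment pointing at bug 93454 would keep the diff smaller and make it obvious what has to be restored.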
SVN commit 457395 by gyurco: Disable (NT)LMv2 until the issues are solved (forward port). CCBUG: 93454 M +18 -17 kntlm.cpp --- branches/KDE/3.5/kdelibs/kio/misc/kntlm/kntlm.cpp #457394:457395 @@ -17,8 +17,8 @@ You should have received a copy of the GNU Library General Public License along with this library; see the file COPYING.LIB. If not, write to - the Free Software Foundation, Inc., 51 Franklin Steet, Fifth Floor, - Boston, MA 02110-1301, USA. + the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + Boston, MA 02111-1307, USA. */ #include <string.h> @@ -34,11 +34,11 @@ QString KNTLM::getString( const QByteArray &buf, const SecBuf &secbuf, bool unicode ) { + //watch for buffer overflows Q_UINT32 offset; Q_UINT16 len; offset = KFromToLittleEndian((Q_UINT32)secbuf.offset); len = KFromToLittleEndian(secbuf.len); - //watch for buffer overflows if ( offset > buf.size() || offset + len > buf.size() ) return QString::null; 
@@ -144,20 +144,21 @@ ((Auth*) rbuf.data())->flags = ch->flags; QByteArray targetInfo = getBuf( challenge, ch->targetInfo ); - if ( forceNTLMv2 || (!targetInfo.isEmpty() && (KFromToLittleEndian(ch->flags) & Negotiate_Target_Info)) /* may support NTLMv2 */ ) { +// if ( forceNTLMv2 || (!targetInfo.isEmpty() && (KFromToLittleEndian(ch->flags) & Negotiate_Target_Info)) /* may support NTLMv2 */ ) { +// if ( KFromToLittleEndian(ch->flags) & Negotiate_NTLM ) { +// if ( targetInfo.isEmpty() ) return false; +// response = getNTLMv2Response( dom, user, password, targetInfo, ch->challengeData ); +// addBuf( rbuf, ((Auth*) rbuf.data())->ntResponse, response ); +// } else { +// if ( !forceNTLM ) { +// response = getLMv2Response( dom, user, password, ch->challengeData ); +// addBuf( rbuf, ((Auth*) rbuf.data())->lmResponse, response ); +// } else +// return false; +// } +// } else { //if no targetinfo structure and NTLMv2 or LMv2 not forced, try the older methods + if ( KFromToLittleEndian(ch->flags) & Negotiate_NTLM ) { - if ( targetInfo.isEmpty() ) return false; - response = getNTLMv2Response( dom, user, password, targetInfo, ch->challengeData ); - addBuf( rbuf, ((Auth*) rbuf.data())->ntResponse, response ); - } else { - if ( !forceNTLM ) { - response = getLMv2Response( dom, user, password, ch->challengeData ); - addBuf( rbuf, ((Auth*) rbuf.data())->lmResponse, response ); - } else - return false; - } - } else { //if no targetinfo structure and NTLMv2 or LMv2 not forced, try the older methods - if ( KFromToLittleEndian(ch->flags) & Negotiate_NTLM ) { response = getNTLMResponse( password, ch->challengeData ); addBuf( rbuf, ((Auth*) rbuf.data())->ntResponse, response ); } else { @@ -167,7 +168,7 @@ } else return false; } - } +// } if ( !dom.isEmpty() ) addString( rbuf, ((Auth*) rbuf.data())->domain, dom, unicode ); addString( rbuf, ((Auth*) rbuf.data())->user, user, unicode );
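Review bot: the @@ -17,8 hunk changes the FSF postal address in the licence header (the "51 Franklin Steet, Fifth Floor" lines are replaced by "59 Temple Place - Suite 330"), which is unrelated to disabling (NT)LMv2. It should be dropped from this forward port or committed separately, and it is worth checking that it was not carried over by accident from the branches/KDE/3.4 copy of the file. The @@ -34,11 hunk in KNTLM::getString() is in the same category: it only moves the "//watch for buffer overflows" comment up to the top of the function, away from the check it describes, so the comment is better left directly above the "if ( offset > buf.size() || offset + len > buf.size() )" line.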
Even with NTLM v2, it makes my Davenport webdav server crash (internal server error), while I have no problems with firefox...
Sorry, I wanted to say 'with NTLM v2 disabled'...
SVN commit 459419 by gyurco: Supply the workstation name for NTLM. CCBUG: 93454 M +4 -1 http.cc --- branches/KDE/3.5/kdelibs/kioslave/http/http.cc #459418:459419 @@ -5460,9 +5460,12 @@ if ( len > 4 ) { // create a response + char name[512]; + QString ws; + if ( gethostname( name, sizeof(name) ) == 0 ) ws = QString::fromLatin1( name ); QByteArray challenge; KCodecs::base64Decode( strauth.right( len - 5 ), challenge ); - KNTLM::getAuth( buf, challenge, user, passwd, domain, QString::null, false, false ); + KNTLM::getAuth( buf, challenge, user, passwd, domain, ws, false, false ); } else {
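Review bot: gethostname( name, sizeof(name) ) is not guaranteed to NUL-terminate name when the host name is truncated, and QString::fromLatin1( name ) reads up to the terminator. Suggest forcing termination after a successful call, for example name[sizeof(name) - 1] = '\0'; before building ws. A short comment would also help here noting that ws replaces QString::null as the workstation argument of KNTLM::getAuth(), so the local host name is now sent to whichever server issues the NTLM challenge.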