
This queue is for tickets about the NTLM CPAN distribution.

Report information
The Basics
Id: 9521
Status: open
Priority: 0/
Queue: NTLM

People
Owner: Nobody in particular
Requestors: steve_burch [...] hotmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



Subject: Authentication to IIS 5.0 server fails repeatedly with 401 errors
I am running a Linux Red Hat 9 system with "perl, v5.8.0 built for i386-linux-thread-multi", and v1.02 of NTLM.pm. I'm attempting to authenticate to an IIS 5.0 W2K system. Luckily I found 1 newsgroup article which documented the fix in comp.lang.perl.misc in the thread "Authen::NTLM and MS04-011". See that thread for an abundance of detail.

Within "sub ntlm" of NTLM.pm, change the line:
$domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
to
$domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len});

Thanks for considering including this patch into the general distribution. It may save someone else considerable pain.
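
Added example, not part of the ticket or of NTLM.pm: the two substr() lines above differ in whether the offset field of the challenge's domain security buffer is honoured, and this sketch reads the target name at its declared offset with bounds checks. The function names, the 48-byte fixed header and the sample messages are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64 encode_base64);
use Encode qw(decode encode);

use constant NEGOTIATE_UNICODE => 0x00000001;
use constant HEADER_LEN        => 48;   # fixed Type 2 fields incl. target-info buffer

# Return the target (domain) name from a base64 Type 2 message; die if malformed.
sub type2_target_name {
    my ($b64) = @_;
    my $msg = decode_base64($b64);
    die "message too short\n" if length($msg) < 32;

    # Signature, type, target-name security buffer (len, maxlen, offset), flags.
    my ($sig, $type, $len, undef, $offset, $flags) = unpack('a8 V v v V V', $msg);
    die "not an NTLMSSP message\n" unless $sig eq "NTLMSSP\0";
    die "not a Type 2 message\n"   unless $type == 2;
    return '' if $len == 0;

    # The name is wherever the offset field says; check it lies inside the message.
    die "target name outside message\n"
        if $offset < 32 || $offset + $len > length($msg);
    my $raw = substr($msg, $offset, $len);
    return ($flags & NEGOTIATE_UNICODE) ? decode('UTF-16LE', $raw) : $raw;
}

# Constructed sample: optional target-info bytes are placed before the name.
sub build_type2 {
    my ($name, $info, $offset) = @_;
    my $raw = encode('UTF-16LE', $name);
    $offset //= HEADER_LEN + length($info);
    my $head = pack('a8 V v v V V a8 x8 v v V', "NTLMSSP\0", 2,
        length($raw), length($raw), $offset, NEGOTIATE_UNICODE,
        'ABCDEFGH', length($info), length($info), HEADER_LEN);
    return encode_base64($head . $info . $raw, '');
}

my $eol = pack('v v', 0, 0);    # target info holding only a terminator pair
for my $case (['name first', ''], ['target info first', $eol]) {
    my ($label, $info) = @$case;
    my $b64   = build_type2('DOMAIN', $info);
    my $fixed = substr(decode_base64($b64), HEADER_LEN, 12);   # ignores offset
    printf "%-18s by offset: %-7s fixed position: %s\n", $label,
        type2_target_name($b64), unpack('H*', $fixed);
}
# An offset pointing past the end must be rejected, not read.
eval { type2_target_name(build_type2('DOMAIN', '', 4096)) };
print "rejected: $@";
```

In the second sample the fixed-position read returns the terminator bytes followed by a truncated name, while the offset-based read still returns the full name.
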
From: Jerry Gregoire
While the replacement code below fixes the package for those systems that have been patched it is not compatible with those that have not.

A more elegant solution and one that works in both cases is to replace the line:
$domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
with:
$domain = &unicode($domain);

Enjoy.

On Fri Jan 07 18:39:25 2005, guest wrote:
> I am running a Linux Red Hat 9 system with "perl, v5.8.0 built for
> i386-linux-thread-multi", and v1.02 of NTLM.pm. I'm attempting to
> authenticate to an IIS 5.0 W2K system. Luckily I found 1 newsgroup
> article which documented the fix in comp.lang.perl.misc in the
> thread "Authen::NTLM and MS04-011". See that thread for an
> abundance of detail.
>
> Within "sub ntlm" of NTLM.pm, change the line:
> $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
> to
> $domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len});
>
> Thanks for considering including this patch into the general
> distribution. It may save someone else considerable pain.
From: Draelle
I've been banging my head against this bug for a while trying to figure out what was wrong. I found the first mentioned solution in the Perl newsgroups which fixed 1/2 the servers.

The solution offered below with:
$domain = &unicode($domain);
worked perfectly for all the systems I was hitting.

This should really be rolled into the module.

-Draelle

On Wed Mar 29 23:38:48 2006, guest wrote:
> While the replacement code below fixes the package for those systems
> that have been patched it is not compatible with those that have not.
>
> A more elegant solution and one that works in both cases is to replace
> the line:
> $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len});
> with:
> $domain = &unicode($domain);
>
> Enjoy.
>
From: nigelm [...] cpan.org
Patch to fix this attached (also fixes 11928 - doc bug)
# This is a patch for NTLM-1.02.orig to update it to NTLM-1.02 # # To apply this patch: # STEP 1: Chdir to the source directory. # STEP 2: Run the 'applypatch' program with this patch file as input. # # If you do not have 'applypatch', it is part of the 'makepatch' package # that you can fetch from the Comprehensive Perl Archive Network: # http://www.perl.com/CPAN/authors/Johan_Vromans/makepatch-x.y.tar.gz # In the above URL, 'x' should be 2 or higher. # # To apply this patch without the use of 'applypatch': # STEP 1: Chdir to the source directory. # STEP 2: Run the 'patch' program with this file as input. # #### End of Preamble #### #### Patch data follows #### diff -c 'NTLM-1.02.orig/NTLM.pm' 'NTLM-1.02/NTLM.pm' Index: ./NTLM.pm *** ./NTLM.pm Mon Oct 29 18:22:15 2001 --- ./NTLM.pm Mon Sep 18 14:03:16 2006 *************** *** 55,61 **** Returns the new username. Without an argument, this function returns the current username entry. ! =item ntlm_passwd() Set the password to use in the NTLM authentication messages. Returns the new password. Without an argument, this function --- 55,61 ---- Returns the new username. Without an argument, this function returns the current username entry. ! =item ntlm_password() Set the password to use in the NTLM authentication messages. Returns the new password. Without an argument, this function *************** *** 170,176 **** $challenge = decode_base64($challenge); $c_info = &decode_challenge($challenge); $u_user = &unicode($user); ! $domain = substr($c_info->{buffer}, 0, $c_info->{domain}{len}); $response = pack($msg3, $ident, 3); $lmResp = &lmEncrypt($c_info->{data}); $ntResp = &ntEncrypt($c_info->{data}); --- 170,176 ---- $challenge = decode_base64($challenge); $c_info = &decode_challenge($challenge); $u_user = &unicode($user); ! 
$domain = &unicode($domain); $response = pack($msg3, $ident, 3); $lmResp = &lmEncrypt($c_info->{data}); $ntResp = &ntEncrypt($c_info->{data}); diff -c 'NTLM-1.02.orig/t/ntlm.t' 'NTLM-1.02/t/ntlm.t' Index: ./t/ntlm.t *** ./t/ntlm.t Mon Oct 29 18:52:16 2001 --- ./t/ntlm.t Mon Sep 18 14:03:28 2006 *************** *** 23,29 **** my $passwd = "test"; my $msg1 = "TlRMTVNTUAABAAAAB7IAAAQABAAgAAAABAAEACQAAAB0ZXN0dGVzdA=="; my $challenge = "TlRMTVNTUAACAAAABAAEADAAAAAFggEAQUJDREVGR0gAAAAAAAAAAAAAAAAAAAAAdGVzdA=="; ! my $msg2 = "TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAQABABwAAAACAAIAHQAAAAIAAgAfAAAAAAAAABEAAAABYIBAJ7/TlMo4HLg0gOk6iKq4bv2vk35ozHEKKoqG8nTkQ5S82zyqpJzxPDJHUMynnKsBHRlc3R0AGUAcwB0AHQAZQBzAHQA"; # 2: username --- 23,29 ---- my $passwd = "test"; my $msg1 = "TlRMTVNTUAABAAAAB7IAAAQABAAgAAAABAAEACQAAAB0ZXN0dGVzdA=="; my $challenge = "TlRMTVNTUAACAAAABAAEADAAAAAFggEAQUJDREVGR0gAAAAAAAAAAAAAAAAAAAAAdGVzdA=="; ! my $msg2 = "TlRMTVNTUAADAAAAGAAYAEAAAAAYABgAWAAAAAgACABwAAAACAAIAHgAAAAIAAgAgAAAAAAAAABIAAAABYIBAJ7/TlMo4HLg0gOk6iKq4bv2vk35ozHEKKoqG8nTkQ5S82zyqpJzxPDJHUMynnKsBHQAZQBzAHQAdABlAHMAdAB0AGUAcwB0AA=="; # 2: username #### End of Patch data #### #### ApplyPatch data follows #### # Data version : 1.0 # Date generated : Mon Sep 18 14:03:32 2006 # Generated by : makepatch 2.00_07* # Recurse directories : Yes # Excluded files : (\A|/).*\~\Z # (\A|/).*\.a\Z # (\A|/).*\.bak\Z # (\A|/).*\.BAK\Z # (\A|/).*\.elc\Z # (\A|/).*\.exe\Z # (\A|/).*\.gz\Z # (\A|/).*\.ln\Z # (\A|/).*\.o\Z # (\A|/).*\.obj\Z # (\A|/).*\.olb\Z # (\A|/).*\.old\Z # (\A|/).*\.orig\Z # (\A|/).*\.rej\Z # (\A|/).*\.so\Z # (\A|/).*\.Z\Z # (\A|/)\.del\-.*\Z # (\A|/)\.make\.state\Z # (\A|/)\.nse_depinfo\Z # (\A|/)core\Z # (\A|/)tags\Z # (\A|/)TAGS\Z # p 'NTLM.pm' 6999 1158584596 0100644 # p 't/ntlm.t' 1973 1158584608 0100644 #### End of ApplyPatch data #### #### End of Patch kit [created: Mon Sep 18 14:03:32 2006] #### #### Patch checksum: 94 3718 55468 #### #### Checksum: 112 4402 46279 ####
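Review bot: In the NTLM.pm hunk at line 173, the new `$domain = &unicode($domain);` no longer reads anything from `$c_info->{domain}`, so the domain carried in the challenge is dropped and the Type 3 message depends entirely on `$domain` having been set before this point, which nothing in the hunk checks. Add a comment on the line saying why the challenge's domain is deliberately ignored, state in the POD that the domain must be supplied by the caller, and decide what should happen when `$domain` is empty or undefined (at minimum avoid passing undef to `&unicode`).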
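Review bot: In the t/ntlm.t hunk the expected `$msg2` is swapped for a different base64 string with no comment on what changed, while `$challenge` stays the same, so a reader cannot tell from the test which field of the response is now different. Add a comment next to `$msg2` stating that the domain is now expected in unicode form (the domain length field goes from 4 to 8 bytes and the following offsets shift accordingly), or decode the response and compare the domain, user and host fields individually instead of one opaque string.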
resolved in 1.03
From: lumchan [...] gmail.com
On Sat Mar 15 00:10:04 2008, BUZZ wrote:
> resolved in 1.03

I found that replacing the following:
$domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len});

with:
$domain = &unicode($domain);

..worked for my case.

Is it possible to reconsider patching the current version to use the latter fix? (Or prepending a comment in the subroutine to indicate the latter method for others still encountering the "401 Authorization Required" error with the initial patch)
On Fri Aug 29 22:39:29 2008, meep wrote:
> On Sat Mar 15 00:10:04 2008, BUZZ wrote:
> > resolved in 1.03
>
> I found that replacing the following:
> $domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len});
>
> with:
> $domain = &unicode($domain);
>
> ..worked for my case.
>
> Is it possible to reconsider patching the current version to use the
> latter fix? (Or prepending a comment in the subroutine to indicate the
> latter method for others still encountering the "401 Authorization
> Required" error with the initial patch)

I'm using 1.05 and couldn't figure out why the server wouldn't let me in. I applied the unicode() fix as above and it now works perfectly. It turns out from the headers that the system is an IIS 6 server.

Server: Microsoft-IIS/6.0

James
RT-Send-CC: nigelm [...] cpan.org
Will be fixed in 1.07 which just got uploaded

On Mon Oct 06 13:38:18 2008, SQUISH wrote:
> On Fri Aug 29 22:39:29 2008, meep wrote:
> > On Sat Mar 15 00:10:04 2008, BUZZ wrote:
> > > resolved in 1.03
> >
> > I found that replacing the following:
> > $domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len});
> >
> > with:
> > $domain = &unicode($domain);
> >
> > ..worked for my case.
> >
> > Is it possible to reconsider patching the current version to use the
> > latter fix? (Or prepending a comment in the subroutine to indicate the
> > latter method for others still encountering the "401 Authorization
> > Required" error with the initial patch)
>
> I'm using 1.05 and couldn't figure out why the server wouldn't let me
> in. I applied the unicode() fix as above and it now works perfectly.
> It turns out from the headers that the system is an IIS 6 server.
>
> Server: Microsoft-IIS/6.0
>
> James
From: forsmbg [...] gmail.com
On Wed Apr 06 22:54:46 2011, NBEBOUT wrote:
> Will be fixed in 1.07 which just got uploaded

Looks like in 1.09 it still requires manual editing, a regression or something?

In this piece the domain value is not set correctly and that causes auth failures (works fine with $domain = &unicode($domain);).

Numbers are line numbers:

287 $c_info = &decode_challenge($challenge);
288 $u_user = &unicode($user);
289 if (!$ntlm_v2) {
290 $domain = &unicode($domain);
291 #$domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len}); <<< This one I had to comment out
292 $lmResp = &lmEncrypt($c_info->{data});
293 $ntResp = &ntEncrypt($c_info->{data});
294 $flags = pack($msg3_tl, $c_info->{flags});
295 }
On reading the code of Authen::NTLM 1.09 you see that the checks on $ntlm_v2 in the ntlm function have three different outcomes:

a) if evaluating to false (e.g. 0 or undef)
b) if 1
c) if evaluating to true but not 1. E.g. 42.

Furthermore it seems that c) above actually behaves like a) *except* that it uses '&unicode($domain)'. Don't ask why.

So what worked for me was in my scripts to have:

use Authen::NTLM 1.09;
ntlmv2(42);

This seems completely undocumented so be prepared that it may change in future versions.

Hope this is useful to anyone else experiencing the same.

On Thu Jul 05 09:15:01 2012, Alex997 wrote:
> On Wed Apr 06 22:54:46 2011, NBEBOUT wrote:
> > Will be fixed in 1.07 which just got uploaded
>
> Looks like in 1.09 it still requires manual editing, a regression or
> something?
>
> In this piece the domain value is not set correctly and that causes auth
> failures (works fine with $domain = &unicode($domain);).
>
> Numbers are line numbers:
>
> 287 $c_info = &decode_challenge($challenge);
> 288 $u_user = &unicode($user);
> 289 if (!$ntlm_v2) {
> 290 $domain = &unicode($domain);
> 291 #$domain = substr($challenge, $c_info->{domain}{offset}, $c_info->{domain}{len}); <<< This one I had to comment out
> 292 $lmResp = &lmEncrypt($c_info->{data});
> 293 $ntResp = &ntEncrypt($c_info->{data});
> 294 $flags = pack($msg3_tl, $c_info->{flags});
> 295 }
>
>