From 9ae0402318e96438535f6fd2bff244826395a3b7 Mon Sep 17 00:00:00 2001 From: Warren Date: Mon, 22 Jun 2026 04:34:15 +0800 Subject: [PATCH] Document NTLMv2+LDAP incompatibility and skip Phase 2.3 --- AGENTS.md | 28 +++++++++++++++++++++++++++- data/auth.sqlite | Bin 73728 -> 73728 bytes 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/AGENTS.md b/AGENTS.md index e551a09..27f98e7 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -4087,9 +4087,35 @@ cargo test -p markbase-core --lib --features smb-server,ldap # 355 passed, 0 fa --- +### NTLMv2 + LDAP 不兼容性分析 ⭐⭐⭐⭐⭐ + +**根本性协议限制**: + +| 认证方式 | 特性 | 问题 | +|---------|------|------| +| **NTLMv2** | 不发送密码,只发送 response(从密码计算) | Server 需要预先知道 NT hash | +| **LDAP bind** | 只能验证密码是否正确 | 无法返回密码或 NT hash | + +**NTLMv2 验证流程(MS-NLMP)**: +``` +1. Client: response_key_nt = HMAC_MD5(NT_hash, UPPER(user) + domain) +2. Client: NTProofStr = HMAC_MD5(response_key_nt, server_challenge + client_challenge) +3. Server: 需要 NT_hash 来验证 NTProofStr +``` + +**结论**: +- ❌ Server 无法从 NTLMv2 response 反推密码 +- ❌ LDAP bind 无法提供 NT hash +- ✅ SMB server 启动时预同步 LDAP 用户(需要提供密码) + +**替代方案**: +- 使用 Kerberos/SPNEGO(smb-server 不支持) +- 使用 LDAP password sync 工具(独立 CLI 命令) + +--- + ### 下一步 ⭐⭐⭐⭐⭐ -**Phase 2.3**:smb-server session_setup LDAP authentication integration(修改 session_setup.rs lookup function) **Phase 3**:Write/Read Cache (~150 lines) --- 
diff --git a/data/auth.sqlite b/data/auth.sqlite index 5e572b4598e29bbccc283cfbd549c1aa98c91004..b17290f7489bf2412e6611a3a930669194c3e21d 100644 GIT binary patch delta 292 zcmZoTz|wGlWr8&0iitALj4L)Kw97D7O+F~4FquR44x0y86Gwl|=2x<8j6il{U4QlD zZ*qT_Jh(Q0k$=uF`J0znmMJ$sH#M)MsFM8;C$lJ1N@{LC`>)Mk^gr+m{AOk5WMcor zz`z1#07dPwiu(We=W}O30$iIJ3z!v{-Pz7gWGv<*S?t~#Hcvg;r}MEkN*GXXI!}b3qRw3e%^&hu3-QG!aH6L delta 252 zcmZoTz|wGlWr8&0;)ycOjEgrWw97D-Pd+H6FquR44x8n#CXW8f&97wH7=i4@y8epE z-{k%n?B6$k(f`0N@Pn0^lZpK& z0|N_~0Ti{zD(e5=pU;f}32<#@EMQh(c4K=tnf*ZTW<`N0HYRzu$%4m4H?to9&%x}* zTR)lo0#HKXHP7byyRA&jZaixzvp)cdNb+o6`(~05qrzl||C_)r{r{hzal!U4{EYwk Kc^4qr!T
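Review bot: in the AGENTS.md hunk, step 2 of the "NTLMv2 验证流程(MS-NLMP)" block oversimplifies the proof computation: `NTProofStr = HMAC_MD5(response_key_nt, server_challenge + client_challenge)` omits the rest of the `temp` blob (timestamp, client challenge, target info) that MS-NLMP concatenates after the server challenge. The conclusion drawn from it (the server must hold the NT hash) still holds, but since this section is being used to justify skipping Phase 2.3, the formula should match the spec, e.g. `NTProofStr = HMAC_MD5(response_key_nt, server_challenge + temp)` with a one-line note on what `temp` contains. Also, the third "结论" bullet (pre-syncing LDAP users at startup, "需要提供密码") implies the SMB server will derive and persist NT hashes; the doc should state where those hashes live and how that store is protected, because an NT hash is password-equivalent for NTLM authentication. Finally, the "下一步" section now drops the Phase 2.3 line without saying it was skipped; a one-line "Phase 2.3: skipped, see NTLMv2 + LDAP analysis above" would explain the numbering gap to the next reader.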
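Review bot: the `data/auth.sqlite` binary delta is unrelated to the documentation change in the subject line and is not mentioned in the commit message, so a reviewer cannot tell what changed in the database or why. Given that this file is, by name, the authentication store that the pre-sync design in the AGENTS.md hunk would populate, committing a modified copy of it deserves an explicit explanation; preferably split it into its own commit, or if it is a working artifact that should not be versioned, remove it from the repository and add it to `.gitignore` instead of carrying binary diffs through documentation commits.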