The Samba-Bugzilla – Attachment 12034 Details for
Bug 11849
CVE-2016-2110/NTLMSSP regression meta bug
[patch]
Possible patches for master
tmp.diff.txt (text/plain), 51.24 KB, created by
Stefan Metzmacher
on 2016-04-28 03:05:18 UTC
Description:
Possible patches for master
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2016-04-28 03:05:18 UTC
Size:
51.24 KB
>From e580e26092266a7eb4d850feabb03a0b432db9b2 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 22 Apr 2016 16:18:24 +0200
>Subject: [PATCH 01/27] s4:gensec_tstream: allow wrapped messages up to a size
> of 0xfffffff
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/auth/gensec/gensec_tstream.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
>diff --git a/source4/auth/gensec/gensec_tstream.c b/source4/auth/gensec/gensec_tstream.c
>index 92f4fa6..c828170 100644
>--- a/source4/auth/gensec/gensec_tstream.c
>+++ b/source4/auth/gensec/gensec_tstream.c
>@@ -253,7 +253,11 @@ static int tstream_gensec_readv_next_vector(struct tstream_context *unix_stream,
>
> msg_len = RIVAL(state->wrapped.hdr, 0);
>
>- if (msg_len > 0x00FFFFFF) {
>+ /*
>+ * I got a Windows 2012R2 server responding with
>+ * a message of 0x1b28a33.
>+ */
>+ if (msg_len > 0x0FFFFFFF) {
> errno = EMSGSIZE;
> return -1;
> }
>--
>1.9.1
>
>
>From 99b756cb58a2da9e01bf4bd0de1c4b4f9104b73c Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 22 Apr 2016 16:31:55 +0200
>Subject: [PATCH 02/27] s3:libads/sasl: allow wrapped messages up to a size of
> 0xfffffff
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/libads/sasl.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
>index b8d4527..10f63e8 100644
>--- a/source3/libads/sasl.c
>+++ b/source3/libads/sasl.c
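Review bot: The raised bound in `tstream_gensec_readv_next_vector()` accepts a peer-supplied `msg_len` of up to 0x0FFFFFFF (about 256 MiB), read from the wrapped header before anything has been unwrapped or verified, so the ceiling is also what a peer can ask this side to buffer for one message. The comment records an observed size of 0x1b28a33, which is roughly a tenth of the new limit; a named constant with a comment on why this much headroom is wanted would make the trade-off reviewable (a name such as `GENSEC_TSTREAM_MAX_WRAPPED` is only a suggestion). The buffer allocation is outside this hunk, so confirm how the length is consumed there. Patch 02 uses a named constant for what its subject describes as the same limit in source3/libads/sasl.c; the two could share one definition.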
>@@ -328,7 +328,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
> * arcfour-hmac-md5.
> */
> ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
>- ads->ldap.in.max_wrapped = max_wrapped;
>+ ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
> status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
> if (!ADS_ERR_OK(status)) {
> DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
>@@ -986,7 +986,7 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv
>
> ads->ldap.out.sig_size = max_msg_size - ads->ldap.out.max_unwrapped;
> ads->ldap.in.min_wrapped = 0x2C; /* taken from a capture with LDAP unbind */
>- ads->ldap.in.max_wrapped = max_msg_size;
>+ ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
> status = ads_setup_sasl_wrapping(ads, &ads_sasl_gssapi_ops, context_handle);
> if (!ADS_ERR_OK(status)) {
> DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
>--
>1.9.1
>
>
>From 9b871d6a4b1a134949d6be1c5dd1cc31faf414c6 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Sat, 23 Apr 2016 05:17:25 +0200
>Subject: [PATCH 03/27] auth/spnego: handle broken mechListMIC response from
> Windows 2000
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/gensec/spnego.c | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
>diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
>index 2922478..f82d5bb 100644
>--- a/auth/gensec/spnego.c
>+++ b/auth/gensec/spnego.c
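Review bot: Both `ads->ldap.in.max_wrapped` assignments in source3/libads/sasl.c (in `ads_sasl_spnego_gensec_bind()` and in `ads_sasl_gssapi_do_bind()`) now ignore the negotiated `max_wrapped` / `max_msg_size` and use a fixed ceiling, and nothing at either site says why. A one-line comment such as `/* do not rely on the negotiated size for inbound data; bound it by the fixed maximum */` would keep a later reader from reverting it. ADS_SASL_WRAPPING_IN_MAX_WRAPPED is not defined in this patch, so its value and the check that enforces it have to be confirmed where it is declared. Both functions continue outside the hunks, so whether the local `max_wrapped` still has a reader in the first one cannot be seen here.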
>@@ -1078,6 +1078,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
> }
>
> if (spnego.negTokenTarg.mechListMIC.length > 0) {
>+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
>+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
>+
>+ /*
>+ * Windows 2000 has a bug, it repeats the
>+ * responseToken in the mechListMIC field.
>+ */
>+ if (m->length == r->length) {
>+ int cmp;
>+
>+ cmp = memcmp(m->data, r->data, m->length);
>+ if (cmp == 0) {
>+ data_blob_free(m);
>+ }
>+ }
>+ }
>+
>+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
> if (spnego_state->no_response_expected) {
> spnego_state->needs_mic_check = true;
> }
>--
>1.9.1
>
>
>From 26678e3aeaba609142674a0745d0e8a90e502a80 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 20 Apr 2016 18:44:21 +0200
>Subject: [PATCH 04/27] auth/ntlmssp: don't require any flags in the
> ccache_resume code
>
>ntlmssp_client_challenge() already checks for required flags
>before asking winbindd.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/ntlmssp/ntlmssp_client.c | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
>
>diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
>index b419615..8b367fc 100644
>--- a/auth/ntlmssp/ntlmssp_client.c
>+++ b/auth/ntlmssp/ntlmssp_client.c
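Review bot: Discarding the mechListMIC in `gensec_spnego_update()` when it is byte-identical to the responseToken means the token is then handled as if no MIC had been sent, and the second `if (spnego.negTokenTarg.mechListMIC.length > 0)` no longer sets `needs_mic_check`. Both fields come from the peer's negTokenTarg before any integrity check, so the workaround cannot tell a Windows 2000 reply from a token that was altered in transit to look like one; whether a MIC is still demanded afterwards depends on code outside this hunk. I would say that in the comment and make the workaround visible in traces, e.g. `DEBUG(5, ("ignoring mechListMIC that repeats the responseToken\n"));` next to `data_blob_free(m);`.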
>@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
>
> if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
> gensec_security->want_features |= GENSEC_FEATURE_SIGN;
>-
>- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
> }
>
> if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
> gensec_security->want_features |= GENSEC_FEATURE_SEAL;
>-
>- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
>- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
> }
>
>- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
> ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
>+ ntlmssp_state->required_flags = 0;
>
> if (DEBUGLEVEL >= 10) {
> struct NEGOTIATE_MESSAGE *negotiate = talloc(
>--
>1.9.1
>
>
>From 407f43f4008e18b06c545f5fa6544c0531457bc6 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 20 Apr 2016 18:44:21 +0200
>Subject: [PATCH 05/27] auth/ntlmssp: don't require NTLMSSP_SIGN for smb
> connections
>
>Enforcement of SMB signing is done at the SMB layer.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/ntlmssp/ntlmssp_client.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
>diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
>index 8b367fc..b423f20 100644
>--- a/auth/ntlmssp/ntlmssp_client.c
>+++ b/auth/ntlmssp/ntlmssp_client.c
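Review bot: `ntlmssp_state->required_flags = 0;` in `gensec_ntlmssp_resume_ccache()` leaves this function with no sign/seal requirement of its own, and the only explanation is in the commit message. A comment at that line, for example `/* ntlmssp_client_challenge() already checked the required flags before asking winbindd */`, would keep the dependency visible to whoever next touches either function. The function starts and ends outside the hunk and `ntlmssp_client_challenge()` is not part of this patch, so that check is taken on the commit message's word.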
>@@ -843,8 +843,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
> * Without this, Windows will not create the master key
> * that it thinks is only used for NTLMSSP signing and
> * sealing. (It is actually pulled out and used directly)
>+ *
>+ * We don't require this here as some servers (e.g. NetAPP)
>+ * doesn't support this.
> */
>- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
>+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
> }
> if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
> ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
>--
>1.9.1
>
>
>From e5267f4d14c58a966edad26aea3b9b81ecfbcdf9 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 19 Apr 2016 07:31:50 +0200
>Subject: [PATCH 06/27] s3:libsmb: use password = NULL for anonymous
> connections
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/libsmb/cliconnect.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index 2c351dd..b8a8c7a 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -1325,6 +1325,17 @@ static struct tevent_req *cli_session_setup_gensec_send(
> talloc_set_destructor(
> state, cli_session_setup_gensec_state_destructor);
>
>+ if (user == NULL || strlen(user) == 0) {
>+ if (pass != NULL && strlen(pass) == 0) {
>+ /*
>+ * some callers pass "" as no password
>+ *
>+ * gensec only handles NULL as no password.
>+ */
>+ pass = NULL;
>+ }
>+ }
>+
> status = auth_generic_client_prepare(state, &state->auth_generic);
> if (tevent_req_nterror(req, status)) {
> return tevent_req_post(req, ev);
>--
>1.9.1
>
>
>From 04614f32842204d38db6eef4f7cee1b32baf9f03 Mon Sep 17 00:00:00 2001
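Review bot: The new comment in `gensec_ntlmssp_client_start()` explains why NTLMSSP_NEGOTIATE_SIGN is only offered through `neg_flags`, but not where signing is enforced instead; the commit message has that sentence and the code does not. I would carry it into the comment, e.g. `* We don't require this here as some servers (e.g. NetAPP) don't support it; enforcement of SMB signing is done at the SMB layer.` The condition guarding this branch is outside the hunk.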
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Wed, 20 Apr 2016 20:09:53 +0200
>Subject: [PATCH 07/27] libcli/smb: fix NULL pointer derreference in
> smbXcli_session_is_authenticated().
>
>Guenther
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
>
>Signed-off-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>---
> libcli/smb/smbXcli_base.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
>index 6a71766..e502dc8 100644
>--- a/libcli/smb/smbXcli_base.c
>+++ b/libcli/smb/smbXcli_base.c
>@@ -5305,6 +5305,10 @@ bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
> {
> const DATA_BLOB *application_key;
>
>+ if (session == NULL) {
>+ return false;
>+ }
>+
> if (session->conn == NULL) {
> return false;
> }
>--
>1.9.1
>
>
>From e7a198be7aa752aca6994f8e077205738a3d484e Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 18 Apr 2016 17:33:11 +0200
>Subject: [PATCH 08/27] libcli/smb: add smb1cli_session_set_action() helper
> function
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> libcli/smb/smbXcli_base.c | 7 +++++++
> libcli/smb/smbXcli_base.h | 2 ++
> 2 files changed, 9 insertions(+)
>
>diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
>index e502dc8..d8b85c8 100644
>--- a/libcli/smb/smbXcli_base.c
>+++ b/libcli/smb/smbXcli_base.c
>@@ -167,6 +167,7 @@ struct smbXcli_session {
>
> struct {
> uint16_t session_id;
>+ uint16_t action;
> DATA_BLOB application_key;
> bool protected_key;
> } smb1;
>@@ -5376,6 +5377,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session,
> session->smb1.session_id = session_id;
> }
>
>+void smb1cli_session_set_action(struct smbXcli_session *session,
>+ uint16_t action)
>+{
>+ session->smb1.action = action;
>+}
>+
> NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
> const DATA_BLOB _session_key)
> {
>diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
>index ffccd7e..8eb482a 100644
>--- a/libcli/smb/smbXcli_base.h
>+++ b/libcli/smb/smbXcli_base.h
>@@ -398,6 +398,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session);
> uint16_t smb1cli_session_current_id(struct smbXcli_session* session);
> void smb1cli_session_set_id(struct smbXcli_session* session,
> uint16_t session_id);
>+void smb1cli_session_set_action(struct smbXcli_session *session,
>+ uint16_t action);
> NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
> const DATA_BLOB _session_key);
> NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session);
>--
>1.9.1
>
>
>From 9b572718f6f4959b34883c0c694c1a14c9256a79 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 18 Apr 2016 17:34:21 +0200
>Subject: [PATCH 09/27] libcli/smb: add SMB1 session setup action flags
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> libcli/smb/smb_constants.h | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
>index 57915d9..e03e843 100644
>--- a/libcli/smb/smb_constants.h
>+++ b/libcli/smb/smb_constants.h
>@@ -278,6 +278,12 @@ enum smb_signing_setting {
> CAP_LARGE_WRITEX | \
> 0)
>
>+/*
>+ * The action flags in the SMB session setup response
>+ */
>+#define SMB_SETUP_GUEST 0x0001
>+#define SMB_SETUP_USE_LANMAN_KEY 0x0002
>+
> /* Client-side offline caching policy types */
> enum csc_policy {
> CSC_POLICY_MANUAL=0,
>--
>1.9.1
>
>
>From 3579686412dc29a1ad93e7c29702347ccc8be8dd Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 18 Apr 2016 17:38:46 +0200
>Subject: [PATCH 10/27] libcli/smb: add smbXcli_session_is_guest() helper
> function
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> libcli/smb/smbXcli_base.c | 24 ++++++++++++++++++++++++
> libcli/smb/smbXcli_base.h | 1 +
> 2 files changed, 25 insertions(+)
>
>diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
>index d8b85c8..4332374 100644
>--- a/libcli/smb/smbXcli_base.c
>+++ b/libcli/smb/smbXcli_base.c
>@@ -5302,6 +5302,30 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
> return session;
> }
>
>+bool smbXcli_session_is_guest(struct smbXcli_session *session)
>+{
>+ if (session == NULL) {
>+ return false;
>+ }
>+
>+ if (session->conn == NULL) {
>+ return false;
>+ }
>+
>+ if (session->conn->protocol >= PROTOCOL_SMB2_02) {
>+ if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
>+ return true;
>+ }
>+ return false;
>+ }
>+
>+ if (session->smb1.action & SMB_SETUP_GUEST) {
>+ return true;
>+ }
>+
>+ return false;
>+}
>+
> bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
> {
> const DATA_BLOB *application_key;
>diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
>index 8eb482a..16c8848 100644
>--- a/libcli/smb/smbXcli_base.h
>+++ b/libcli/smb/smbXcli_base.h
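Review bot: `smbXcli_session_is_guest()` guards `session` and `session->conn` against NULL but dereferences `session->smb2` unguarded on the SMB2 branch; if a session can exist on an SMB2 connection before `smb2` is set up (not visible here), it needs the same guard, `if (session->smb2 == NULL) { return false; }`. The function also deserves a short header comment stating that the answer reflects flags taken from the server's session setup response, so callers do not read it as a locally verified fact.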
>@@ -390,6 +390,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
> struct smbXcli_conn *conn);
> struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
> struct smbXcli_session *src);
>+bool smbXcli_session_is_guest(struct smbXcli_session *session);
> bool smbXcli_session_is_authenticated(struct smbXcli_session *session);
> NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
> TALLOC_CTX *mem_ctx,
>--
>1.9.1
>
>
>From fcf499ae3b4fc8e85a4fd5f8e6f891d7a11de15b Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 19 Apr 2016 07:19:19 +0200
>Subject: [PATCH 11/27] s3:libsmb: record the session setup action flags
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/libsmb/cliconnect.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index b8a8c7a..48f499c 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -242,6 +242,7 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
> p = bytes;
>
> cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
>+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
>
> status = smb_bytes_talloc_string(cli,
> inhdr,
>@@ -445,6 +446,7 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
> p = bytes;
>
> cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
>+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
>
> status = smb_bytes_talloc_string(cli,
> inhdr,
>@@ -604,6 +606,7 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
> p = bytes;
>
> cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
>+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
>
> status = smb_bytes_talloc_string(cli,
> inhdr,
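Review bot: Each added `smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));` reads the third parameter word of the server's reply, and in the lanman2, guest and plain handlers here, as well as the nt1 handler in the following hunk, the word-count check that makes `vwv+2` valid lies outside the hunks; confirm each handler rejects short replies before this line. In `cli_sesssetup_blob_done()` the existing `SVAL(vwv+3, 0)` suggests that is already guaranteed. The new calls also spell the object `cli` while the neighbouring line uses `state->cli`; one spelling would make it obvious they are the same connection.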
>@@ -915,6 +918,7 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
> p = bytes;
>
> cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
>+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
>
> status = smb_bytes_talloc_string(cli,
> inhdr,
>@@ -1160,6 +1164,7 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
> state->inbuf = in;
> inhdr = in + NBT_HDR_SIZE;
> cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
>+ smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
>
> blob_length = SVAL(vwv+3, 0);
> if (blob_length > num_bytes) {
>--
>1.9.1
>
>
>From 9a30793bcdf9d01f70b150a3be960de6959adee4 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 19 Apr 2016 07:20:28 +0200
>Subject: [PATCH 12/27] s3:libsmb: don't finish the gensec handshake for guest
> logins
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/libsmb/cliconnect.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index 48f499c..b984087 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -1572,6 +1572,27 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
> }
>
> if (NT_STATUS_IS_OK(status)) {
>+ struct smbXcli_session *session = NULL;
>+ bool is_guest = false;
>+
>+ if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
>+ session = state->cli->smb2.session;
>+ } else {
>+ session = state->cli->smb1.session;
>+ }
>+
>+ is_guest = smbXcli_session_is_guest(session);
>+ if (is_guest) {
>+ /*
>+ * We can't finish the gensec handshake, we don't
>+ * have a negotiated session key.
>+ *
>+ * So just pretend we are completely done.
>+ */
>+ state->blob_in = data_blob_null;
>+ state->local_ready = true;
>+ }
>+
> state->remote_ready = true;
> }
>
>--
>1.9.1
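Review bot: In `cli_session_setup_gensec_remote_done()` the guest branch sets `state->local_ready = true` on the strength of a flag taken from the server's session setup response, so a caller that supplied real credentials ends up with an unauthenticated session and no session key without any signal. If that is acceptable only when signing is not mandatory, the check belongs here or the comment should point to where it lives; whether the SMB layer refuses this case is not visible in the hunk. At minimum I would log it, e.g. `DEBUG(3, ("server granted guest access, not finishing the gensec handshake\n"));`.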
>
>
>From 705a4d907c1b259f83533a096486136e77afd5c8 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 19 Apr 2016 07:33:03 +0200
>Subject: [PATCH 13/27] s3:libsmb: use anonymous authentication via spnego if
> possible
>
>This makes the authentication consistent against between
>SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
>and SNB2.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/libsmb/cliconnect.c | 55 ++++++++++++++++++++++++---------------------
> 1 file changed, 29 insertions(+), 26 deletions(-)
>
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index b984087..ea92c8f 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -1643,6 +1643,19 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
> }
> }
>
>+ if (state->is_anonymous) {
>+ /*
>+ * Windows server does not set the
>+ * SMB2_SESSION_FLAG_IS_NULL flag.
>+ *
>+ * This fix makes sure we do not try
>+ * to verify a signature on the final
>+ * session setup response.
>+ */
>+ tevent_req_done(req);
>+ return;
>+ }
>+
> status = gensec_session_key(state->auth_generic->gensec_security,
> state, &state->session_key);
> if (tevent_req_nterror(req, status)) {
>@@ -1652,20 +1665,6 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
> if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
> struct smbXcli_session *session = state->cli->smb2.session;
>
>- if (state->is_anonymous) {
>- /*
>- * Windows server does not set the
>- * SMB2_SESSION_FLAG_IS_GUEST nor
>- * SMB2_SESSION_FLAG_IS_NULL flag.
>- *
>- * This fix makes sure we do not try
>- * to verify a signature on the final
>- * session setup response.
>- */
>- tevent_req_done(req);
>- return;
>- }
>-
> status = smb2cli_session_set_session_key(session,
> state->session_key,
> state->recv_iov);
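Review bot: Moving the `state->is_anonymous` early return above `gensec_session_key()` in `cli_session_setup_gensec_ready()` means anonymous sessions now finish without a session key on SMB1 as well as on SMB2, but the moved comment still speaks only of an SMB2 flag and of signature verification. I would add a sentence such as `* Anonymous sessions carry no session key, so key setup is skipped for SMB1 and SMB2 alike.` so the wider scope is stated where the code is. The function begins outside the first hunk and continues past the second.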
>@@ -2095,6 +2094,21 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
> return req;
> }
>
>+ /*
>+ * if the server supports extended security then use SPNEGO
>+ * even for anonymous connections.
>+ */
>+ if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
>+ subreq = cli_session_setup_spnego_send(
>+ state, ev, cli, user, pass, workgroup);
>+ if (tevent_req_nomem(subreq, req)) {
>+ return tevent_req_post(req, ev);
>+ }
>+ tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
>+ req);
>+ return req;
>+ }
>+
> /* if no user is supplied then we have to do an anonymous connection.
> passwords are ignored */
>
>@@ -2143,18 +2157,7 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
> return req;
> }
>
>- /* if the server supports extended security then use SPNEGO */
>-
>- if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
>- subreq = cli_session_setup_spnego_send(
>- state, ev, cli, user, pass, workgroup);
>- if (tevent_req_nomem(subreq, req)) {
>- return tevent_req_post(req, ev);
>- }
>- tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
>- req);
>- return req;
>- } else {
>+ {
> /* otherwise do a NT1 style session setup */
> if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
> /*
>--
>1.9.1
>
>
>From 4fdb8c1be71de31a80e6cd4b15df075e7ce71b7d Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 22 Apr 2016 10:04:38 +0200
>Subject: [PATCH 14/27] auth/spnego: only try to verify the mechListMic if
> signing was negotiated.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/gensec/spnego.c | 18 ++++++++++--------
> 1 file changed, 10 insertions(+), 8 deletions(-)
>
>diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
>index f82d5bb..1323bfe 100644
>--- a/auth/gensec/spnego.c
>+++ b/auth/gensec/spnego.c
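Review bot: The `} else {` to `{` change in `cli_session_setup_send()` leaves the NT1 path inside a bare block, which reads like a lost condition. Dropping the braces and re-indenting, or a comment on the `{` such as `/* block kept only to limit the diff */`, would avoid that. Separately, the SPNEGO branch now runs ahead of the anonymous handling and of whatever else sits between the two hunks and is not shown; confirm none of those checks was meant to apply to servers with CAP_EXTENDED_SECURITY as well.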
>@@ -885,6 +885,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
> case SPNEGO_SERVER_TARG:
> {
> NTSTATUS nt_status;
>+ bool have_sign = true;
> bool new_spnego = false;
>
> if (!in.length) {
>@@ -947,18 +948,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
> goto server_response;
> }
>
>+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
>+ GENSEC_FEATURE_SIGN);
> new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
> GENSEC_FEATURE_NEW_SPNEGO);
> if (spnego.negTokenTarg.mechListMIC.length > 0) {
> new_spnego = true;
> }
>
>- if (new_spnego) {
>+ if (have_sign && new_spnego) {
> spnego_state->needs_mic_check = true;
> spnego_state->needs_mic_sign = true;
> }
>
>- if (spnego.negTokenTarg.mechListMIC.length > 0) {
>+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
> nt_status = gensec_check_packet(spnego_state->sub_sec_security,
> spnego_state->mech_types.data,
> spnego_state->mech_types.length,
>@@ -1142,8 +1145,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
> if (spnego_state->no_response_expected &&
> !spnego_state->done_mic_check)
> {
>+ bool have_sign = true;
> bool new_spnego = false;
>
>+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
>+ GENSEC_FEATURE_SIGN);
> new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
> GENSEC_FEATURE_NEW_SPNEGO);
>
>@@ -1170,16 +1176,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
> }
>
> if (spnego_state->mic_requested) {
>- bool sign;
>-
>- sign = gensec_have_feature(spnego_state->sub_sec_security,
>- GENSEC_FEATURE_SIGN);
>- if (sign) {
>+ if (have_sign) {
> new_spnego = true;
> }
> }
>
>- if (new_spnego) {
>+ if (have_sign && new_spnego) {
> spnego_state->needs_mic_check = true;
> spnego_state->needs_mic_sign = true;
> }
>--
>1.9.1
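Review bot: When `have_sign` is false, a mechListMIC that the peer did send is now skipped silently in the SPNEGO_SERVER_TARG path of `gensec_spnego_update()`, and the mechanism list goes unverified. That is the stated intent, but it is exactly the case someone will later need to find in a log, so I would add e.g. `DEBUG(5, ("mechListMIC present but signing not negotiated, not verifying it\n"));` for the case where `spnego.negTokenTarg.mechListMIC.length > 0` and `have_sign` is false. `bool have_sign = true;` is also a default that is replaced before any visible use; in the server case the lines between the declaration and the `gensec_have_feature()` call are outside the hunks, so either note why the default is `true` or confirm no path reads it in between.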
>
>
>From 7bcc6529a4e1b790052c060c22b650f73e2b5c0c Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 27 Apr 2016 01:44:56 +0200
>Subject: [PATCH 15/27] s4:auth_anonymous: anonymous authentication doesn't
> allow a password
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source4/auth/ntlm/auth_anonymous.c | 30 ++++++++++++++++++++++++++++++
> 1 file changed, 30 insertions(+)
>
>diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c
>index 28cbfe8..ab1aac2 100644
>--- a/source4/auth/ntlm/auth_anonymous.c
>+++ b/source4/auth/ntlm/auth_anonymous.c
>@@ -41,6 +41,36 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
> return NT_STATUS_NOT_IMPLEMENTED;
> }
>
>+ switch (user_info->password_state) {
>+ case AUTH_PASSWORD_PLAIN:
>+ if (user_info->password.plaintext != NULL &&
>+ strlen(user_info->password.plaintext) > 0)
>+ {
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ break;
>+ case AUTH_PASSWORD_HASH:
>+ if (user_info->password.hash.lanman != NULL) {
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ if (user_info->password.hash.nt != NULL) {
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ break;
>+ case AUTH_PASSWORD_RESPONSE:
>+ if (user_info->password.response.lanman.length == 1) {
>+ if (user_info->password.response.lanman.data[0] != '\0') {
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ } else if (user_info->password.response.lanman.length > 1) {
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ if (user_info->password.response.nt.length > 0) {
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ break;
>+ }
>+
> return NT_STATUS_OK;
> }
>
>--
>1.9.1
>
>
>From f24612169f086b0a83bc187b0f0b61a70e979230 Mon Sep 17 00:00:00 2001
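Review bot: The `switch (user_info->password_state)` in `anonymous_want_check()` has no `default:`, so any password state other than the three listed (should the enum have or gain one) falls through to `return NT_STATUS_OK;` and is accepted as anonymous; `default: return NT_STATUS_NOT_IMPLEMENTED;` would fail closed. The same switch is repeated in `check_guest_security()` in source3/auth/auth_builtin.c (patch 16), where the fall-through ends in `make_server_info_guest()`, and two copies of an authentication rule can drift; a shared helper would avoid that. The special case of a one-byte lanman response holding `'\0'` also needs a comment saying why it counts as no password.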
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 27 Apr 2016 01:48:32 +0200
>Subject: [PATCH 16/27] s3:auth_builtin: anonymous authentication doesn't allow
> a password
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/auth/auth_builtin.c | 47 ++++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 40 insertions(+), 7 deletions(-)
>
>diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
>index dce58bf..7480799 100644
>--- a/source3/auth/auth_builtin.c
>+++ b/source3/auth/auth_builtin.c
>@@ -38,17 +38,50 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
> const struct auth_usersupplied_info *user_info,
> struct auth_serversupplied_info **server_info)
> {
>- /* mark this as 'not for me' */
>- NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
>-
> DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
>
>- if (!(user_info->mapped.account_name
>- && *user_info->mapped.account_name)) {
>- nt_status = make_server_info_guest(NULL, server_info);
>+ if (user_info->mapped.account_name && *user_info->mapped.account_name) {
>+ /* mark this as 'not for me' */
>+ return NT_STATUS_NOT_IMPLEMENTED;
> }
>
>- return nt_status;
>+ switch (user_info->password_state) {
>+ case AUTH_PASSWORD_PLAIN:
>+ if (user_info->password.plaintext != NULL &&
>+ strlen(user_info->password.plaintext) > 0)
>+ {
>+ /* mark this as 'not for me' */
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ break;
>+ case AUTH_PASSWORD_HASH:
>+ if (user_info->password.hash.lanman != NULL) {
>+ /* mark this as 'not for me' */
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ if (user_info->password.hash.nt != NULL) {
>+ /* mark this as 'not for me' */
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ break;
>+ case AUTH_PASSWORD_RESPONSE:
>+ if (user_info->password.response.lanman.length == 1) {
>+ if (user_info->password.response.lanman.data[0] != '\0') {
>+ /* mark this as 'not for me' */
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ } else if (user_info->password.response.lanman.length > 1) {
>+ /* mark this as 'not for me' */
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ if (user_info->password.response.nt.length > 0) {
>+ /* mark this as 'not for me' */
>+ return NT_STATUS_NOT_IMPLEMENTED;
>+ }
>+ break;
>+ }
>+
>+ return make_server_info_guest(NULL, server_info);
> }
>
> /* Guest modules initialisation */
>--
>1.9.1
>
>
>From dab10fb41411239af7b013226e1638e65f83f9da Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 20 Apr 2016 16:29:42 +0200
>Subject: [PATCH 17/27] libcli/security: implement SECURITY_GUEST
>
>SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> libcli/security/security_token.c | 5 +++++
> libcli/security/security_token.h | 2 ++
> libcli/security/session.c | 4 ++++
> libcli/security/session.h | 1 +
> 4 files changed, 12 insertions(+)
>
>diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
>index 6812d42..2e5a87b 100644
>--- a/libcli/security/security_token.c
>+++ b/libcli/security/security_token.c
>@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha
> return ret;
> }
>
>+bool security_token_has_builtin_guests(const struct security_token *token)
>+{
>+ return security_token_has_sid(token, &global_sid_Builtin_Guests);
>+}
>+
> bool security_token_has_builtin_administrators(const struct security_token *token)
> {
> return security_token_has_sid(token, &global_sid_Builtin_Administrators);
>diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
>index b8ca990..5c5b30b 100644
>--- a/libcli/security/security_token.h
>+++ b/libcli/security/security_token.h
>@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
>
> bool security_token_has_sid_string(const struct security_token *token, const char *sid_string);
>
>+bool security_token_has_builtin_guests(const struct security_token *token);
>+
> bool security_token_has_builtin_administrators(const struct security_token *token);
>
> bool security_token_has_nt_authenticated_users(const struct security_token *token);
>diff --git a/libcli/security/session.c b/libcli/security/session.c
>index 0c32556..0fbb87d 100644
>--- a/libcli/security/session.c
>+++ b/libcli/security/session.c
>@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
> return SECURITY_ANONYMOUS;
> }
>
>+ if (security_token_has_builtin_guests(session_info->security_token)) {
>+ return SECURITY_GUEST;
>+ }
>+
> if (security_token_has_builtin_administrators(session_info->security_token)) {
> return SECURITY_ADMINISTRATOR;
> }
>diff --git a/libcli/security/session.h b/libcli/security/session.h
>index ee9187d..31e950e 100644
>--- a/libcli/security/session.h
>+++ b/libcli/security/session.h
>@@ -24,6 +24,7 @@
>
> enum security_user_level {
> SECURITY_ANONYMOUS = 0,
>+ SECURITY_GUEST = 1,
> SECURITY_USER = 10,
> SECURITY_RO_DOMAIN_CONTROLLER = 20,
> SECURITY_DOMAIN_CONTROLLER = 30,
>--
>1.9.1
>
>
>From 199f5248cb572b76bafe7930d0a4b0a930ba7478 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 18 Apr 2016 17:36:56 +0200
>Subject: [PATCH 18/27] s3:smbd: make use SMB_SETUP_GUEST constant
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/smbd/sesssetup.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
>index b7fdd00..88cbf97 100644
>--- a/source3/smbd/sesssetup.c
>+++ b/source3/smbd/sesssetup.c
>@@ -294,7 +294,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
> }
>
> if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>- action = 1;
>+ action |= SMB_SETUP_GUEST;
> }
>
> if (session_info->session_key.length > 0) {
>@@ -420,7 +420,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
> }
>
> if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>- action = 1;
>+ action |= SMB_SETUP_GUEST;
> }
>
> /*
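Review bot: In `security_session_user_level()` the Builtin Guests test sits ahead of the Builtin Administrators test, so a token carrying both SIDs is now reported as SECURITY_GUEST; that is the conservative order, but it is a behaviour change that deserves a comment, e.g. `/* checked before administrators: guest membership always wins */`. SECURITY_GUEST = 1 also stays below SECURITY_USER, so every existing `< SECURITY_USER` comparison keeps treating guest and anonymous alike, while any `== SECURITY_ANONYMOUS` comparison stops matching guests; callers of either form are outside this patch and worth a grep. The function begins and ends outside the hunk.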
>@@ -949,7 +949,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
> }
>
> if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>- action = 1;
>+ action |= SMB_SETUP_GUEST;
> }
>
> /* register the name and uid as being validated, so further connections
>--
>1.9.1
>
>
>From 7c868e1290398e89c6c840fb7e5d12796f9e266f Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 20 Apr 2016 16:34:28 +0200
>Subject: [PATCH 19/27] s3:smbd: only mark real guest sessions with the GUEST
> flag
>
>Real anonymous sessions don't get it.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/smbd/sesssetup.c | 6 +++---
> source3/smbd/smb2_sesssetup.c | 7 ++++---
> 2 files changed, 7 insertions(+), 6 deletions(-)
>
>diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
>index 88cbf97..62dc49e 100644
>--- a/source3/smbd/sesssetup.c
>+++ b/source3/smbd/sesssetup.c
>@@ -293,7 +293,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
> return;
> }
>
>- if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
> action |= SMB_SETUP_GUEST;
> }
>
>@@ -419,7 +419,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
> return;
> }
>
>- if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
> action |= SMB_SETUP_GUEST;
> }
>
>@@ -948,7 +948,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
> /* perhaps grab OS version here?? */
> }
>
>- if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
> action |= SMB_SETUP_GUEST;
> }
>
>diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
>index 78bda7b..821024f 100644
>--- a/source3/smbd/smb2_sesssetup.c
>+++ b/source3/smbd/smb2_sesssetup.c
>@@ -278,11 +278,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
> }
>
> if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>- /* we map anonymous to guest internally */
>- *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
>- *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
>+ if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
>+ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
>+ }
> /* force no signing */
> x->global->signing_flags &= ~SMBXSRV_SIGNING_REQUIRED;
>+ /* we map anonymous to guest internally */
> guest = true;
> }
>
>--
>1.9.1
>
>
>From f6f8e7b792a686488792db5f1792807109833edb Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 20 Apr 2016 18:27:34 +0200
>Subject: [PATCH 20/27] auth/ntlmssp: do map to guest checking after the
> authentication
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/ntlmssp/gensec_ntlmssp_server.c | 16 +--------------
> auth/ntlmssp/ntlmssp_server.c | 40 ++++++++++++++++++++++++++++++++++++
> 2 files changed, 41 insertions(+), 15 deletions(-)
>
>diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
>index ca19863..120c6e0 100644
>--- a/auth/ntlmssp/gensec_ntlmssp_server.c
>+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
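Review bot: `SMB2_SESSION_FLAG_IS_NULL` is no longer set on any path in `smbd_smb2_auth_generic_return`, but the commit message only talks about the GUEST flag; if dropping the NULL flag for anonymous sessions is intended, a comment in the branch should say why, because clients see this flag in the session setup response. The user level is also computed twice in a row; a local such as `enum security_user_level level = security_session_user_level(session_info, NULL);` used in both conditions would be easier to read. Signing is still forced off for anonymous and guest sessions alike, which the existing `/* force no signing */` comment does not explain. The function starts before the hunk and continues after it.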
>@@ -131,21 +131,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
> ntlmssp_state->allow_lm_key = true;
> }
>
>- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
>- /*
>- * map to guest is not secure anyway, so
>- * try to make it work and don't try to
>- * negotiate new_spnego and MIC checking
>- */
>- ntlmssp_state->force_old_spnego = true;
>- }
>-
>- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
>- /*
>- * map to guest is not supported on an AD DC.
>- */
>- ntlmssp_state->force_old_spnego = false;
>- }
>+ ntlmssp_state->force_old_spnego = false;
>
> ntlmssp_state->neg_flags =
> NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
>diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
>index 17d5ade..ddee875 100644
>--- a/auth/ntlmssp/ntlmssp_server.c
>+++ b/auth/ntlmssp/ntlmssp_server.c
>@@ -31,6 +31,9 @@
> #include "auth/gensec/gensec.h"
> #include "auth/gensec/gensec_internal.h"
> #include "auth/common_auth.h"
>+#include "param/param.h"
>+#include "param/loadparm.h"
>+#include "libcli/security/session.h"
>
> /**
> * Determine correct target name flags for reply, given server role
>@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
> struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
> struct auth4_context *auth_context = gensec_security->auth_context;
> NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
>+ struct auth_session_info *session_info = NULL;
> struct auth_usersupplied_info *user_info;
>
> user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
>@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
>
> NT_STATUS_NOT_OK_RETURN(nt_status);
>
>+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
>+ && auth_context->generate_session_info != NULL)
>+ {
>+ NTSTATUS tmp_status;
>+
>+ /*
>+ * We need to check if the auth is anonymous or mapped to guest
>+ */
>+ tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
>+ gensec_ntlmssp->server_returned_info,
>+ gensec_ntlmssp->ntlmssp_state->user,
>+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
>+ &session_info);
>+ if (!NT_STATUS_IS_OK(tmp_status)) {
>+ /*
>+ * We don't care about failures,
>+ * the worst result is that we try MIC checking
>+ * for a map to guest authentication.
>+ */
>+ TALLOC_FREE(session_info);
>+ }
>+ }
>+
>+ if (session_info != NULL) {
>+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
>+ /*
>+ * Anonymous and GUEST are not secure anyway.
>+ * avoid new_spnego and MIC checking.
>+ */
>+ ntlmssp_state->new_spnego = false;
>+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
>+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
>+ }
>+ TALLOC_FREE(session_info);
>+ }
>+
> talloc_steal(mem_ctx, user_session_key->data);
> talloc_steal(mem_ctx, lm_session_key->data);
>
>--
>1.9.1
>
>
>From d81adfca229ac977c40e405ea3ecdd43e04ded1a Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 25 Apr 2016 14:45:55 +0200
>Subject: [PATCH 21/27] auth/spnego: add spnego:simulate_w2k option for testing
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/gensec/spnego.c | 28 +++++++++++++++++++++++++++-
> 1 file changed, 27 insertions(+), 1 deletion(-)
>
>diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
>index 1323bfe..0b49b1a 100644
>--- a/auth/gensec/spnego.c
>+++ b/auth/gensec/spnego.c
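Review bot: When `generate_session_info` fails in `ntlmssp_server_check_password`, the status is dropped without a trace, so the logs cannot show why a mapped-to-guest login went on to MIC checking; a line such as `DEBUG(5, ("generate_session_info failed: %s\n", nt_errstr(tmp_status)));` before the `TALLOC_FREE` would cover it. The lookup is also skipped entirely when `map to guest` is `never`, so in that configuration an anonymous login keeps `new_spnego` and the SIGN/SEAL flags although the comment calls anonymous "not secure anyway"; if that difference is intended, the comment should say so. Clearing `NTLMSSP_NEGOTIATE_SIGN` and `NTLMSSP_NEGOTIATE_SEAL` here is a deliberate protection downgrade for those sessions and is decided from the server-side session info, which is worth stating in the comment too. The function starts before the hunk and continues after it.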
>@@ -59,6 +59,8 @@ struct spnego_state {
> bool needs_mic_check;
> bool done_mic_check;
>
>+ bool simulate_w2k;
>+
> /*
> * The following is used to implement
> * the update token fragmentation
>@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
> spnego_state->out_max_length = gensec_max_update_size(gensec_security);
> spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
>
>+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
>+ "spnego", "simulate_w2k", false);
>+
> gensec_security->private_data = spnego_state;
> return NT_STATUS_OK;
> }
>@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
> spnego_state->out_max_length = gensec_max_update_size(gensec_security);
> spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
>
>+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
>+ "spnego", "simulate_w2k", false);
>+
> gensec_security->private_data = spnego_state;
> return NT_STATUS_OK;
> }
>@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
> spnego.negTokenInit.mechToken,
> &unwrapped_out);
>
>+ if (spnego_state->simulate_w2k) {
>+ /*
>+ * Windows 2000 returns the unwrapped token
>+ * also in the mech_list_mic field.
>+ *
>+ * In order to verify our client code,
>+ * we need a way to have a server with this
>+ * broken behaviour
>+ */
>+ mech_list_mic = unwrapped_out;
>+ }
>+
> nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
> out_mem_ctx,
> nt_status,
> unwrapped_out,
>- null_data_blob,
>+ mech_list_mic,
> out);
>
> spnego_free_data(&spnego);
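Review bot: `spnego:simulate_w2k` is read with `gensec_setting_bool()` in both `gensec_spnego_client_start` and `gensec_spnego_server_start`, so an option the subject describes as being for testing can be switched on from any configuration. The later hunks use it to force `have_sign = false` and to send the unwrapped token in the mechListMIC field, which appears to take the mechListMIC protection out of the exchange. The assignment should carry a comment to that effect, e.g. `/* testing only: emulates Windows 2000 and weakens SPNEGO protection, never set in production */`, and the option should be documented as unsupported outside selftest. Both start functions begin before their hunks.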
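Review bot: In the hunk at -775, `mech_list_mic` replaces `null_data_blob` in the call to `gensec_spnego_server_negTokenTarg()` on every path, not only when `simulate_w2k` is set, and its declaration and initial value are outside the hunk. Unless it is an empty blob at this point, the normal path now passes something different from before. Setting it on both paths, `mech_list_mic = spnego_state->simulate_w2k ? unwrapped_out : null_data_blob;` with the existing comment kept above it, would make the non-test behaviour visibly unchanged. `gensec_spnego_update` starts before the hunk and continues after it.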
>@@ -950,6 +970,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
>
> have_sign = gensec_have_feature(spnego_state->sub_sec_security,
> GENSEC_FEATURE_SIGN);
>+ if (spnego_state->simulate_w2k) {
>+ have_sign = false;
>+ }
> new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
> GENSEC_FEATURE_NEW_SPNEGO);
> if (spnego.negTokenTarg.mechListMIC.length > 0) {
>@@ -1150,6 +1173,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
>
> have_sign = gensec_have_feature(spnego_state->sub_sec_security,
> GENSEC_FEATURE_SIGN);
>+ if (spnego_state->simulate_w2k) {
>+ have_sign = false;
>+ }
> new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
> GENSEC_FEATURE_NEW_SPNEGO);
>
>--
>1.9.1
>
>
>From 7d4bc76496f946b4aa9507dbe2ed76352ec05379 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 25 Apr 2016 15:58:27 +0200
>Subject: [PATCH 22/27] auth/ntlmssp: add
> ntlmssp_{client,server}:force_old_spnego option for testing
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/ntlmssp/gensec_ntlmssp_server.c | 7 +++++++
> auth/ntlmssp/ntlmssp_client.c | 3 +++
> 2 files changed, 10 insertions(+)
>
>diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
>index 120c6e0..99cedd0 100644
>--- a/auth/ntlmssp/gensec_ntlmssp_server.c
>+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
>@@ -133,6 +133,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
>
> ntlmssp_state->force_old_spnego = false;
>
>+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
>+ /*
>+ * For testing Windows 2000 mode
>+ */
>+ ntlmssp_state->force_old_spnego = true;
>+ }
>+
> ntlmssp_state->neg_flags =
> NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
>
>diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
>index b423f20..5edd5f4 100644
>--- a/auth/ntlmssp/ntlmssp_client.c
>+++ b/auth/ntlmssp/ntlmssp_client.c
>@@ -784,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
>
> ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
>
>+ ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
>+ "ntlmssp_client", "force_old_spnego", false);
>+
> ntlmssp_state->expected_state = NTLMSSP_INITIAL;
>
> ntlmssp_state->neg_flags =
>--
>1.9.1
>
>
>From b369691e42d05864b98bc936f7074e05efdef4c5 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 26 Apr 2016 08:50:00 +0200
>Subject: [PATCH 23/27] selftest:Samba4: provide DC_* variables for fl2000dc
> and fl2008r2dc
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/target/Samba4.pm | 14 ++++++++++++++
> 1 file changed, 14 insertions(+)
>
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index eddcfa6..0ac386c0 100755
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
>@@ -1391,6 +1391,13 @@ sub provision_fl2000dc($$)
> warn("Unable to add wins configuration");
> return undef;
> }
>+ $ret->{DC_SERVER} = $ret->{SERVER};
>+ $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
>+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
>+ $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
>+ $ret->{DC_USERNAME} = $ret->{USERNAME};
>+ $ret->{DC_PASSWORD} = $ret->{PASSWORD};
>+ $ret->{DC_REALM} = $ret->{REALM};
>
> return $ret;
> }
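Review bot: The server side of patch 22 sets `force_old_spnego` in two steps, an unconditional `false` followed by an `if` that sets `true`, while the client hunk in ntlmssp_client.c assigns the setting directly. A single `ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false);` does the same and matches the client. Going by the comments in the preceding patch, old SPNEGO goes together with skipping MIC checking, so the comment `For testing Windows 2000 mode` should also say that the switch weakens the exchange and is not meant for production configurations. `gensec_ntlmssp_server_start` starts before the hunk and continues after it.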
>@@ -1474,6 +1481,13 @@ sub provision_fl2008r2dc($$$)
> warn("Unable to add wins configuration");
> return undef;
> }
>+ $ret->{DC_SERVER} = $ret->{SERVER};
>+ $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
>+ $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
>+ $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
>+ $ret->{DC_USERNAME} = $ret->{USERNAME};
>+ $ret->{DC_PASSWORD} = $ret->{PASSWORD};
>+ $ret->{DC_REALM} = $ret->{REALM};
>
> return $ret;
> }
>--
>1.9.1
>
>
>From 214d0703996b15770d9cddab53f09fa98c198a26 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 26 Apr 2016 11:33:52 +0200
>Subject: [PATCH 24/27] s3:test_smbclient_auth.sh: this script reqiures 5
> arguments
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/script/tests/test_smbclient_auth.sh | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh
>index cc075b9..1681772 100755
>--- a/source3/script/tests/test_smbclient_auth.sh
>+++ b/source3/script/tests/test_smbclient_auth.sh
>@@ -2,7 +2,7 @@
>
> # this runs the file serving tests that are expected to pass with samba3 against shares with various options
>
>-if [ $# -lt 4 ]; then
>+if [ $# -lt 5 ]; then
> cat <<EOF
> Usage: test_smbclient_auth.sh SERVER SERVER_IP USERNAME PASSWORD SMBCLIENT <smbclient arguments>
> EOF
>--
>1.9.1
>
>
>From 979936b52d4fd01e8fdc60e90035c817a8160665 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 27 Apr 2016 01:00:14 +0200
>Subject: [PATCH 25/27] selftest:Samba4: let fl2000dc use Windows2000
> supported_enctypes
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/target/Samba.pm | 13 +++++++++++++
> selftest/target/Samba4.pm | 3 +++
> 2 files changed, 16 insertions(+)
>
>diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
>index 6ca1036..17a2bbe 100644
>--- a/selftest/target/Samba.pm
>+++ b/selftest/target/Samba.pm
>@@ -200,6 +200,19 @@ sub mk_krb5_conf($$)
> forwardable = yes
> allow_weak_crypto = yes
>
>+";
>+
>+ if (defined($ctx->{supported_enctypes})) {
>+ print KRB5CONF "
>+ default_etypes = $ctx->{supported_enctypes}
>+ default_as_etypes = $ctx->{supported_enctypes}
>+ default_tgs_enctypes = $ctx->{supported_enctypes}
>+ default_tkt_enctypes = $ctx->{supported_enctypes}
>+ permitted_enctypes = $ctx->{supported_enctypes}
>+";
>+ }
>+
>+ print KRB5CONF "
> [realms]
> $our_realms_stanza
> ";
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index 0ac386c0..7bd4cad 100755
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
>@@ -386,6 +386,9 @@ sub provision_raw_prepare($$$$$$$$$$$)
> $ctx->{password} = $password;
> $ctx->{kdc_ipv4} = $kdc_ipv4;
> $ctx->{kdc_ipv6} = $kdc_ipv6;
>+ if ($functional_level eq "2000") {
>+ $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc"
>+ }
>
> # 
> # Set smbd log level here.
>--
>1.9.1
>
>
>From 03c07593e6d658434e2b63014352b2308f2108a3 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 25 Apr 2016 16:02:22 +0200
>Subject: [PATCH 26/27] selftest:Samba4: let fl2000dc use Windows2000 style
> SPNEGO/NTLMSSP
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/target/Samba4.pm | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
>diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
>index 7bd4cad..2d30dcf 100755
>--- a/selftest/target/Samba4.pm
>+++ b/selftest/target/Samba4.pm
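Review bot: The assignment inside the new `if ($functional_level eq "2000")` block in `provision_raw_prepare` has no terminating semicolon; Perl accepts that for the last statement of a block, but the next line added there will break, so write `$ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc";`. A one-line comment saying that these RC4 and single-DES types are there only to imitate a Windows 2000 DC in the fl2000dc test environment would keep the list from being copied into other environments. The sub starts before the hunk and continues after it.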
>@@ -1377,6 +1377,10 @@ sub provision_fl2000dc($$)
> my ($self, $prefix) = @_;
>
> print "PROVISIONING DC WITH FOREST LEVEL 2000...";
>+ my $extra_conf_options = "
>+ spnego:simulate_w2k=yes
>+ ntlmssp_server:force_old_spnego=yes
>+";
> my $ret = $self->provision($prefix,
> "domain controller",
> "dc5",
>@@ -1386,7 +1390,7 @@ sub provision_fl2000dc($$)
> "locDCpass5",
> undef,
> undef,
>- "",
>+ $extra_conf_options,
> "",
> undef);
>
>--
>1.9.1
>
>
>From b6988c3288b8d73b45018b59e534bd72c6a41a63 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 25 Apr 2016 16:12:47 +0200
>Subject: [PATCH 27/27] s3:selftest: add smbclient_ntlm tests
>
>We test all combinations of NT1 with and without spnego and SMB3
>for user, anonymous and guest authentication.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++++++++++++++++++
> source3/selftest/tests.py | 4 ++-
> 2 files changed, 43 insertions(+), 1 deletion(-)
> create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
>
>diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
>new file mode 100755
>index 0000000..b8fc564
>--- /dev/null
>+++ b/source3/script/tests/test_smbclient_ntlm.sh
>@@ -0,0 +1,40 @@ >+#!/bin/sh >+ >+# this runs a smbclient based authentication tests >+ >+if [ $# -lt 5 ]; then >+cat <<EOF >+Usage: test_smbclient_ntlm.sh SERVER USERNAME PASSWORD MAPTOGUEST SMBCLIENT <smbclient arguments> >+EOF >+exit 1; >+fi >+ >+SERVER="$1" >+USERNAME="$2" >+PASSWORD="$3" >+MAPTOGUEST="$4" >+SMBCLIENT="$5" >+SMBCLIENT="$VALGRIND ${SMBCLIENT}" >+shift 5 >+ADDARGS="$*" >+ >+incdir=`dirname $0`/../../../testprogs/blackbox >+. $incdir/subunit.sh >+ >+testit "smbclient username.password.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS >+testit "smbclient username.password.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 -c quit $ADDARGS >+testit "smbclient username.password.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mSMB3 -c quit $ADDARGS >+ >+testit "smbclient anonymous.nopassword.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS >+testit "smbclient anonymous.nopassword.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 -c quit $ADDARGS >+testit "smbclient anonymous.nopassword.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mSMB3 -c quit $ADDARGS >+if test x"${MAPTOGUEST}" = x"never" ; then >+ testit_expect_failure "smbclient anonymous.badpassword.NT1NEW.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS >+ testit_expect_failure "smbclient anonymous.badpassword.SMB3.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS >+else >+ testit "smbclient anonymous.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS >+ testit "smbclient anonymous.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS >+ >+ testit "smbclient 
baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS >+ testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS >+fi >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 54b5136..2bd4110 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -129,8 +129,9 @@ for options in ["--option=clientusespnego=no", " --option=clientntlmv2auth=no -- > env = "nt4_dc" > plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options]) > >-for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc_ntvfs", "s4member"]: >+for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc_ntvfs", "s4member", "fl2000dc"]: > plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration]) >+ plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration]) > > for env in ["nt4_dc", "nt4_member", "ad_member"]: > plantestsuite("samba3.blackbox.smbclient_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration]) 
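Review bot: The `incdir` assignment in test_smbclient_ntlm.sh expands `dirname $0` unquoted and the following `. $incdir/subunit.sh` is unquoted as well, so the script cannot find subunit.sh when the source tree path contains a space; `incdir="$(dirname "$0")/../../../testprogs/blackbox"` and `. "$incdir/subunit.sh"` avoid that. The header comment should also say what MAPTOGUEST accepts, because only the literal `never` is tested and every other value selects the guest expectations. The `badpassword` cases cover NT1NEW and SMB3 only, while the commit message promises all combinations, so either NT1OLD variants are missing or the message should say why they are left out.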
>@@ -159,6 +160,7 @@ for env in ["maptoguest", "simpleserver"]: > > env = "maptoguest" > plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) bad username" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', 'notmy$USERNAME', '$PASSWORD', smbclient3, configuration + " --option=clientntlmv2auth=no --option=clientlanmanauth=yes"]) >+plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$USERNAME', '$PASSWORD', "baduser", smbclient3, configuration]) > > # plain > for env in ["nt4_dc"]: >-- >1.9.1 >