From 8dabdaaa48b66d2730ee0a2af850ad1fcb9661b8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 22 Apr 2016 16:18:24 +0200 Subject: [PATCH 01/30] s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 8704958fb3b212b401a8e7d94fdd9c627adbde0d) --- source4/auth/gensec/gensec_tstream.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/source4/auth/gensec/gensec_tstream.c b/source4/auth/gensec/gensec_tstream.c index 92f4fa6..c828170 100644 --- a/source4/auth/gensec/gensec_tstream.c +++ b/source4/auth/gensec/gensec_tstream.c @@ -253,7 +253,11 @@ static int tstream_gensec_readv_next_vector(struct tstream_context *unix_stream, msg_len = RIVAL(state->wrapped.hdr, 0); - if (msg_len > 0x00FFFFFF) { + /* + * I got a Windows 2012R2 server responding with + * a message of 0x1b28a33. + */ + if (msg_len > 0x0FFFFFFF) { errno = EMSGSIZE; return -1; } -- 1.9.1 From e9f7cb9977e163871b31e118e447ef8600f7797d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 22 Apr 2016 16:31:55 +0200 Subject: [PATCH 02/30] s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 795e796658e6da0149c9c00ece7cca4ccc457717) --- source3/libads/sasl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index b8d4527..10f63e8 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c 
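Review bot: In source4/auth/gensec/gensec_tstream.c the new cap `msg_len > 0x0FFFFFFF` lets the peer's 4-byte length header announce almost 256 MiB per wrapped message, sixteen times the old bound, and the code that sizes the receive buffer is outside this hunk. If the next step allocates `msg_len` bytes up front, a misbehaving server can make the client reserve that much memory per connection; that should be confirmed and stated in the comment. The comment should also say why 0x0FFFFFFF was chosen, since the observed 0x1b28a33 would fit under 0x01FFFFFF, e.g. `* The cap bounds the per-message buffer; it is kept well above the largest size observed.` tstream_gensec_readv_next_vector starts and ends outside the hunk.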
@@ -328,7 +328,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, * arcfour-hmac-md5. */ ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C); - ads->ldap.in.max_wrapped = max_wrapped; + ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED; status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); if (!ADS_ERR_OK(status)) { DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", @@ -986,7 +986,7 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv ads->ldap.out.sig_size = max_msg_size - ads->ldap.out.max_unwrapped; ads->ldap.in.min_wrapped = 0x2C; /* taken from a capture with LDAP unbind */ - ads->ldap.in.max_wrapped = max_msg_size; + ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED; status = ads_setup_sasl_wrapping(ads, &ads_sasl_gssapi_ops, context_handle); if (!ADS_ERR_OK(status)) { DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n", -- 1.9.1 From bdf51d074ff83233ed8ae105bc8a176fc7672e20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 28 Apr 2016 12:58:10 +0200 Subject: [PATCH 03/30] lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 95b8b020626ba58a77a21e3da804bac2f0cf90b1) --- lib/krb5_wrap/krb5_samba.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 22975c1..652e811 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c 
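Review bot: In source3/libads/sasl.c both hunks (ads_sasl_spnego_gensec_bind and ads_sasl_gssapi_do_bind) now assign the constant ADS_SASL_WRAPPING_IN_MAX_WRAPPED to `ads->ldap.in.max_wrapped`, so the inbound limit no longer follows the negotiated `max_wrapped` / `max_msg_size`. The macro's definition is not part of this patch, so its value cannot be checked here; a comment at each assignment would help, e.g. `/* fixed inbound limit, deliberately not the negotiated size */`. If the local `max_wrapped` in ads_sasl_spnego_gensec_bind has no remaining user it should be dropped, which the hunk does not show.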
@@ -2388,12 +2388,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) "Trying to read krb5 cache: %s\n", krb5_cc_default_name(ctx))); if (krb5_cc_default(ctx, &cc)) { - DEBUG(0,("kerberos_get_default_realm_from_ccache: " + DEBUG(5,("kerberos_get_default_realm_from_ccache: " "failed to read default cache\n")); goto out; } if (krb5_cc_get_principal(ctx, cc, &princ)) { - DEBUG(0,("kerberos_get_default_realm_from_ccache: " + DEBUG(5,("kerberos_get_default_realm_from_ccache: " "failed to get default principal\n")); goto out; } -- 1.9.1 From d30e56e29ff48b28f3a7ab045c139003aef609a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 28 Apr 2016 12:58:33 +0200 Subject: [PATCH 04/30] s3:librpc:crypto:gse: increase debug level for gse_init_client(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Guenther Signed-off-by: Guenther Deschner Reviewed-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit b6595037f3fcaafb957d9c08edfb89c72cded987) --- source3/librpc/crypto/gse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 6ea2c4a..f1ebe19 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -239,7 +239,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx, GSS_C_NT_USER_NAME, &gse_ctx->server_name); if (gss_maj) { - DEBUG(0, ("gss_import_name failed for %s, with [%s]\n", + DEBUG(5, ("gss_import_name failed for %s, with [%s]\n", (char *)name_buffer.value, gse_errstr(gse_ctx, gss_maj, gss_min))); status = NT_STATUS_INTERNAL_ERROR; -- 1.9.1 From 3f6a06ea7e5a7b224a7b30a6de7244da4e5c593b Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Thu, 28 Apr 2016 12:26:16 +0200 Subject: [PATCH 05/30] auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 9930bd17f2d39e4be1e125f83f7de489a94ea1d1) --- auth/gensec/spnego.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 1d4b172..5126952 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -661,7 +661,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec talloc_free(spnego_state->sub_sec_security); spnego_state->sub_sec_security = NULL; - DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); + DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); return nt_status; } -- 1.9.1 From e85aa55fb0faf333e552342358b9edad8aa9553a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 23 Apr 2016 05:17:25 +0200 Subject: [PATCH 06/30] auth/spnego: handle broken mechListMIC response from Windows 2000 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 032c2733dea834e2c95178cdd0deb73e7bb13621) --- auth/gensec/spnego.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 5126952..33a4b46 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c 
@@ -1078,6 +1078,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego.negTokenTarg.mechListMIC.length > 0) { + DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC; + const DATA_BLOB *r = &spnego.negTokenTarg.responseToken; + + /* + * Windows 2000 has a bug, it repeats the + * responseToken in the mechListMIC field. + */ + if (m->length == r->length) { + int cmp; + + cmp = memcmp(m->data, r->data, m->length); + if (cmp == 0) { + data_blob_free(m); + } + } + } + + if (spnego.negTokenTarg.mechListMIC.length > 0) { if (spnego_state->no_response_expected) { spnego_state->needs_mic_check = true; } -- 1.9.1 From 8af247c2b71eb88ec7bc6164b2d6d2c9725902aa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 20 Apr 2016 18:44:21 +0200 Subject: [PATCH 07/30] auth/ntlmssp: don't require any flags in the ccache_resume code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ntlmssp_client_challenge() already checks for required flags before asking winbindd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 5041adb6657596399049a33e6a739a040b4df0db) --- auth/ntlmssp/ntlmssp_client.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index b419615..8b367fc 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c 
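Review bot: In auth/gensec/spnego.c the new block frees `mechListMIC` whenever it is byte-identical to `responseToken`, for every peer and not only Windows 2000, and it does so without any log output. Because the second `if (spnego.negTokenTarg.mechListMIC.length > 0)` then no longer runs, `needs_mic_check` is not set on this path; whether later code in gensec_spnego_update still insists on a MIC when one is required is outside the hunk and should be confirmed. At minimum record the discard, e.g. `DEBUG(5, ("ignoring mechListMIC that repeats the responseToken\n"));` just before `data_blob_free(m);`.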
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security, if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { gensec_security->want_features |= GENSEC_FEATURE_SIGN; - - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { gensec_security->want_features |= GENSEC_FEATURE_SEAL; - - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; } - ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; ntlmssp_state->conf_flags = ntlmssp_state->neg_flags; + ntlmssp_state->required_flags = 0; if (DEBUGLEVEL >= 10) { struct NEGOTIATE_MESSAGE *negotiate = talloc( -- 1.9.1 From 179484150dc95bdf605bf918d65f3735d5603f27 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 20 Apr 2016 18:44:21 +0200 Subject: [PATCH 08/30] auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Enforcement of SMB signing is done at the SMB layer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit d97b347d041f9b5c0aa71f35526cbefd56f3500b) --- auth/ntlmssp/ntlmssp_client.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index 8b367fc..b423f20 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c 
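Review bot: In gensec_ntlmssp_resume_ccache the new `ntlmssp_state->required_flags = 0;` removes the local enforcement of NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL, and the only justification is in the commit message. Put it next to the assignment, e.g. `/* required flags were already checked by ntlmssp_client_challenge() before winbindd was asked */`, so a later reader does not take the zero for an oversight. The function continues outside the hunk.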
@@ -843,8 +843,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) * Without this, Windows will not create the master key * that it thinks is only used for NTLMSSP signing and * sealing. (It is actually pulled out and used directly) + * + * We don't require this here as some servers (e.g. NetAPP) + * doesn't support this. */ - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; -- 1.9.1 From d59fb892ccefca836013ff45cc6d638cdc457cc1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 19 Apr 2016 07:31:50 +0200 Subject: [PATCH 09/30] s3:libsmb: use password = NULL for anonymous connections MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 53be47410236ef7c90fe895f49f300e3fe47a8bf) --- source3/libsmb/cliconnect.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 2c351dd..b8a8c7a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1325,6 +1325,17 @@ static struct tevent_req *cli_session_setup_gensec_send( talloc_set_destructor( state, cli_session_setup_gensec_state_destructor); + if (user == NULL || strlen(user) == 0) { + if (pass != NULL && strlen(pass) == 0) { + /* + * some callers pass "" as no password + * + * gensec only handles NULL as no password. + */ + pass = NULL; + } + } + status = auth_generic_client_prepare(state, &state->auth_generic); if (tevent_req_nterror(req, status)) { return tevent_req_post(req, ev); -- 1.9.1 From 521fc959c29344fb662a2edef5508c88cef7b37c Mon Sep 17 00:00:00 2001 
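Review bot: In gensec_ntlmssp_client_start, `ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;` means a server that does not return the SIGN flag is now accepted on this branch, whose condition starts above the hunk. The added comment says only that the flag is not required "here"; it should say where the requirement is enforced instead, which per the commit message is the SMB layer, e.g. `* SMB signing requirements are enforced at the SMB layer, not by NTLMSSP.` The wording "some servers (e.g. NetAPP) doesn't support this" should read "don't".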
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 20 Apr 2016 20:09:53 +0200 Subject: [PATCH 10/30] libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated(). Guenther BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 Signed-off-by: Guenther Deschner Reviewed-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 8e016ffeb01167bb8dec66cf9e4bc8605461c15a) --- libcli/smb/smbXcli_base.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 14b5992..1d41d4b 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5306,6 +5306,10 @@ bool smbXcli_session_is_authenticated(struct smbXcli_session *session) { const DATA_BLOB *application_key; + if (session == NULL) { + return false; + } + if (session->conn == NULL) { return false; } -- 1.9.1 From 71b6e641c5085c7646651cd8f51a6a8d3824a9cc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 18 Apr 2016 17:33:11 +0200 Subject: [PATCH 11/30] libcli/smb: add smb1cli_session_set_action() helper function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit e6f9e176f2bb0e3e7451ac58e84ff55328219fcd) --- libcli/smb/smbXcli_base.c | 7 +++++++ libcli/smb/smbXcli_base.h | 2 ++ 2 files changed, 9 insertions(+) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 1d41d4b..f9f3f87 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -167,6 +167,7 @@ struct smbXcli_session { struct { uint16_t session_id; + uint16_t action; DATA_BLOB application_key; bool protected_key; } smb1; 
@@ -5377,6 +5378,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session, session->smb1.session_id = session_id; } +void smb1cli_session_set_action(struct smbXcli_session *session, + uint16_t action) +{ + session->smb1.action = action; +} + NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session, const DATA_BLOB _session_key) { diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h index e4cfb10..6b6d72d 100644 --- a/libcli/smb/smbXcli_base.h +++ b/libcli/smb/smbXcli_base.h @@ -398,6 +398,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session); uint16_t smb1cli_session_current_id(struct smbXcli_session* session); void smb1cli_session_set_id(struct smbXcli_session* session, uint16_t session_id); +void smb1cli_session_set_action(struct smbXcli_session *session, + uint16_t action); NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session, const DATA_BLOB _session_key); NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session); -- 1.9.1 From 05b66b6e25c5ffa2c74a8ab98da8baab6cd0659c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 18 Apr 2016 17:34:21 +0200 Subject: [PATCH 12/30] libcli/smb: add SMB1 session setup action flags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit cceaa61cf064926baca6db4b303d34ea90d40d52) --- libcli/smb/smb_constants.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h index 04c9001..48b470e 100644 --- a/libcli/smb/smb_constants.h +++ b/libcli/smb/smb_constants.h 
@@ -278,6 +278,12 @@ enum smb_signing_setting { CAP_LARGE_WRITEX | \ 0) +/* + * The action flags in the SMB session setup response + */ +#define SMB_SETUP_GUEST 0x0001 +#define SMB_SETUP_USE_LANMAN_KEY 0x0002 + /* Client-side offline caching policy types */ enum csc_policy { CSC_POLICY_MANUAL=0, -- 1.9.1 From 1cd40255a6987854251b70ee1c813c39d91622d4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 18 Apr 2016 17:38:46 +0200 Subject: [PATCH 13/30] libcli/smb: add smbXcli_session_is_guest() helper function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 8f4a4bec089b46bbeb0e0f37bb682acb88702bf2) --- libcli/smb/smbXcli_base.c | 24 ++++++++++++++++++++++++ libcli/smb/smbXcli_base.h | 1 + 2 files changed, 25 insertions(+) diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index f9f3f87..419a2c0 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -5303,6 +5303,30 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx, return session; } +bool smbXcli_session_is_guest(struct smbXcli_session *session) +{ + if (session == NULL) { + return false; + } + + if (session->conn == NULL) { + return false; + } + + if (session->conn->protocol >= PROTOCOL_SMB2_02) { + if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { + return true; + } + return false; + } + + if (session->smb1.action & SMB_SETUP_GUEST) { + return true; + } + + return false; +} + bool smbXcli_session_is_authenticated(struct smbXcli_session *session) { const DATA_BLOB *application_key; diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h index 6b6d72d..8b9851b 100644 --- a/libcli/smb/smbXcli_base.h +++ b/libcli/smb/smbXcli_base.h 
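Review bot: smbXcli_session_is_guest() in libcli/smb/smbXcli_base.c returns what the server reported (`smb1.action` is stored by smb1cli_session_set_action, and `smb2->session_flags` is presumably filled from the SMB2 response), and the function has no comment saying so. Callers that base a security decision on it need to know the value is server-asserted, so add a header comment such as `/* true if the server flagged this session as guest in its session setup response */`. The SMB2 branch also dereferences `session->smb2` without the NULL check applied to `session` and `session->conn`; confirm it is always allocated.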
@@ -390,6 +390,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx, struct smbXcli_conn *conn); struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx, struct smbXcli_session *src); +bool smbXcli_session_is_guest(struct smbXcli_session *session); bool smbXcli_session_is_authenticated(struct smbXcli_session *session); NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session, TALLOC_CTX *mem_ctx, -- 1.9.1 From 3ddeea8469a3dfee590ff74c04a8fb6b9819a7c5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 19 Apr 2016 07:19:19 +0200 Subject: [PATCH 14/30] s3:libsmb: record the session setup action flags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 02c902103521e5a2b1d221db83e6c59d0ce31099) --- source3/libsmb/cliconnect.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b8a8c7a..48f499c 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -242,6 +242,7 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq) p = bytes; cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); + smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); status = smb_bytes_talloc_string(cli, inhdr, @@ -445,6 +446,7 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq) p = bytes; cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); + smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); status = smb_bytes_talloc_string(cli, inhdr, @@ -604,6 +606,7 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq) p = bytes; cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); + smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); status = smb_bytes_talloc_string(cli, inhdr, 
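Review bot: In source3/libsmb/cliconnect.c the added `smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));` appears verbatim in five response handlers (the three hunks here plus cli_session_setup_nt1_done and cli_sesssetup_blob_done), each with the bare offset `vwv+2`. A one-line comment such as `/* vwv[2]: action flags of the session setup response */` at each call, or a small static helper, would make clear what is read. smb1cli_session_set_action() writes through `session` without a NULL check, so these calls rely on `cli->smb1.session` being set in every handler, which the hunks do not show.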
@@ -915,6 +918,7 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq) p = bytes; cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); + smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); status = smb_bytes_talloc_string(cli, inhdr, @@ -1160,6 +1164,7 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq) state->inbuf = in; inhdr = in + NBT_HDR_SIZE; cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID)); + smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0)); blob_length = SVAL(vwv+3, 0); if (blob_length > num_bytes) { -- 1.9.1 From 79e37e496c06a1404c3c69aa3797bfcef2cb9a57 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 19 Apr 2016 07:20:28 +0200 Subject: [PATCH 15/30] s3:libsmb: don't finish the gensec handshake for guest logins MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit fa5799207e55ee8e329f36f784d027845eaf0e34) --- source3/libsmb/cliconnect.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 48f499c..b984087 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c 
@@ -1572,6 +1572,27 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq) } if (NT_STATUS_IS_OK(status)) { + struct smbXcli_session *session = NULL; + bool is_guest = false; + + if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) { + session = state->cli->smb2.session; + } else { + session = state->cli->smb1.session; + } + + is_guest = smbXcli_session_is_guest(session); + if (is_guest) { + /* + * We can't finish the gensec handshake, we don't + * have a negotiated session key. + * + * So just pretend we are completely done. + */ + state->blob_in = data_blob_null; + state->local_ready = true; + } + state->remote_ready = true; } -- 1.9.1 From 0e2fbd85d55aeedee8f0036010fa35ac69ffa610 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 19 Apr 2016 07:33:03 +0200 Subject: [PATCH 16/30] s3:libsmb: use anonymous authentication via spnego if possible MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes the authentication consistent between SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000) and SNB2. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit e72ad193a53e20b769f798d02c0610f91859bd38) --- source3/libsmb/cliconnect.c | 55 ++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 26 deletions(-) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b984087..ea92c8f 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c 
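Review bot: In cli_session_setup_gensec_remote_done the guest decision comes from smbXcli_session_is_guest(), that is from flags in the server's own response, and when it is true the client sets `local_ready` and stops before a session key exists. A caller that asked for signing or encryption has to fail at some point after this, and nothing in the hunk does so; if that check is made elsewhere, the comment should name the place, e.g. `* Signing/encryption requirements are still checked by (caller, to be confirmed).` A debug message such as `DEBUG(5, ("server returned a guest session, skipping gensec completion\n"));` would also help when diagnosing unexpected unsigned sessions.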
@@ -1643,6 +1643,19 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req) } } + if (state->is_anonymous) { + /* + * Windows server does not set the + * SMB2_SESSION_FLAG_IS_NULL flag. + * + * This fix makes sure we do not try + * to verify a signature on the final + * session setup response. + */ + tevent_req_done(req); + return; + } + status = gensec_session_key(state->auth_generic->gensec_security, state, &state->session_key); if (tevent_req_nterror(req, status)) { @@ -1652,20 +1665,6 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req) if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) { struct smbXcli_session *session = state->cli->smb2.session; - if (state->is_anonymous) { - /* - * Windows server does not set the - * SMB2_SESSION_FLAG_IS_GUEST nor - * SMB2_SESSION_FLAG_IS_NULL flag. - * - * This fix makes sure we do not try - * to verify a signature on the final - * session setup response. - */ - tevent_req_done(req); - return; - } - status = smb2cli_session_set_session_key(session, state->session_key, state->recv_iov); @@ -2095,6 +2094,21 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, return req; } + /* + * if the server supports extended security then use SPNEGO + * even for anonymous connections. + */ + if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) { + subreq = cli_session_setup_spnego_send( + state, ev, cli, user, pass, workgroup); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, cli_session_setup_done_spnego, + req); + return req; + } + /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ 
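Review bot: In cli_session_setup_gensec_ready the `state->is_anonymous` early return now sits ahead of gensec_session_key() and therefore applies to SMB1 as well as SMB2, but the moved comment still explains it only through the SMB2 flag SMB2_SESSION_FLAG_IS_NULL. Extend the comment to cover the new scope, e.g. `* Applies to SMB1 and SMB2: anonymous sessions return before a session key is fetched.` The function starts above the hunk.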
@@ -2143,18 +2157,7 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, return req; } - /* if the server supports extended security then use SPNEGO */ - - if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) { - subreq = cli_session_setup_spnego_send( - state, ev, cli, user, pass, workgroup); - if (tevent_req_nomem(subreq, req)) { - return tevent_req_post(req, ev); - } - tevent_req_set_callback(subreq, cli_session_setup_done_spnego, - req); - return req; - } else { + { /* otherwise do a NT1 style session setup */ if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) { /* -- 1.9.1 From 3e4735c1657a23a6b46c0fea27cc1ae153eb339e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 22 Apr 2016 10:04:38 +0200 Subject: [PATCH 17/30] auth/spnego: only try to verify the mechListMic if signing was negotiated. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e) --- auth/gensec/spnego.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 33a4b46..1b23427 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -885,6 +885,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA case SPNEGO_SERVER_TARG: { NTSTATUS nt_status; + bool have_sign = true; bool new_spnego = false; if (!in.length) { 
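Review bot: The last hunk of cli_session_setup_send leaves a bare `{ ... }` block where the `else` branch used to be, so the NT1 path keeps an extra indent level and a brace pair that belongs to no statement. Dropping the braces and de-indenting the NT1 code would read better; if the block is kept to limit the size of the backport, say so with `/* block kept to minimise the diff */`. The function continues outside the hunk.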
@@ -947,18 +948,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA goto server_response; } + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); if (spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } - if (spnego.negTokenTarg.mechListMIC.length > 0) { + if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) { nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length, @@ -1142,8 +1145,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (spnego_state->no_response_expected && !spnego_state->done_mic_check) { + bool have_sign = true; bool new_spnego = false; + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); @@ -1170,16 +1176,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego_state->mic_requested) { - bool sign; - - sign = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_SIGN); - if (sign) { + if (have_sign) { new_spnego = true; } } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } -- 1.9.1 From 81e6d364e7ac40fa142a13c2b95153cded3ee7df Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 27 Apr 2016 01:44:56 +0200 Subject: [PATCH 18/30] s4:auth_anonymous: anonymous authentication doesn't allow a password MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 
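Review bot: In gensec_spnego_update a received mechListMIC is now skipped without any trace when signing was not negotiated (`if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0)`), so a negotiation whose integrity check was dropped looks the same in the logs as one that never carried a MIC. Add a message on the skipped path, e.g. `DEBUG(5, ("mechListMIC present but signing not negotiated, not verified\n"));`. In the client-side block `bool have_sign = true;` is overwritten by gensec_have_feature() on the next statement, so the initialiser only suggests that signing is assumed; `false` would be the safer default there.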
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit d247dceaaab24b568425f2360e40f5e91be452cc) --- source4/auth/ntlm/auth_anonymous.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c index 28cbfe8..ab1aac2 100644 --- a/source4/auth/ntlm/auth_anonymous.c +++ b/source4/auth/ntlm/auth_anonymous.c @@ -41,6 +41,36 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx, return NT_STATUS_NOT_IMPLEMENTED; } + switch (user_info->password_state) { + case AUTH_PASSWORD_PLAIN: + if (user_info->password.plaintext != NULL && + strlen(user_info->password.plaintext) > 0) + { + return NT_STATUS_NOT_IMPLEMENTED; + } + break; + case AUTH_PASSWORD_HASH: + if (user_info->password.hash.lanman != NULL) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (user_info->password.hash.nt != NULL) { + return NT_STATUS_NOT_IMPLEMENTED; + } + break; + case AUTH_PASSWORD_RESPONSE: + if (user_info->password.response.lanman.length == 1) { + if (user_info->password.response.lanman.data[0] != '\0') { + return NT_STATUS_NOT_IMPLEMENTED; + } + } else if (user_info->password.response.lanman.length > 1) { + return NT_STATUS_NOT_IMPLEMENTED; + } + if (user_info->password.response.nt.length > 0) { + return NT_STATUS_NOT_IMPLEMENTED; + } + break; + } + return NT_STATUS_OK; } -- 1.9.1 From 53e8b97000c6695c93d894f1a65b8c77474fc69f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 27 Apr 2016 01:48:32 +0200 Subject: [PATCH 19/30] s3:auth_builtin: anonymous authentication doesn't allow a password MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 
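Review bot: In anonymous_want_check (source4/auth/ntlm/auth_anonymous.c) the new `switch (user_info->password_state)` has no `default:`, so any state other than the three listed falls through to `return NT_STATUS_OK;` and the anonymous backend claims the request. Failing closed is safer if the enum ever gains a value: add `default: return NT_STATUS_NOT_IMPLEMENTED;`. The same switch is duplicated in check_guest_security in source3/auth/auth_builtin.c (patch 19), where the fall-through reaches make_server_info_guest(); one shared helper would keep the two copies from drifting apart.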
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit ead483b0c0ec746c0869162024c97f2e08df7f4b) --- source3/auth/auth_builtin.c | 47 ++++++++++++++++++++++++++++++++++++++------- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c index dce58bf..7480799 100644 --- a/source3/auth/auth_builtin.c +++ b/source3/auth/auth_builtin.c 
@@ -38,17 +38,50 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context, const struct auth_usersupplied_info *user_info, struct auth_serversupplied_info **server_info) { - /* mark this as 'not for me' */ - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name)); - if (!(user_info->mapped.account_name - && *user_info->mapped.account_name)) { - nt_status = make_server_info_guest(NULL, server_info); + if (user_info->mapped.account_name && *user_info->mapped.account_name) { + /* mark this as 'not for me' */ + return NT_STATUS_NOT_IMPLEMENTED; } - return nt_status; + switch (user_info->password_state) { + case AUTH_PASSWORD_PLAIN: + if (user_info->password.plaintext != NULL && + strlen(user_info->password.plaintext) > 0) + { + /* mark this as 'not for me' */ + return NT_STATUS_NOT_IMPLEMENTED; + } + break; + case AUTH_PASSWORD_HASH: + if (user_info->password.hash.lanman != NULL) { + /* mark this as 'not for me' */ + return NT_STATUS_NOT_IMPLEMENTED; + } + if (user_info->password.hash.nt != NULL) { + /* mark this as 'not for me' */ + return NT_STATUS_NOT_IMPLEMENTED; + } + break; + case AUTH_PASSWORD_RESPONSE: + if (user_info->password.response.lanman.length == 1) { + if (user_info->password.response.lanman.data[0] != '\0') { + /* mark this as 'not for me' */ + return NT_STATUS_NOT_IMPLEMENTED; + } + } else if (user_info->password.response.lanman.length > 1) { + /* mark this as 'not for me' */ + return NT_STATUS_NOT_IMPLEMENTED; + } + if (user_info->password.response.nt.length > 0) { + /* mark this as 'not for me' */ + return NT_STATUS_NOT_IMPLEMENTED; + } + break; + } + + return make_server_info_guest(NULL, server_info); } /* Guest modules initialisation */ -- 1.9.1 From b61df92a152473321c0df6c21bc1133867754b1e Mon Sep 17 00:00:00 2001 
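Review bot: The password checks in check_guest_security() repeat the block added to anonymous_want_check() in source4/auth/ntlm/auth_anonymous.c (PATCH 18/30), so the two definitions of "no password supplied" can drift apart over time. Assuming both modules use the same user_info structure, one shared predicate called from both places would keep the rule in a single spot; its name and location are for the maintainers to choose. Within this hunk the comment `/* mark this as 'not for me' */` is repeated before each of the seven early returns. One comment above the switch, such as `/* any supplied password means this is not an anonymous login: not for me */`, would say the same with less noise.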
From: Stefan Metzmacher Date: Wed, 20 Apr 2016 16:29:42 +0200 Subject: [PATCH 20/30] libcli/security: implement SECURITY_GUEST MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 837e6176329330893d5a1e4ce4ac67dbac758e56) --- libcli/security/security_token.c | 5 +++++ libcli/security/security_token.h | 2 ++ libcli/security/session.c | 4 ++++ libcli/security/session.h | 1 + 4 files changed, 12 insertions(+) diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c index 6812d42..2e5a87b 100644 --- a/libcli/security/security_token.c +++ b/libcli/security/security_token.c @@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha return ret; } +bool security_token_has_builtin_guests(const struct security_token *token) +{ + return security_token_has_sid(token, &global_sid_Builtin_Guests); +} + bool security_token_has_builtin_administrators(const struct security_token *token) { return security_token_has_sid(token, &global_sid_Builtin_Administrators); diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h index b8ca990..5c5b30b 100644 --- a/libcli/security/security_token.h +++ b/libcli/security/security_token.h @@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom bool security_token_has_sid_string(const struct security_token *token, const char *sid_string); +bool security_token_has_builtin_guests(const struct security_token *token); + bool security_token_has_builtin_administrators(const struct security_token *token); bool security_token_has_nt_authenticated_users(const struct security_token *token); 
diff --git a/libcli/security/session.c b/libcli/security/session.c index 0c32556..0fbb87d 100644 --- a/libcli/security/session.c +++ b/libcli/security/session.c @@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_ANONYMOUS; } + if (security_token_has_builtin_guests(session_info->security_token)) { + return SECURITY_GUEST; + } + if (security_token_has_builtin_administrators(session_info->security_token)) { return SECURITY_ADMINISTRATOR; } diff --git a/libcli/security/session.h b/libcli/security/session.h index ee9187d..31e950e 100644 --- a/libcli/security/session.h +++ b/libcli/security/session.h @@ -24,6 +24,7 @@ enum security_user_level { SECURITY_ANONYMOUS = 0, + SECURITY_GUEST = 1, SECURITY_USER = 10, SECURITY_RO_DOMAIN_CONTROLLER = 20, SECURITY_DOMAIN_CONTROLLER = 30, -- 1.9.1 From 1e816ce7110ea2dacc82e098f6033776bfb2059c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 18 Apr 2016 17:36:56 +0200 Subject: [PATCH 21/30] s3:smbd: make use SMB_SETUP_GUEST constant MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 25ce97892ad3ce5028e4dbbbdd844ef6619ac396) --- source3/smbd/sesssetup.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 25b2ed6..bcf63c7 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -286,7 +286,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) } if (security_session_user_level(session_info, NULL) < SECURITY_USER) { - action = 1; + action |= SMB_SETUP_GUEST; } if (session_info->session_key.length > 0) { 
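Review bot: The position of the new Builtin Guests test in security_session_user_level() is security-relevant but carries no comment: it runs before the Builtin Administrators test, so a token holding both SIDs is reported as SECURITY_GUEST. That is the conservative outcome, yet a reader cannot tell whether the order is deliberate or accidental. A line such as `/* checked before the administrator test so that a guest SID always yields the lower level */` above the new `if` would record the intent. The function starts and continues outside the hunk.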
@@ -412,7 +412,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) } if (security_session_user_level(session_info, NULL) < SECURITY_USER) { - action = 1; + action |= SMB_SETUP_GUEST; } /* @@ -941,7 +941,7 @@ void reply_sesssetup_and_X(struct smb_request *req) } if (security_session_user_level(session_info, NULL) < SECURITY_USER) { - action = 1; + action |= SMB_SETUP_GUEST; } /* register the name and uid as being validated, so further connections -- 1.9.1 From b1f71243753894bb511495186bf03e49b39f98eb Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 20 Apr 2016 16:34:28 +0200 Subject: [PATCH 22/30] s3:smbd: only mark real guest sessions with the GUEST flag MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Real anonymous sessions don't get it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (similar to commit 79a71545bfc87525c6ba6c8fe9fa7d8a9da33441) --- source3/smbd/sesssetup.c | 6 +++--- source3/smbd/smb2_sesssetup.c | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index bcf63c7..7774b66 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -285,7 +285,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) return; } - if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { action |= SMB_SETUP_GUEST; } @@ -411,7 +411,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) return; } - if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { action |= SMB_SETUP_GUEST; } 
@@ -940,7 +940,7 @@ void reply_sesssetup_and_X(struct smb_request *req) /* perhaps grab OS version here?? */ } - if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { action |= SMB_SETUP_GUEST; } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index fe64df0..9d3fa31 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -274,11 +274,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session, } if (security_session_user_level(session_info, NULL) < SECURITY_USER) { - /* we map anonymous to guest internally */ - *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; - *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; + if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) { + *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; + } /* force no signing */ x->global->signing_required = false; + /* we map anonymous to guest internally */ guest = true; } -- 1.9.1 From bb0bb18e903e24ba067df427e352f10296d5cea1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 20 Apr 2016 18:27:34 +0200 Subject: [PATCH 23/30] auth/ntlmssp: do map to guest checking after the authentication MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit d667520568996471b55007a42b503edbabb1eee0) --- auth/ntlmssp/gensec_ntlmssp_server.c | 16 +-------------- auth/ntlmssp/ntlmssp_server.c | 40 ++++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 15 deletions(-) diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index 6147b14..f3c26c7 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c 
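Review bot: In smbd_smb2_auth_generic_return() the hunk removes `SMB2_SESSION_FLAG_IS_NULL` entirely, so an anonymous session now gets neither flag, while the commit message only talks about the GUEST flag. If dropping IS_NULL is intended, a comment at this spot should say so; if it is not, the anonymous case needs its own branch that sets it. `x->global->signing_required = false` and `guest = true` still apply to both anonymous and guest sessions, which deserves a comment such as `/* anonymous and guest: no signing, treated as guest internally */`. security_session_user_level() is also called twice in a row; keeping the result in a local would make the two comparisons easier to read.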
@@ -130,21 +130,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) ntlmssp_state->allow_lm_key = true; } - if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) { - /* - * map to guest is not secure anyway, so - * try to make it work and don't try to - * negotiate new_spnego and MIC checking - */ - ntlmssp_state->force_old_spnego = true; - } - - if (role == ROLE_ACTIVE_DIRECTORY_DC) { - /* - * map to guest is not supported on an AD DC. - */ - ntlmssp_state->force_old_spnego = false; - } + ntlmssp_state->force_old_spnego = false; ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION; diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 17d5ade..ddee875 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -31,6 +31,9 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_internal.h" #include "auth/common_auth.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "libcli/security/session.h" /** * Determine correct target name flags for reply, given server role @@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; struct auth4_context *auth_context = gensec_security->auth_context; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; + struct auth_session_info *session_info = NULL; struct auth_usersupplied_info *user_info; user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); 
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec NT_STATUS_NOT_OK_RETURN(nt_status); + if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST + && auth_context->generate_session_info != NULL) + { + NTSTATUS tmp_status; + + /* + * We need to check if the auth is anonymous or mapped to guest + */ + tmp_status = auth_context->generate_session_info(auth_context, mem_ctx, + gensec_ntlmssp->server_returned_info, + gensec_ntlmssp->ntlmssp_state->user, + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, + &session_info); + if (!NT_STATUS_IS_OK(tmp_status)) { + /* + * We don't care about failures, + * the worst result is that we try MIC checking + * for a map to guest authentication. + */ + TALLOC_FREE(session_info); + } + } + + if (session_info != NULL) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + /* + * Anonymous and GUEST are not secure anyway. + * avoid new_spnego and MIC checking. + */ + ntlmssp_state->new_spnego = false; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; + } + TALLOC_FREE(session_info); + } + talloc_steal(mem_ctx, user_session_key->data); talloc_steal(mem_ctx, lm_session_key->data); -- 1.9.1 From 725e85c5c136e5a9e8e0f58ddef96c59c2368cea Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 25 Apr 2016 14:45:55 +0200 Subject: [PATCH 24/30] auth/spnego: add spnego:simulate_w2k option for testing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit db9c01a51975a0a3ec2564357617958c2f466091) --- auth/gensec/spnego.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 1b23427..6a82b5f 100644 
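Review bot: When `generate_session_info()` fails in ntlmssp_server_check_password(), `tmp_status` is discarded without a log line, so the case the comment describes (MIC checking attempted for a map-to-guest login) cannot be diagnosed afterwards. A low-level message in the failure branch, e.g. `DEBUG(5, ("generate_session_info failed: %s\n", nt_errstr(tmp_status)));`, keeps the best-effort behaviour and makes it visible. The block after it clears `new_spnego` and the SIGN/SEAL bits for every session below SECURITY_USER. Its comment should state that this runs only after `NT_STATUS_NOT_OK_RETURN(nt_status)` has passed, because that ordering is the point of the commit. The function starts and ends outside the hunk.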
--- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -59,6 +59,8 @@ struct spnego_state { bool needs_mic_check; bool done_mic_check; + bool simulate_w2k; + /* * The following is used to implement * the update token fragmentation @@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi spnego_state->out_max_length = gensec_max_update_size(gensec_security); spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + gensec_security->private_data = spnego_state; return NT_STATUS_OK; } @@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi spnego_state->out_max_length = gensec_max_update_size(gensec_security); spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + gensec_security->private_data = spnego_state; return NT_STATUS_OK; } @@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA spnego.negTokenInit.mechToken, &unwrapped_out); + if (spnego_state->simulate_w2k) { + /* + * Windows 2000 returns the unwrapped token + * also in the mech_list_mic field. + * + * In order to verify our client code, + * we need a way to have a server with this + * broken behaviour + */ + mech_list_mic = unwrapped_out; + } + nt_status = gensec_spnego_server_negTokenTarg(spnego_state, out_mem_ctx, nt_status, unwrapped_out, - null_data_blob, + mech_list_mic, out); spnego_free_data(&spnego); 
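Review bot: `spnego:simulate_w2k` is read from the ordinary settings in both gensec_spnego_client_start() and gensec_spnego_server_start(), and nothing in these hunks marks it as unsafe outside the test suite. When set, the server puts the unwrapped token into the mechListMIC field, and the two `have_sign = false` hunks further down in gensec_spnego_update() switch off the signing feature that appears to feed the mechListMIC decisions that follow. I would add a comment at the `bool simulate_w2k;` member, e.g. `/* testing only: emulates broken Windows 2000 SPNEGO, disables mechListMIC protection */`, and consider a log warning when the option is enabled. `mech_list_mic` is declared outside the hunk, so its initial value cannot be checked here.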
@@ -950,6 +970,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA have_sign = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); if (spnego.negTokenTarg.mechListMIC.length > 0) { @@ -1150,6 +1173,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA have_sign = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); -- 1.9.1 From 2391d2180d8349c780147decadb08a83cf5cf038 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 25 Apr 2016 15:58:27 +0200 Subject: [PATCH 25/30] auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 7a2cb2c97611171613fc677a534277839348c56f) --- auth/ntlmssp/gensec_ntlmssp_server.c | 7 +++++++ auth/ntlmssp/ntlmssp_client.c | 3 +++ 2 files changed, 10 insertions(+) diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index f3c26c7..08a8c8f 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c 
@@ -132,6 +132,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) ntlmssp_state->force_old_spnego = false; + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) { + /* + * For testing Windows 2000 mode + */ + ntlmssp_state->force_old_spnego = true; + } + ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION; diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index b423f20..5edd5f4 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -784,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx); + ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", "force_old_spnego", false); + ntlmssp_state->expected_state = NTLMSSP_INITIAL; ntlmssp_state->neg_flags = -- 1.9.1 From 29f733ba7ab468272b48c87ba48080e2b83f7ed9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Apr 2016 08:50:00 +0200 Subject: [PATCH 26/30] selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit b8055cb42cadf48367867213a35635f3391c9b8d) --- selftest/target/Samba4.pm | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index f8db618..19930de 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm 
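Review bot: The server hunk sets `force_old_spnego` to false and then overrides it inside an `if`, while the client hunk in auth/ntlmssp/ntlmssp_client.c assigns the setting directly; the server could read the same way with `ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false);`. The comment `/* For testing Windows 2000 mode */` would then sit above that line. The client assignment has no comment at all and should get the same one, since both options exist for the test suite and bypass the newer SPNEGO handling.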
@@ -1376,6 +1376,13 @@ sub provision_fl2000dc($$) warn("Unable to add wins configuration"); return undef; } + $ret->{DC_SERVER} = $ret->{SERVER}; + $ret->{DC_SERVER_IP} = $ret->{SERVER_IP}; + $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; + $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $ret->{USERNAME}; + $ret->{DC_PASSWORD} = $ret->{PASSWORD}; + $ret->{DC_REALM} = $ret->{REALM}; return $ret; } @@ -1459,6 +1466,13 @@ sub provision_fl2008r2dc($$$) warn("Unable to add wins configuration"); return undef; } + $ret->{DC_SERVER} = $ret->{SERVER}; + $ret->{DC_SERVER_IP} = $ret->{SERVER_IP}; + $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6}; + $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME}; + $ret->{DC_USERNAME} = $ret->{USERNAME}; + $ret->{DC_PASSWORD} = $ret->{PASSWORD}; + $ret->{DC_REALM} = $ret->{REALM}; return $ret; } -- 1.9.1 From 984acc513a81abe17a3cb697310997c04867e9c5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Apr 2016 11:33:52 +0200 Subject: [PATCH 27/30] s3:test_smbclient_auth.sh: this script reqiures 5 arguments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 70910334caa176bf98fece7d638ed599979dc173) --- source3/script/tests/test_smbclient_auth.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh index cc075b9..1681772 100755 --- a/source3/script/tests/test_smbclient_auth.sh +++ b/source3/script/tests/test_smbclient_auth.sh @@ -2,7 +2,7 @@ # this runs the file serving tests that are expected to pass with samba3 against shares with various options -if [ $# -lt 4 ]; then +if [ $# -lt 5 ]; then cat < EOF -- 1.9.1 From 305b7841acf22d30d172dd75124409b3fb5b1625 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Wed, 27 Apr 2016 01:00:14 +0200 Subject: [PATCH 28/30] selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 587b5db7979c1ca1055f5bfd81ab79606cd3c2dd) --- selftest/target/Samba.pm | 13 +++++++++++++ selftest/target/Samba4.pm | 3 +++ 2 files changed, 16 insertions(+) diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index e87acd3..1921928 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm @@ -200,6 +200,19 @@ sub mk_krb5_conf($$) forwardable = yes allow_weak_crypto = yes +"; + + if (defined($ctx->{supported_enctypes})) { + print KRB5CONF " + default_etypes = $ctx->{supported_enctypes} + default_as_etypes = $ctx->{supported_enctypes} + default_tgs_enctypes = $ctx->{supported_enctypes} + default_tkt_enctypes = $ctx->{supported_enctypes} + permitted_enctypes = $ctx->{supported_enctypes} +"; + } + + print KRB5CONF " [realms] $our_realms_stanza "; diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 19930de..31889ef 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -371,6 +371,9 @@ sub provision_raw_prepare($$$$$$$$$$$) $ctx->{password} = $password; $ctx->{kdc_ipv4} = $kdc_ipv4; $ctx->{kdc_ipv6} = $kdc_ipv6; + if ($functional_level eq "2000") { + $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc" + } # # Set smbd log level here. -- 1.9.1 From f0c4a0a262a7999d03b543c44e6ca19efe415043 Mon Sep 17 00:00:00 2001 
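Review bot: In provision_raw_prepare() the added assignment `$ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc"` has no terminating semicolon. Perl accepts that for the last statement of a block, but the next line someone adds inside the `if` is likely to break parsing, so ending it with `;` like the surrounding statements is safer. A short comment that these weak enctypes are chosen on purpose to mimic a Windows 2000 DC in the test environment would also help readers of the generated krb5.conf.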
From: Stefan Metzmacher Date: Mon, 25 Apr 2016 16:02:22 +0200 Subject: [PATCH 29/30] selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit 4de43387235cb17a185fdd1afd658972e8c174ef) --- selftest/target/Samba4.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 31889ef..2be404f 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1362,6 +1362,10 @@ sub provision_fl2000dc($$) my ($self, $prefix) = @_; print "PROVISIONING DC WITH FOREST LEVEL 2000..."; + my $extra_conf_options = " + spnego:simulate_w2k=yes + ntlmssp_server:force_old_spnego=yes +"; my $ret = $self->provision($prefix, "domain controller", "dc5", @@ -1371,7 +1375,7 @@ sub provision_fl2000dc($$) "locDCpass5", undef, undef, - "", + $extra_conf_options, "", undef); -- 1.9.1 From 786ff894d0c015ec2e5d479c18f5f159dd6ca322 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 25 Apr 2016 16:12:47 +0200 Subject: [PATCH 30/30] s3:selftest: add smbclient_ntlm tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We test all combinations of NT1 with and without spnego and SMB3 for user, anonymous and guest authentication. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 
Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Thu Apr 28 20:16:45 CEST 2016 on sn-devel-144 (cherry picked from commit eee88e07b3e68efb467b390536eea4155b5ced7e) --- source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++++++++++++++++++ source3/selftest/tests.py | 4 ++- 2 files changed, 43 insertions(+), 1 deletion(-) create mode 100755 source3/script/tests/test_smbclient_ntlm.sh diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh new file mode 100755 index 0000000..b8fc564 --- /dev/null +++ b/source3/script/tests/test_smbclient_ntlm.sh 
@@ -0,0 +1,40 @@ +#!/bin/sh + +# this runs a smbclient based authentication tests + +if [ $# -lt 5 ]; then +cat < +EOF +exit 1; +fi + +SERVER="$1" +USERNAME="$2" +PASSWORD="$3" +MAPTOGUEST="$4" +SMBCLIENT="$5" +SMBCLIENT="$VALGRIND ${SMBCLIENT}" +shift 5 +ADDARGS="$*" + +incdir=`dirname $0`/../../../testprogs/blackbox +. $incdir/subunit.sh + +testit "smbclient username.password.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS +testit "smbclient username.password.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 -c quit $ADDARGS +testit "smbclient username.password.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mSMB3 -c quit $ADDARGS + +testit "smbclient anonymous.nopassword.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS +testit "smbclient anonymous.nopassword.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 -c quit $ADDARGS +testit "smbclient anonymous.nopassword.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mSMB3 -c quit $ADDARGS +if test x"${MAPTOGUEST}" = x"never" ; then + testit_expect_failure "smbclient anonymous.badpassword.NT1NEW.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS + testit_expect_failure "smbclient anonymous.badpassword.SMB3.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS +else + testit "smbclient anonymous.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS + testit "smbclient anonymous.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS + + testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS + testit "smbclient 
baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS +fi diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py index 35e81fc..c0108e0 100755 --- a/source3/selftest/tests.py +++ b/source3/selftest/tests.py @@ -129,8 +129,9 @@ for options in ["--option=clientusespnego=no", " --option=clientntlmv2auth=no -- env = "nt4_dc" plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options]) -for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc_ntvfs", "s4member"]: +for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc_ntvfs", "s4member", "fl2000dc"]: plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration]) + plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration]) for env in ["nt4_dc", "nt4_member", "ad_member"]: plantestsuite("samba3.blackbox.smbclient_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration]) 
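Review bot: The badpassword cases at the end of test_smbclient_ntlm.sh run only the NT1NEW and SMB3 variants, while the username.password and anonymous.nopassword groups also run NT1OLD (`--option=clientusespnego=no --option=clientntlmv2auth=no`). The commit message promises all combinations of NT1 with and without spnego, so the rejected-password and map-to-guest paths are not exercised without SPNEGO; if that is intentional, a comment in the `if`/`else` block should say why. Separately, `$SERVER`, `$USERNAME` and `$PASSWORD` are expanded unquoted in every `testit` line, so a password containing whitespace or glob characters would split the argument. Quoting them as `"-U$USERNAME%$PASSWORD"` and `"//$SERVER/IPC\$"` avoids that.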
@@ -159,6 +160,7 @@ for env in ["maptoguest", "simpleserver"]: env = "maptoguest" plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) bad username" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', 'notmy$USERNAME', '$PASSWORD', smbclient3, configuration + " --option=clientntlmv2auth=no --option=clientlanmanauth=yes"]) +plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$USERNAME', '$PASSWORD', "baduser", smbclient3, configuration]) # plain for env in ["nt4_dc"]: -- 1.9.1
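Review bot: The new plantestsuite line passes the literal `"baduser"` as the fourth script argument, but test_smbclient_ntlm.sh only compares that argument with `never`, so any other string, including a typo, silently selects the map-to-guest expectations. A comment on this line would make the contract visible, e.g. `# 4th argument: the env's "map to guest" mode; the script treats anything but "never" as guest mapping`. The earlier call in the per-env loop passes `"never"` and relies on the same convention.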