From 5739fba0cff2086e91c80b14e5d59a42e1fe26cc Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 31 Aug 2016 12:33:19 -0700 Subject: [PATCH 1/3] auth: gensec: Add new flag GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994 Signed-off-by: Jeremy Allison --- auth/gensec/gensec.h | 1 + 1 file changed, 1 insertion(+) diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index e8bd7b1..8eb3173 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -63,6 +63,7 @@ struct gensec_target { #define GENSEC_FEATURE_UNIX_TOKEN 0x00000100 #define GENSEC_FEATURE_NTLM_CCACHE 0x00000200 #define GENSEC_FEATURE_LDAP_STYLE 0x00000400 +#define GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC 0x00000800 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL -- 2.8.0.rc3.226.g39d4020 From c2bb4767f77947fdbfe059f253cb313084f29606 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 31 Aug 2016 13:13:08 -0700 Subject: [PATCH 2/3] auth: gensec: Implement spnego feature GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC. Needed for Microsoft Azure and Apple El Capitan SMB Servers. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994 Signed-off-by: Jeremy Allison --- auth/gensec/spnego.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index ef30ab7..4db44af 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c @@ -1171,6 +1171,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA { bool have_sign = true; bool new_spnego = false; + bool ignore_mic = false; have_sign = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_SIGN); 
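Review bot: The new flag name in gensec.h spells the protocol as SPENGO rather than SPNEGO, and because it sits with the other public GENSEC_FEATURE_* bits the typo is copied by every user (it already is in the spnego.c and cliconnect.c patches of this series); `#define GENSEC_FEATURE_SPNEGO_IGNORE_SERVER_MIC 0x00000800` would be the name to introduce. The define also carries no comment, and unlike its neighbours this bit relaxes an integrity check instead of requesting a capability. I would add one such as `/* client only: accept accept-completed without mechListMIC; removes SPNEGO downgrade protection */`.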
@@ -1182,6 +1183,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA switch (spnego.negTokenTarg.negResult) { case SPNEGO_ACCEPT_COMPLETED: + /* + * Does the client want us to ignore the + * fact the server didn't send a mechListMIC + * in the accept-completed reply ? + * Microsoft Azure and Apple El Capitan + * SMB Servers have this bug. + */ + ignore_mic = gensec_have_feature( + spnego_state->sub_sec_security, + GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC); + if (ignore_mic && + spnego.negTokenTarg.mechListMIC.length + == 0) { + new_spnego = false; + } + break; + case SPNEGO_NONE_RESULT: if (spnego_state->num_targs == 1) { /* -- 2.8.0.rc3.226.g39d4020 From cee5ffe89e5b1aa4c9a0e423803f59a4e9a29b92 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 31 Aug 2016 13:15:14 -0700 Subject: [PATCH 3/3] s3: libsmb: Allow connection to SMB servers that don't return a mechListMic value in the final accept-complete spnego exchange. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994 Signed-off-by: Jeremy Allison --- source3/libsmb/cliconnect.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9c8851f..b007c2a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1348,6 +1348,8 @@ static struct tevent_req *cli_session_setup_gensec_send( gensec_want_feature(state->auth_generic->gensec_security, GENSEC_FEATURE_SESSION_KEY); + gensec_want_feature(state->auth_generic->gensec_security, + GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC); if (cli->use_ccache) { gensec_want_feature(state->auth_generic->gensec_security, GENSEC_FEATURE_NTLM_CCACHE); -- 2.8.0.rc3.226.g39d4020
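Review bot: The added `break;` after the new block is unconditional, so SPNEGO_ACCEPT_COMPLETED no longer falls through into the SPNEGO_NONE_RESULT case for any caller, including ones that never request the feature. If the shared handling there (the `num_targs == 1` branch visible at the end of the hunk) is still wanted, replace `break;` with `/* fall through */`. The flag is read with gensec_have_feature() on `spnego_state->sub_sec_security`, while the cliconnect.c patch requests it on the outer gensec context; whether the sub-mechanism reports a bit it does not itself implement is not visible here and should be confirmed, otherwise `ignore_mic` is always false. Since waiving the mechListMIC check drops the integrity protection of the negotiated mechanism list, a log message at the point where `new_spnego` is cleared would make the relaxation visible to operators. gensec_spnego_update starts and ends outside the hunk.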
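Review bot: The feature is requested unconditionally in cli_session_setup_gensec_send, so every client session setup will accept a final reply without mechListMIC, not only connections to the servers named in the series. That turns a per-server workaround into a global loss of SPNEGO downgrade protection for the client. I would gate the `gensec_want_feature(..., GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC)` call on an opt-in configuration setting that defaults to off, and put a comment above it such as `/* BUG 11994: some servers omit mechListMIC in accept-completed */`. The function body continues outside the hunk.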