The Samba-Bugzilla – Attachment 13003 Details for
Bug 12557
gse_krb5 doesn't trigger a possible fallback to NTLMSSP via spnego
[patch]
patch for 4.6
ntlmssp_fallback_v4-6.patch (text/plain), 6.71 KB, created by
Andreas Schneider
on 2017-03-02 12:46:48 UTC
Description:
patch for 4.6
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2017-03-02 12:46:48 UTC
Size:
6.71 KB
patch
obsolete
>From 115d9c3c476a79c778833690377dd6d71b973fa8 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Fri, 20 Jan 2017 17:15:49 +0100
>Subject: [PATCH 1/2] gensec:spnego: Add debug message for the failed principal
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>(cherry picked from commit 4194a67c7efcb58ef2bb7efa1d1556d5fa0ce2e0)
>---
> auth/gensec/spnego.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++-----
> 1 file changed, 53 insertions(+), 5 deletions(-)
>
>diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
>index 47878922f96..f063f7b358b 100644
>--- a/auth/gensec/spnego.c
>+++ b/auth/gensec/spnego.c
>@@ -511,10 +511,34 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
> NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
> NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
> NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
>- /* Pretend we never started it (lets the first run find some incompatible demand) */
>+ const char *next = NULL;
>+ const char *principal = NULL;
>+ int dbg_level = DBGLVL_WARNING;
>+
>+ if (all_sec[i+1].op != NULL) {
>+ next = all_sec[i+1].op->name;
>+ dbg_level = DBGLVL_NOTICE;
>+ }
>+
>+ if (gensec_security->target.principal != NULL) {
>+ principal = gensec_security->target.principal;
>+ } else if (gensec_security->target.service != NULL &&
>+ gensec_security->target.hostname != NULL)
>+ {
>+ principal = talloc_asprintf(spnego_state->sub_sec_security,
>+ "%s/%s",
>+ gensec_security->target.service,
>+ gensec_security->target.hostname);
>+ } else {
>+ principal = gensec_security->target.hostname;
>+ }
>+
>+ DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
>+ spnego_state->sub_sec_security->ops->name,
>+ principal,
>+ next, nt_errstr(nt_status)));
>
>- DEBUG(3, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
>- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
>+ /* Pretend we never started it (lets the first run find some incompatible demand) */
> talloc_free(spnego_state->sub_sec_security);
> spnego_state->sub_sec_security = NULL;
> continue;
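Review bot: Every `%s` argument of the new DEBUG line can be NULL: `next` stays NULL when `all_sec[i+1].op` is NULL, `talloc_asprintf` returns NULL on allocation failure, and `target.hostname` may be NULL in the final `else`. Unless Samba's debug formatter is known to render a NULL `%s` as "(null)", that is undefined behaviour by the C standard; a guard such as `if (principal == NULL) { principal = "<unknown>"; }` after the if/else chain and `next != NULL ? next : "<none>", nt_errstr(nt_status)` in the call would make the log line safe. The same block of roughly 25 lines is repeated verbatim in the second hunk of this file (gensec_spnego_create_negTokenInit); a `static` helper taking gensec_security, spnego_state, the next op and nt_status would keep the two copies from drifting, and the principal string's lifetime would still be tied to sub_sec_security, which is freed a few lines later. gensec_spnego_parse_negTokenInit starts and ends outside the hunk.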
>@@ -619,8 +643,32 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
>
> if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
> && !NT_STATUS_IS_OK(nt_status)) {
>- DEBUG(1, ("SPNEGO(%s) creating NEG_TOKEN_INIT failed: %s\n",
>- spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
>+ const char *next = NULL;
>+ const char *principal = NULL;
>+ int dbg_level = DBGLVL_WARNING;
>+
>+ if (all_sec[i+1].op != NULL) {
>+ next = all_sec[i+1].op->name;
>+ dbg_level = DBGLVL_NOTICE;
>+ }
>+
>+ if (gensec_security->target.principal != NULL) {
>+ principal = gensec_security->target.principal;
>+ } else if (gensec_security->target.service != NULL &&
>+ gensec_security->target.hostname != NULL)
>+ {
>+ principal = talloc_asprintf(spnego_state->sub_sec_security,
>+ "%s/%s",
>+ gensec_security->target.service,
>+ gensec_security->target.hostname);
>+ } else {
>+ principal = gensec_security->target.hostname;
>+ }
>+
>+ DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
>+ spnego_state->sub_sec_security->ops->name,
>+ principal,
>+ next, nt_errstr(nt_status)));
> talloc_free(spnego_state->sub_sec_security);
> spnego_state->sub_sec_security = NULL;
> /* Pretend we never started it (lets the first run find some incompatible demand) */
>--
>2.12.0
>
>
>From 70a00e4981d852ac9e11d4a9ab8f533428c795d2 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Mon, 27 Feb 2017 17:18:15 +0100
>Subject: [PATCH 2/2] s3:librpc: Handle gss_min in gse_get_client_auth_token()
> correctly
>
>This will make sure we correctly fall back to NTLMSSP.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=12557
>
>Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Thu Mar 2 12:41:40 CET 2017 on sn-devel-144
>
>(cherry picked from commit ed42d6e81f6c7cf4ed78b2bc9fcdf6c9d970ca55)
>---
> source3/librpc/crypto/gse.c | 46 +++++++++++++++++++++++++++++++++++++++------
> 1 file changed, 40 insertions(+), 6 deletions(-)
>
>diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
>index 99971d30881..abf20bc7dfd 100644
>--- a/source3/librpc/crypto/gse.c
>+++ b/source3/librpc/crypto/gse.c
>@@ -345,14 +345,48 @@ static NTSTATUS gse_get_client_auth_token(TALLOC_CTX *mem_ctx,
> /* we will need a third leg */
> status = NT_STATUS_MORE_PROCESSING_REQUIRED;
> break;
>- default:
>- if ((gss_maj == GSS_S_FAILURE) &&
>- (gss_min == (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED)) {
>+ case GSS_S_CONTEXT_EXPIRED:
>+ /* Make SPNEGO ignore us, we can't go any further here */
>+ DBG_NOTICE("Context expired\n");
>+ status = NT_STATUS_INVALID_PARAMETER;
>+ goto done;
>+ case GSS_S_FAILURE:
>+ switch (gss_min) {
>+ case (OM_uint32)KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
>+ DBG_NOTICE("Server principal not found\n");
>+ /* Make SPNEGO ignore us, we can't go any further here */
>+ status = NT_STATUS_INVALID_PARAMETER;
>+ goto done;
>+ case (OM_uint32)KRB5KRB_AP_ERR_TKT_EXPIRED:
> DBG_NOTICE("Ticket expired\n");
>- } else {
>- DBG_ERR("gss_init_sec_context failed with [%s]\n",
>- gse_errstr(talloc_tos(), gss_maj, gss_min));
>+ /* Make SPNEGO ignore us, we can't go any further here */
>+ status = NT_STATUS_INVALID_PARAMETER;
>+ goto done;
>+ case (OM_uint32)KRB5KRB_AP_ERR_TKT_NYV:
>+ DBG_NOTICE("Clockskew\n");
>+ /* Make SPNEGO ignore us, we can't go any further here */
>+ status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
>+ goto done;
>+ case (OM_uint32)KRB5_KDC_UNREACH:
>+ DBG_NOTICE("KDC unreachable\n");
>+ /* Make SPNEGO ignore us, we can't go any further here */
>+ status = NT_STATUS_NO_LOGON_SERVERS;
>+ goto done;
>+ case (OM_uint32)KRB5KRB_AP_ERR_MSG_TYPE:
>+ /* Garbage input, possibly from the auto-mech detection */
>+ status = NT_STATUS_INVALID_PARAMETER;
>+ goto done;
>+ default:
>+ DBG_ERR("gss_init_sec_context failed with [%s](%u)\n",
>+ gse_errstr(talloc_tos(), gss_maj, gss_min),
>+ gss_min);
>+ status = NT_STATUS_LOGON_FAILURE;
>+ goto done;
> }
>+ break;
>+ default:
>+ DBG_ERR("gss_init_sec_context failed with [%s]\n",
>+ gse_errstr(talloc_tos(), gss_maj, gss_min));
> status = NT_STATUS_INTERNAL_ERROR;
> goto done;
> }
>--
>2.12.0
>
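Review bot: The `KRB5KRB_AP_ERR_MSG_TYPE` case is the only new branch that returns a fallback-triggering status without logging anything, so a client that moves from Kerberos to the next SPNEGO mechanism on that path leaves no trace at any debug level; a line such as `DBG_NOTICE("Garbage input (KRB5KRB_AP_ERR_MSG_TYPE), possibly from auto-mech detection\n");` before the assignment would keep that downgrade visible when unexpected NTLMSSP use is being diagnosed. The inner `default:` maps unknown minor codes to NT_STATUS_LOGON_FAILURE rather than to one of the statuses the spnego.c hunk above lists in its fallback condition; that looks intentional, so a why-comment like `/* Unknown Kerberos failure: report it rather than letting SPNEGO try another mech */` would stop a later edit from "fixing" it. That same branch prints `gss_min` with `%u`; OM_uint32 is unsigned int on common platforms, but if it is ever a `uint32_t` typedef the portable spelling is `PRIu32`. The `break;` after the inner switch is unreachable, since every inner case ends in `goto done`. gse_get_client_auth_token and the enclosing `switch (gss_maj)` start outside the hunk.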
Flags:
metze
:
review+