Attachment 14187 Details for Bug 13427 – Possible patches for master

[patch] Possible patches for master

tmp.diff.txt (text/plain), 6.67 KB, created by Stefan Metzmacher on 2018-05-09 12:11:47 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2018-05-09 12:11:47 UTC

Size: 6.67 KB

patch

obsolete

>From 28aaa68429f995bfb11e2a0a27d857f5b4d8ecad Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 9 May 2018 13:30:13 +0200
>Subject: [PATCH 1/3] auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal
> option
>
>This will be used to similate a Windows client only
>using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL
>on an LDAP connection, which is indicated internally by
>GENSEC_FEATURE_LDAP_STYLE.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/ntlmssp/ntlmssp_client.c | 24 +++++++++++++++++-------
> 1 file changed, 17 insertions(+), 7 deletions(-)
>
>diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
>index db2003f..54fda41 100644
>--- a/auth/ntlmssp/ntlmssp_client.c
>+++ b/auth/ntlmssp/ntlmssp_client.c
>@@ -865,13 +865,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
> 			 * is requested.
> 			 */
> 			ntlmssp_state->force_wrap_seal = true;
>-			/*
>-			 * We want also work against old Samba servers
>-			 * which didn't had GENSEC_FEATURE_LDAP_STYLE
>-			 * we negotiate SEAL too. We may remove this
>-			 * in a few years. As all servers should have
>-			 * GENSEC_FEATURE_LDAP_STYLE by then.
>-			 */
>+		}
>+	}
>+	if (ntlmssp_state->force_wrap_seal) {
>+		bool ret;
>+
>+		/*
>+		 * We want also work against old Samba servers
>+		 * which didn't had GENSEC_FEATURE_LDAP_STYLE
>+		 * we negotiate SEAL too. We may remove this
>+		 * in a few years. As all servers should have
>+		 * GENSEC_FEATURE_LDAP_STYLE by then.
>+		 */
>+		ret = gensec_setting_bool(gensec_security->settings,
>+					  "ntlmssp_client",
>+					  "ldap_style_send_seal",
>+					  true);
>+		if (ret) {
> 			ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
> 		}
> 	}
>-- 
>1.9.1
>
>
>From 6ed5bcb51001c21f14831f9981bfd71d1fb30d49 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 9 May 2018 13:33:05 +0200
>Subject: [PATCH 2/3] s4:selftest: run test_ldb_simple.sh with more auth
> options
>
>This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE
>handling in our LDAP server.
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 +
> source4/selftest/tests.py                         | 7 +++++++
> 2 files changed, 8 insertions(+)
> create mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal
>
>diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
>new file mode 100644
>index 0000000..0cd7cc2
>--- /dev/null
>+++ b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
>@@ -0,0 +1 @@
>+^samba4.ldb.simple.ldap.*ldap_style_send_seal=no
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index ecf2c21..3b72104 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -113,6 +113,13 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
>         '--option=clientldapsaslwrapping=plain',
>         '--sign',
>         '--encrypt',
>+        '-k yes --option=clientldapsaslwrapping=plain',
>+        '-k yes --sign',
>+        '-k yes --encrypt',
>+        '-k no --option=clientldapsaslwrapping=plain',
>+        '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no',
>+        '-k no --sign',
>+        '-k no --encrypt',
>     ]
> 
>     for auth_option in auth_options:
>-- 
>1.9.1
>
>
>From 109f0487abdafc16a31a221f1ff57dccb0b2a775 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 7 May 2018 14:50:27 +0200
>Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE
> as a server
>
>This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
>error messages, which were generated if the client only sends
>NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
>connection.
>
>This fixes a regession in the combination of commits
>77adac8c3cd2f7419894d18db735782c9646a202 and
>3a0b835408a6efa339e8b34333906bfe3aacd6e3.
>
>We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
>of the authentication (as a server), while we need to (any already
>do so at the beginning as a client).
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/ntlmssp/gensec_ntlmssp_server.c              | 19 -------------------
> auth/ntlmssp/ntlmssp_server.c                     |  8 ++++++++
> selftest/knownfail.d/ntlmssp_ldap_style_send_seal |  1 -
> 3 files changed, 8 insertions(+), 20 deletions(-)
> delete mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal
>
>diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
>index c0e6cff..ab92f4d 100644
>--- a/auth/ntlmssp/gensec_ntlmssp_server.c
>+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
>@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
> 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
> 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
> 
>-	if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
>-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
>-	}
>-	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
>-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
>-
>-		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
>-			/*
>-			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
>-			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
>-			 * is requested.
>-			 */
>-			ntlmssp_state->force_wrap_seal = true;
>-		}
>-	}
>-	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
>-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
>-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
>-	}
> 
> 	if (role == ROLE_STANDALONE) {
> 		ntlmssp_state->server.is_standalone = true;
>diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
>index 37ed2bc..140e89d 100644
>--- a/auth/ntlmssp/ntlmssp_server.c
>+++ b/auth/ntlmssp/ntlmssp_server.c
>@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
> 	data_blob_free(&ntlmssp_state->challenge_blob);
> 
> 	if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
>+		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
>+			/*
>+			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
>+			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
>+			 * is requested.
>+			 */
>+			ntlmssp_state->force_wrap_seal = true;
>+		}
> 		nt_status = ntlmssp_sign_init(ntlmssp_state);
> 	}
> 
>diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
>deleted file mode 100644
>index 0cd7cc2..0000000
>--- a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba4.ldb.simple.ldap.*ldap_style_send_seal=no
>-- 
>1.9.1
>

Actions: View

Attachments on bug 13427: 14187 | 14202 | 14203