The Samba-Bugzilla – Attachment 14187 Details for Bug 13427: broken server side GENSEC_FEATURE_LDAP_STYLE handling (NTLMSSP NTLM2 packet check failed due to invalid signature!)
[patch]
Description: Possible patches for master
Filename: tmp.diff.txt
MIME Type: text/plain
Size: 6.67 KB
Creator: Stefan Metzmacher
Created: 2018-05-09 12:11:47 UTC
Flags: patch, obsolete
>From 28aaa68429f995bfb11e2a0a27d857f5b4d8ecad Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 9 May 2018 13:30:13 +0200 >Subject: [PATCH 1/3] auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal > option > >This will be used to similate a Windows client only >using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL >on an LDAP connection, which is indicated internally by >GENSEC_FEATURE_LDAP_STYLE. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > auth/ntlmssp/ntlmssp_client.c | 24 +++++++++++++++++------- > 1 file changed, 17 insertions(+), 7 deletions(-) > >diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c >index db2003f..54fda41 100644 >--- a/auth/ntlmssp/ntlmssp_client.c >+++ b/auth/ntlmssp/ntlmssp_client.c >@@ -865,13 +865,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) > * is requested. > */ > ntlmssp_state->force_wrap_seal = true; >- /* >- * We want also work against old Samba servers >- * which didn't had GENSEC_FEATURE_LDAP_STYLE >- * we negotiate SEAL too. We may remove this >- * in a few years. As all servers should have >- * GENSEC_FEATURE_LDAP_STYLE by then. >- */ >+ } >+ } >+ if (ntlmssp_state->force_wrap_seal) { >+ bool ret; >+ >+ /* >+ * We want also work against old Samba servers >+ * which didn't had GENSEC_FEATURE_LDAP_STYLE >+ * we negotiate SEAL too. We may remove this >+ * in a few years. As all servers should have >+ * GENSEC_FEATURE_LDAP_STYLE by then. >+ */ >+ ret = gensec_setting_bool(gensec_security->settings, >+ "ntlmssp_client", >+ "ldap_style_send_seal", >+ true); >+ if (ret) { > ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; > } > } >-- >1.9.1 > > >From 6ed5bcb51001c21f14831f9981bfd71d1fb30d49 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 9 May 2018 13:33:05 +0200 >Subject: [PATCH 2/3] s4:selftest: run test_ldb_simple.sh with more auth > options > >This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE >handling in our LDAP server. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 + > source4/selftest/tests.py | 7 +++++++ > 2 files changed, 8 insertions(+) > create mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal > >diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >new file mode 100644 >index 0000000..0cd7cc2 >--- /dev/null >+++ b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >@@ -0,0 +1 @@ >+^samba4.ldb.simple.ldap.*ldap_style_send_seal=no >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index ecf2c21..3b72104 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -113,6 +113,13 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]: > '--option=clientldapsaslwrapping=plain', > '--sign', > '--encrypt', >+ '-k yes --option=clientldapsaslwrapping=plain', >+ '-k yes --sign', >+ '-k yes --encrypt', >+ '-k no --option=clientldapsaslwrapping=plain', >+ '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no', >+ '-k no --sign', >+ '-k no --encrypt', > ] > > for auth_option in auth_options: >-- >1.9.1 > > >From 109f0487abdafc16a31a221f1ff57dccb0b2a775 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 7 May 2018 14:50:27 +0200 >Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE > as a server > >This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" >error messages, which were generated if the client only sends >NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP >connection. > >This fixes a regession in the combination of commits >77adac8c3cd2f7419894d18db735782c9646a202 and >3a0b835408a6efa339e8b34333906bfe3aacd6e3. > >We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end >of the authentication (as a server), while we need to (any already >do so at the beginning as a client). > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > auth/ntlmssp/gensec_ntlmssp_server.c | 19 ------------------- > auth/ntlmssp/ntlmssp_server.c | 8 ++++++++ > selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 - > 3 files changed, 8 insertions(+), 20 deletions(-) > delete mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal > >diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c >index c0e6cff..ab92f4d 100644 >--- a/auth/ntlmssp/gensec_ntlmssp_server.c >+++ b/auth/ntlmssp/gensec_ntlmssp_server.c 
>@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) > ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; > ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; > >- if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; >- } >- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; >- >- if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { >- /* >- * We need to handle NTLMSSP_NEGOTIATE_SIGN as >- * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE >- * is requested. >- */ >- ntlmssp_state->force_wrap_seal = true; >- } >- } >- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; >- } > > if (role == ROLE_STANDALONE) { > ntlmssp_state->server.is_standalone = true; >diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c >index 37ed2bc..140e89d 100644 >--- a/auth/ntlmssp/ntlmssp_server.c >+++ b/auth/ntlmssp/ntlmssp_server.c >@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, > data_blob_free(&ntlmssp_state->challenge_blob); > > if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { >+ if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { >+ /* >+ * We need to handle NTLMSSP_NEGOTIATE_SIGN as >+ * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE >+ * is requested. >+ */ >+ ntlmssp_state->force_wrap_seal = true; >+ } > nt_status = ntlmssp_sign_init(ntlmssp_state); > } > >diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >deleted file mode 100644 >index 0cd7cc2..0000000 >--- a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >+++ /dev/null 
>@@ -1 +0,0 @@ >-^samba4.ldb.simple.ldap.*ldap_style_send_seal=no >-- >1.9.1 >
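Review bot: in the ntlmssp_client.c hunk of 1/3, the comment that is moved above the new gensec_setting_bool() call keeps its original grammar ("We want also work against old Samba servers which didn't had GENSEC_FEATURE_LDAP_STYLE"); since the block is being relocated anyway, reword it to "We also want to work against old Samba servers which didn't have GENSEC_FEATURE_LDAP_STYLE, so we negotiate SEAL too" and name the new "ntlmssp_client:ldap_style_send_seal" knob in that comment, so the place to flip when the compatibility code is eventually removed is obvious. Defaulting the option to true keeps the existing behaviour (NTLMSSP_NEGOTIATE_SEAL stays in required_flags unless the option is explicitly set to no), which is the right choice for a bug-fix series, but the option is new and is not documented anywhere in this patch.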
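Review bot: in the source4/selftest/tests.py hunk of 2/3, the new auth_options entries such as '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no' contain embedded spaces, whereas the existing entries ('--sign', '--encrypt') are single options; this only works if the loop that consumes auth_option splits the string into separate argv elements (or passes it through a shell) instead of forwarding it as one argument, and that consumer is outside the hunk, so please confirm. An inline comment would also help: the ldap_style_send_seal=no entry is the one that reproduces the server-side bug, and it is what the knownfail pattern ^samba4.ldb.simple.ldap.*ldap_style_send_seal=no added in the same patch matches until 3/3 lands.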
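Review bot: in the gensec_ntlmssp_server.c hunk of 3/3, the removed block was the only place in gensec_ntlmssp_server_start() that set force_wrap_seal, and the surrounding context still ORs NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL into neg_flags unconditionally, so the want_features-driven SIGN/SEAL additions being deleted were redundant and only the GENSEC_FEATURE_LDAP_STYLE handling actually changes behaviour. That reasoning lives only in the commit message; add a one-line comment at the deletion site pointing readers to ntlmssp_server_postauth(), otherwise the hunk reads like lost functionality to anyone bisecting later.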
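Review bot: in the ntlmssp_server.c hunk of 3/3, setting force_wrap_seal before ntlmssp_sign_init() is the correct ordering, but the reason it has to happen in postauth rather than in server_start() (as the commit message puts it, the server must evaluate GENSEC_FEATURE_LDAP_STYLE at the end of authentication, because only then does it know that the client negotiated NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL) is not stated in the code; extend the copied comment with that sentence so the placement is self-explanatory. Nesting the check under gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN) means a client that negotiated neither SIGN nor SEAL on an LDAP connection is left alone, which matches the intent described in the commit message.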
Attachments on bug 13427: 14187 | 14202 | 14203