From 28aaa68429f995bfb11e2a0a27d857f5b4d8ecad Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 9 May 2018 13:30:13 +0200
Subject: [PATCH 1/3] auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
This will be used to similate a Windows client only using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection, which is indicated internally by GENSEC_FEATURE_LDAP_STYLE.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
Signed-off-by: Stefan Metzmacher
---
 auth/ntlmssp/ntlmssp_client.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index db2003f..54fda41 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -865,13 +865,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 * is requested.
 */
 ntlmssp_state->force_wrap_seal = true;
- /*
- * We want also work against old Samba servers
- * which didn't had GENSEC_FEATURE_LDAP_STYLE
- * we negotiate SEAL too. We may remove this
- * in a few years. As all servers should have
- * GENSEC_FEATURE_LDAP_STYLE by then.
- */
+ }
+ }
+ if (ntlmssp_state->force_wrap_seal) {
+ bool ret;
+
+ /*
+ * We want also work against old Samba servers
+ * which didn't had GENSEC_FEATURE_LDAP_STYLE
+ * we negotiate SEAL too. We may remove this
+ * in a few years. As all servers should have
+ * GENSEC_FEATURE_LDAP_STYLE by then.
+ */
+ ret = gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client",
+ "ldap_style_send_seal",
+ true);
+ if (ret) {
 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 }
 }
-- 
1.9.1
From 6ed5bcb51001c21f14831f9981bfd71d1fb30d49 Mon Sep 17 00:00:00 2001 
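Review bot: The comment block moved into the new `if (ntlmssp_state->force_wrap_seal)` branch still only explains the old-Samba compatibility reason for negotiating SEAL and says nothing about the `ldap_style_send_seal` option it now guards, so a reader of ntlmssp_client.c cannot tell that `ntlmssp_client:ldap_style_send_seal = no` exists only to mimic a Windows client that negotiates NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL, as the commit message states. I would add a line to that comment such as `* The ntlmssp_client:ldap_style_send_seal option is a test-only knob that mimics clients negotiating SIGN without SEAL; leave it at its default of true outside selftest.` Since `force_wrap_seal` is already set to true in the context lines above, turning the option off presumably changes only which flag is negotiated and not whether this client wraps with sealing; that is worth stating in the comment if the reading is correct. `ret` is an unhelpful name for the looked-up setting; `send_seal` would read better at the call site. gensec_ntlmssp_client_start begins before this hunk and continues after it.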
From: Stefan Metzmacher
Date: Wed, 9 May 2018 13:33:05 +0200
Subject: [PATCH 2/3] s4:selftest: run test_ldb_simple.sh with more auth options
This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE handling in our LDAP server.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
Signed-off-by: Stefan Metzmacher
---
 selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 +
 source4/selftest/tests.py | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal
diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
new file mode 100644
index 0000000..0cd7cc2
--- /dev/null
+++ b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
@@ -0,0 +1 @@
+^samba4.ldb.simple.ldap.*ldap_style_send_seal=no
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ecf2c21..3b72104 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -113,6 +113,13 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
 '--option=clientldapsaslwrapping=plain',
 '--sign',
 '--encrypt',
+ '-k yes --option=clientldapsaslwrapping=plain',
+ '-k yes --sign',
+ '-k yes --encrypt',
+ '-k no --option=clientldapsaslwrapping=plain',
+ '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no',
+ '-k no --sign',
+ '-k no --encrypt',
 ]
 for auth_option in auth_options:
-- 
1.9.1
From 109f0487abdafc16a31a221f1ff57dccb0b2a775 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher
Date: Mon, 7 May 2018 14:50:27 +0200
Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection. This fixes a regession in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3. We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server), while we need to (any already do so at the beginning as a client).
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
Signed-off-by: Stefan Metzmacher
---
 auth/ntlmssp/gensec_ntlmssp_server.c | 19 -------------------
 auth/ntlmssp/ntlmssp_server.c | 8 ++++++++
 selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 -
 3 files changed, 8 insertions(+), 20 deletions(-)
 delete mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index c0e6cff..ab92f4d 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c 
@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
- if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-
- if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
- /*
- * We need to handle NTLMSSP_NEGOTIATE_SIGN as
- * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
- * is requested.
- */
- ntlmssp_state->force_wrap_seal = true;
- }
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
- }
 if (role == ROLE_STANDALONE) {
 ntlmssp_state->server.is_standalone = true;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 37ed2bc..140e89d 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
 data_blob_free(&ntlmssp_state->challenge_blob);
 if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
+ /*
+ * We need to handle NTLMSSP_NEGOTIATE_SIGN as
+ * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
+ * is requested.
+ */
+ ntlmssp_state->force_wrap_seal = true;
+ }
 nt_status = ntlmssp_sign_init(ntlmssp_state);
 }
diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
deleted file mode 100644
index 0cd7cc2..0000000
--- a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldb.simple.ldap.*ldap_style_send_seal=no
-- 
1.9.1
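Review bot: The comment moved into ntlmssp_server_postauth repeats the old "handle SIGN as SEAL" wording but does not record why this decision had to leave gensec_ntlmssp_server_start and run at the end of authentication, which is the whole point of the fix; without that rationale in the code a later cleanup could hoist the check back into server_start and reintroduce the "NTLMSSP NTLM2 packet check failed due to invalid signature!" failures named in the commit message. I would extend the comment with `* As a server this must be decided here, at the end of authentication and before ntlmssp_sign_init(), not in gensec_ntlmssp_server_start(): want_features is not final at start time (bug 13427).` The claim that want_features is incomplete at start is my reading of the commit message rather than something the hunk shows, so confirm it before wording the comment that way; likewise the ordering only matters if ntlmssp_sign_init() consumes force_wrap_seal, which is not visible here. The removal in gensec_ntlmssp_server_start above is the matching half of the move. ntlmssp_server_postauth begins before this hunk and continues after it.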