The Samba-Bugzilla – Attachment 14202 Details for
Bug 13427
broken server side GENSEC_FEATURE_LDAP_STYLE handling (NTLMSSP NTLM2 packet check failed due to invalid signature!)
[patch]
patch for 4.8 cherry-picked from master
ntlmssp.patch.txt (text/plain), 7.71 KB, created by Andrew Bartlett on 2018-05-16 10:15:48 UTC
>From 31e168958987826ab7cce61b854daf2a8f3f2adb Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 9 May 2018 13:30:13 +0200 >Subject: [PATCH 1/3] auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal > option > >This will be used to similate a Windows client only >using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL >on an LDAP connection, which is indicated internally by >GENSEC_FEATURE_LDAP_STYLE. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d) >--- > auth/ntlmssp/ntlmssp_client.c | 24 +++++++++++++++++------- > 1 file changed, 17 insertions(+), 7 deletions(-) > >diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c >index db2003f0d6b..54fda41b534 100644 >--- a/auth/ntlmssp/ntlmssp_client.c >+++ b/auth/ntlmssp/ntlmssp_client.c >@@ -865,13 +865,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) > * is requested. > */ > ntlmssp_state->force_wrap_seal = true; >- /* >- * We want also work against old Samba servers >- * which didn't had GENSEC_FEATURE_LDAP_STYLE >- * we negotiate SEAL too. We may remove this >- * in a few years. As all servers should have >- * GENSEC_FEATURE_LDAP_STYLE by then. >- */ >+ } >+ } >+ if (ntlmssp_state->force_wrap_seal) { >+ bool ret; >+ >+ /* >+ * We want also work against old Samba servers >+ * which didn't had GENSEC_FEATURE_LDAP_STYLE >+ * we negotiate SEAL too. We may remove this >+ * in a few years. As all servers should have >+ * GENSEC_FEATURE_LDAP_STYLE by then. >+ */ >+ ret = gensec_setting_bool(gensec_security->settings, >+ "ntlmssp_client", >+ "ldap_style_send_seal", >+ true); >+ if (ret) { > ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; > } > } >-- >2.14.3 > > >From 1734791570ff0eb57a04fef779a093c20c83ed9d Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 9 May 2018 13:33:05 +0200 >Subject: [PATCH 2/3] s4:selftest: run test_ldb_simple.sh with more auth > options > >This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE >handling in our LDAP server. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit fc1c5bd3be2c3f90eab2f31e43cf053f7ff13782) >--- > selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 + > source4/selftest/tests.py | 7 +++++++ > 2 files changed, 8 insertions(+) > create mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal > >diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >new file mode 100644 >index 00000000000..0cd7cc2ea39 >--- /dev/null >+++ b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >@@ -0,0 +1 @@ >+^samba4.ldb.simple.ldap.*ldap_style_send_seal=no >diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >index 621a61347bc..226617f3b6a 100755 >--- a/source4/selftest/tests.py >+++ b/source4/selftest/tests.py >@@ -116,6 +116,13 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]: > '--option=clientldapsaslwrapping=plain', > '--sign', > '--encrypt', >+ '-k yes --option=clientldapsaslwrapping=plain', >+ '-k yes --sign', >+ '-k yes --encrypt', >+ '-k no --option=clientldapsaslwrapping=plain', >+ '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no', >+ '-k no --sign', >+ '-k no --encrypt', > ] > > for auth_option in auth_options: >-- >2.14.3 > > >From 4b612bcfb938a49b2725e913a95004bd9fa6c3c3 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 7 May 2018 14:50:27 +0200 >Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE > as a server > >This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" >error messages, which were generated if the client only sends >NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP >connection. > >This fixes a regession in the combination of commits >77adac8c3cd2f7419894d18db735782c9646a202 and >3a0b835408a6efa339e8b34333906bfe3aacd6e3. > >We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end >of the authentication (as a server, while we already >do so at the beginning as a client). > >As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE >(as an internal flag) in order to let us work as a >Windows using NTLMSSP for LDAP. Even if only signing is >negotiated during the authentication the following PDUs >will still be encrypted if NTLMSSP is used. This is exactly the >same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. >I guess it's a bug in Windows, but we have to reimplement that >bug. Note this only applies to NTLMSSP and only to LDAP! >Signing only works fine for LDAP with Kerberos >or DCERPC and NTLMSSP. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144 > >(cherry picked from commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa) >--- > auth/ntlmssp/gensec_ntlmssp_server.c | 19 ------------------- > auth/ntlmssp/ntlmssp_server.c | 8 ++++++++ > selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 - > 3 files changed, 8 insertions(+), 20 deletions(-) > delete mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal 
> >diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c >index c0e6cff5952..ab92f4d0c09 100644 >--- a/auth/ntlmssp/gensec_ntlmssp_server.c >+++ b/auth/ntlmssp/gensec_ntlmssp_server.c >@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) > ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; > ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; > >- if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; >- } >- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; >- >- if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { >- /* >- * We need to handle NTLMSSP_NEGOTIATE_SIGN as >- * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE >- * is requested. >- */ >- ntlmssp_state->force_wrap_seal = true; >- } >- } >- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; >- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; >- } > > if (role == ROLE_STANDALONE) { > ntlmssp_state->server.is_standalone = true; >diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c >index 37ed2bc9565..140e89daeb1 100644 >--- a/auth/ntlmssp/ntlmssp_server.c >+++ b/auth/ntlmssp/ntlmssp_server.c >@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, > data_blob_free(&ntlmssp_state->challenge_blob); > > if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { >+ if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { >+ /* >+ * We need to handle NTLMSSP_NEGOTIATE_SIGN as >+ * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE >+ * is requested. >+ */ >+ ntlmssp_state->force_wrap_seal = true; >+ } > nt_status = ntlmssp_sign_init(ntlmssp_state); > } 
> >diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >deleted file mode 100644 >index 0cd7cc2ea39..00000000000 >--- a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.ldb.simple.ldap.*ldap_style_send_seal=no >-- >2.14.3 >
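Review bot: the new `ntlmssp_client:ldap_style_send_seal` option introduced in the ntlmssp_client.c hunk of patch 1/3 is undocumented in this series; since it is a test knob meant to simulate a Windows client that negotiates NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL, a comment next to the `gensec_setting_bool()` call saying exactly that, and that it should stay at its default against old Samba servers, would help future readers. Defaulting the setting to `true` keeps the previous behaviour of always adding `NTLMSSP_NEGOTIATE_SEAL` to `required_flags`, so nothing changes for existing deployments. As the moved comment is touched anyway, its grammar could be fixed at the same time ("We also want to work against old Samba servers which didn't have GENSEC_FEATURE_LDAP_STYLE, so we negotiate SEAL too").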
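Review bot: the knownfail entry `^samba4.ldb.simple.ldap.*ldap_style_send_seal=no` added in patch 2/3 is removed again in patch 3/3 together with the server fix, which keeps the series bisectable; the unescaped dots in `samba4.ldb.simple.ldap` act as regex wildcards, which is harmless here but `\.` would make the pattern precise.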
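Review bot: in the tests.py hunk of patch 2/3 only the `'-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no'` entry reproduces bug 13427 (a SIGN-only NTLMSSP bind over LDAP), and it is the only entry matched by the knownfail pattern; the `-k yes` variants go through Kerberos, for which the commit message of patch 3/3 states that signing-only already works, so they add regression coverage rather than a reproducer. A short comment in the `auth_options` list marking which entry exercises the bug would keep that intent visible when the list is edited later.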
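Review bot: dropping the `want_features` evaluation from gensec_ntlmssp_server_start() in the gensec_ntlmssp_server.c hunk is safe only because the two context lines directly above the removed block already set both `NTLMSSP_NEGOTIATE_SIGN` and `NTLMSSP_NEGOTIATE_SEAL` unconditionally in `neg_flags`, so the removed GENSEC_FEATURE_SESSION_KEY/SIGN/SEAL branches were re-adding flags that were already present; the only behavioural change is that `force_wrap_seal` is no longer set at start time. A one-line comment above `ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;` saying that the server offers both and that GENSEC_FEATURE_LDAP_STYLE is now evaluated in ntlmssp_server_postauth() would keep the two files readable side by side.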
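Review bot: in the ntlmssp_server.c hunk, setting `force_wrap_seal` inside the `gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)` branch of ntlmssp_server_postauth() ties the decision to what was actually negotiated instead of to `want_features` at start, and it has to stay before the `nt_status = ntlmssp_sign_init(ntlmssp_state);` call so that the signing state is initialised with sealing already forced. The copied comment should also say why this is done here rather than at start (the negotiated flags are only known once the AUTHENTICATE message has been processed); at the moment that rationale lives only in the commit message.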
Flags: metze: review+