The Samba-Bugzilla – Attachment 15537 Details for
Bug 14106
Fix spnego fallback from kerberos to ntlmssp in smbd server
[patch]
Patch for v4-9-test branch
spnego_v4-9-test.patch (text/plain), 6.11 KB, created by
Isaac Boukris
on 2019-10-14 15:57:30 UTC
Description:
Patch for v4-9-test branch
Creator:
Isaac Boukris
Created:
2019-10-14 15:57:30 UTC
Size:
6.11 KB
>From 55d19011faa99fae6ddcd778e433a0b253e0c7b4 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 4 Sep 2019 16:31:21 +0300
>Subject: [PATCH 1/3] spnego: add client option to omit sending an optimistic
> token
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
>
>Signed-off-by: Isaac Boukris <iboukris@redhat.com>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>---
> auth/gensec/spnego.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
>diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
>index 0b3fbdce7ac..6bb5c8b6417 100644
>--- a/auth/gensec/spnego.c
>+++ b/auth/gensec/spnego.c
>@@ -136,6 +136,7 @@ struct spnego_state {
> bool done_mic_check;
>
> bool simulate_w2k;
>+ bool no_optimistic;
>
> /*
> * The following is used to implement
>@@ -187,6 +188,10 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
>
> spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
> "spnego", "simulate_w2k", false);
>+ spnego_state->no_optimistic = gensec_setting_bool(gensec_security->settings,
>+ "spnego",
>+ "client_no_optimistic",
>+ false);
>
> gensec_security->private_data = spnego_state;
> return NT_STATUS_OK;
>@@ -1923,6 +1928,12 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
> * blob and NT_STATUS_OK.
> */
> state->sub.status = NT_STATUS_OK;
>+ } else if (spnego_state->state_position == SPNEGO_CLIENT_START &&
>+ spnego_state->no_optimistic) {
>+ /*
>+ * Skip optimistic token per conf.
>+ */
>+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
> } else {
> /*
> * MORE_PROCESSING_REQUIRED =>
>--
>2.21.0
>
>
>From e03ce41c911d5fead3f11c2eedce6baf7164e232 Mon Sep 17 00:00:00 2001
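Review bot: The `else if` added to gensec_spnego_update_pre (third hunk of PATCH 1/3) is documented only by `Skip optimistic token per conf.`, which names neither the setting nor the reason MORE_PROCESSING_REQUIRED is the right status. A fuller comment would help, e.g. `/* spnego:client_no_optimistic is set: do not call the sub mechanism on the first leg, so the negTokenInit goes out without a mechToken. */`. That the outgoing token is then empty is inferred from the branch not invoking the sub mechanism, so confirm it against the code after the hunk. The `bool no_optimistic;` member added in the first hunk has the same gap and would benefit from a one-line comment naming the option that sets it. The if/else chain starts and ends outside the hunk.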
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 4 Sep 2019 16:39:43 +0300
>Subject: [PATCH 2/3] selftest: add tests for no optimistic spnego exchange
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
>
>Signed-off-by: Isaac Boukris <iboukris@redhat.com>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>---
> selftest/knownfail.d/spnego_no_optimistic | 1 +
> source4/selftest/tests.py | 4 ++++
> 2 files changed, 5 insertions(+)
> create mode 100644 selftest/knownfail.d/spnego_no_optimistic
>
>diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
>new file mode 100644
>index 00000000000..54f51446be0
>--- /dev/null
>+++ b/selftest/knownfail.d/spnego_no_optimistic
>@@ -0,0 +1 @@
>+^samba4.smb.spnego.*.no_optimistic
>diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
>index aa54308c524..9c3c77f1c56 100755
>--- a/source4/selftest/tests.py
>+++ b/source4/selftest/tests.py
>@@ -513,6 +513,10 @@ plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_sha
> plansmbtorture4testsuite('base.xcopy', "ad_dc_ntvfs", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=required', '-U%'], modname="samba4.smb.signing --signing=required anon")
> plansmbtorture4testsuite('base.xcopy', "s4member", ['//$NETBIOSNAME/xcopy_share', '-k', 'no', '--signing=no', '-U%'], modname="samba4.smb.signing --signing=no anon")
>
>+# Test SPNEGO without issuing an optimistic token
>+opt='--option=spnego:client_no_optimistic=yes'
>+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'no'], modname="samba4.smb.spnego.ntlmssp.no_optimistic")
>+plansmbtorture4testsuite('base.xcopy', "ad_dc", ['//$NETBIOSNAME/xcopy_share', '-U$USERNAME%$PASSWORD', opt, '-k', 'yes'], modname="samba4.smb.spnego.krb5.no_optimistic")
>
> wb_opts_default = ["--option=\"torture:strict mode=no\"", "--option=\"torture:timelimit=1\"", "--option=\"torture:winbindd_separator=/\"", "--option=\"torture:winbindd_netbios_name=$SERVER\"", "--option=\"torture:winbindd_netbios_domain=$DOMAIN\""]
>
>--
>2.21.0
>
>
>From 7e1be4ab8ff1ab8869b79f42828489dfa5450f2b Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Wed, 4 Sep 2019 17:04:12 +0300
>Subject: [PATCH 3/3] spnego: fix server handling of no optimistic exchange
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14106
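Review bot: Both added `plansmbtorture4testsuite` lines in source4/selftest/tests.py run `base.xcopy` with valid `-U$USERNAME%$PASSWORD`, so they only show that authentication still succeeds when no optimistic token is sent. The server-side change in PATCH 3/3 makes the first leg return without calling the sub mechanism, so a companion case that expects rejection of bad credentials under `spnego:client_no_optimistic=yes` would pin down that the skipped leg never ends in an accept. How this harness expresses an expected failure is not visible in the hunk. A short comment that `-k no` and `-k yes` select the NTLMSSP and Kerberos runs would also tie the two lines to their modnames.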
>
>Signed-off-by: Isaac Boukris <iboukris@redhat.com>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Stefan Metzmacher <metze@samba.org>
>
>Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
>Autobuild-Date(master): Sat Oct 12 15:51:42 UTC 2019 on sn-devel-184
>---
> auth/gensec/spnego.c | 13 +++++++++++++
> selftest/knownfail.d/spnego_no_optimistic | 1 -
> 2 files changed, 13 insertions(+), 1 deletion(-)
> delete mode 100644 selftest/knownfail.d/spnego_no_optimistic
>
>diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
>index 6bb5c8b6417..5f78267281d 100644
>--- a/auth/gensec/spnego.c
>+++ b/auth/gensec/spnego.c
>@@ -1300,6 +1300,10 @@ static NTSTATUS gensec_spnego_server_negTokenInit_step(
> spnego_state->mic_requested = true;
> }
>
>+ if (sub_in.length == 0) {
>+ spnego_state->no_optimistic = true;
>+ }
>+
> /*
> * Note that 'cur_sec' is temporary memory, but
> * cur_sec->oid points to a const string in the
>@@ -1934,6 +1938,15 @@ static void gensec_spnego_update_pre(struct tevent_req *req)
> * Skip optimistic token per conf.
> */
> state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
>+ } else if (spnego_state->state_position == SPNEGO_SERVER_START &&
>+ state->sub.in.length == 0 && spnego_state->no_optimistic) {
>+ /*
>+ * If we didn't like the mechanism for which the client sent us
>+ * an optimistic token, or if he didn't send any, don't call
>+ * the sub mechanism just yet.
>+ */
>+ state->sub.status = NT_STATUS_MORE_PROCESSING_REQUIRED;
>+ spnego_state->no_optimistic = false;
> } else {
> /*
> * MORE_PROCESSING_REQUIRED =>
>diff --git a/selftest/knownfail.d/spnego_no_optimistic b/selftest/knownfail.d/spnego_no_optimistic
>deleted file mode 100644
>index 54f51446be0..00000000000
>--- a/selftest/knownfail.d/spnego_no_optimistic
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba4.smb.spnego.*.no_optimistic
>--
>2.21.0
>
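Review bot: In gensec_spnego_server_negTokenInit_step the server sets `spnego_state->no_optimistic` from `sub_in.length == 0`, that is, from what the peer sent, while PATCH 1/3 introduced the same member as a client-side configuration flag read from `spnego:client_no_optimistic`. One member with two meanings, one of them driven by untrusted input, is easy to misread later. Either a separate server-side member or a comment on the struct field would make the split explicit, e.g. `/* client: spnego:client_no_optimistic; server: negTokenInit had no usable mechToken, cleared after one skipped sub-mechanism call */`. Whether `sub_in` is also emptied when the client's preferred mechanism is rejected is decided outside this hunk, so check the wording against that code.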
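Review bot: The SPNEGO_SERVER_START branch added to gensec_spnego_update_pre depends on `spnego_state->no_optimistic = false;` to make the skip one-shot, but the comment does not say so. This path returns MORE_PROCESSING_REQUIRED without running the sub mechanism, so the invariant worth recording is that it is taken at most once per negotiation and never produces NT_STATUS_OK. A line such as `/* One-shot: the next leg must reach the sub mechanism. */` above the reset would capture that. The comment's "or if he didn't send any" could read "or if it didn't send any". The if/else chain begins and ends outside the hunk, so the state transition that follows is not visible here.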