From de9282eacc16227d64f7a3ee421fa6c9cf6cfefa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 24 Nov 2016 09:12:59 +0100
Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] data on the wire if the user asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher
---
 source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
index 9f989f21f2c..f2dbcd59b0d 100644
--- a/source4/libcli/smb_composite/sesssetup.c
+++ b/source4/libcli/smb_composite/sesssetup.c
@@ -595,6 +595,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
 struct composite_context *c;
 struct sesssetup_state *state;
 NTSTATUS status;
+ enum credentials_use_kerberos krb5_state =
+ cli_credentials_get_kerberos_state(io->in.credentials);
 c = composite_create(session, session->transport->ev);
 if (c == NULL) return NULL;
@@ -609,6 +611,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
 /* no session setup at all in earliest protocol varients */
 if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) {
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return c;
+ }
 ZERO_STRUCT(io->out);
 composite_done(c);
 return c;
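Review bot: The new initializer calls `cli_credentials_get_kerberos_state(io->in.credentials)` unconditionally at function entry, before `composite_create()` and before any protocol check, so the pre-LANMAN1 shortcut in the next hunk, which did not read the credentials in the visible code, now depends on them. Whether any caller can pass `io->in.credentials == NULL` is not visible from this hunk; if that is possible the getter call needs a guard. Otherwise the precondition is worth stating next to the declaration, for example `/* io->in.credentials must be non-NULL; its kerberos state gates every non-SPNEGO path below */`. The function body continues outside the hunk.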
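Review bot: The refusal added here returns `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT` without logging anything, and the same four-line check is repeated twice more in the `-616` hunk, before `session_setup_old()` and `session_setup_nt1()`. A refused fallback to non-SPNEGO authentication is a security-relevant event that an administrator will want to see when a connection fails, and the s3 half of this series does log it with `DEBUG(1, ...)`. Adding `DEBUG(1, ("Kerberos required, refusing non-SPNEGO session setup\n"));` before each `composite_error()` would keep the two client libraries consistent. The enclosing function starts and ends outside the hunk.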
@@ -616,9 +622,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se
 /* see what session setup interface we will use */
 if (session->transport->negotiate.protocol < PROTOCOL_NT1) {
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return c;
+ }
 status = session_setup_old(c, session, io, &state->req);
 } else if (!session->transport->options.use_spnego ||
 !(io->in.capabilities & CAP_EXTENDED_SECURITY)) {
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return c;
+ }
 status = session_setup_nt1(c, session, io, &state->req);
 } else {
 status = session_setup_spnego(c, session, io, &state->req);
--
2.31.1
From 240f4a0ea03be484db6878355a537f494a98fb0b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 27 Oct 2016 10:40:28 +0200
Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher
---
 source3/libsmb/cliconnect.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 33759d9d87b..b472062b8bb 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -2050,7 +2050,15 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
 }
 if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
- tevent_req_done(req);
+ if (cli->use_kerberos) {
+ DEBUG(1,("Kerberos authentication requested, but "
+ "the server does not support SPNEGO "
+ "authentication\n"));
+ tevent_req_nterror(req,
+ NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ } else {
+ tevent_req_done(req);
+ }
 return tevent_req_post(req, ev);
 }
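Review bot: Nothing in the `-616` hunk records why the remaining `else` branch calling `session_setup_spnego()` is safe when `krb5_state == CRED_MUST_USE_KERBEROS`, although it is now the only path left in that case. SPNEGO can also carry NTLMSSP, so the guarantee that no NTLM data is sent presumably rests on the GENSEC layer honouring the same credentials flag, which is outside this hunk. A comment on that branch, for example `/* CRED_MUST_USE_KERBEROS is enforced inside the SPNEGO/GENSEC exchange */`, would record the dependency once it has been confirmed. The if/else chain continues past the end of the hunk.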
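Review bot: The condition `if (cli->use_kerberos)` may be broader than the "kerberos only" wording of the commit message. In trees where `struct cli_state` also carries `fallback_after_kerberos`, `use_kerberos` on its own means Kerberos was requested, not that fallback is forbidden. Failing closed is the safe direction, but a client configured to try Kerberos and then fall back would now get `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT` from any server without SPNEGO. If that stricter behaviour is intended, a comment such as `/* use_kerberos disables every non-SPNEGO path, even when fallback is allowed */` would make it explicit. The struct definition is outside this diff, so the flag's meaning needs confirming; the same condition is used in the `-2076` and `-2112` hunks.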
@@ -2076,6 +2084,15 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
 return tevent_req_post(req, ev);
 }
+ if (cli->use_kerberos) {
+ DEBUG(1,("Kerberos authentication requested, but "
+ "the server does not support SPNEGO "
+ "authentication\n"));
+ tevent_req_nterror(req,
+ NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return tevent_req_post(req, ev);
+ }
+
 subreq = cli_session_setup_lanman2_send(
 state, ev, cli, user, pass, passlen, workgroup);
 if (tevent_req_nomem(subreq, req)) {
@@ -2112,6 +2129,13 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
 return req;
 }
+ if (cli->use_kerberos) {
+ DEBUG(1,("Kerberos authentication requested, but "
+ "the server does not support SPNEGO "
+ "authentication\n"));
+ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return tevent_req_post(req, ev);
+ }
 /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */
--
2.31.1
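Review bot: The block added after `return req;` in the `-2112` hunk has no comment saying what it guards, and it sits directly against the existing `/* if no user is supplied ... */` comment with no blank line between them. Going by the commit message, everything below this point is a non-SPNEGO session setup (anonymous, plaintext or NTLM), but those branches are outside the hunk, so a reader cannot tell why the check belongs exactly here. A comment such as `/* Only non-SPNEGO session setups remain below; refuse them when Kerberos is required. */` above the `if`, plus a blank line after its closing brace, would make the placement self-explanatory.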