From 4b3a8e4514305e5d58a3b24ac4a0cc7aa1812ff1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 27 Oct 2016 10:40:28 +0200 Subject: [PATCH] CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] nor plaintext data on the wire if the user asked for kerberos only. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 Signed-off-by: Stefan Metzmacher --- source3/libsmb/cliconnect.c | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8653ba7d085..7e6e3b8a19a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2012,6 +2012,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, cli->server_type == NULL) { return NT_STATUS_NO_MEMORY; } + if (cli->use_kerberos) { + DEBUG(1,("Kerberos authentication requested, but " + "the server does not support SPNEGO " + "authentication\n")); + return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; + } return NT_STATUS_OK; } @@ -2035,6 +2041,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, return NT_STATUS_ACCESS_DENIED; } + if (cli->use_kerberos) { + DEBUG(1,("Kerberos authentication requested, but " + "the server does not support SPNEGO " + "authentication\n")); + return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; + } return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); } @@ -2042,16 +2054,23 @@ NTSTATUS cli_session_setup(struct cli_state *cli, /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ - if (!user || !*user) + if (!user || !*user) { return cli_session_setup_guest(cli); + } /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ - if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) + if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) { + if (cli->use_kerberos) { + DEBUG(1,("Kerberos authentication requested, but " + "the server does not support SPNEGO " + "authentication\n")); + return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; + } return cli_session_setup_plain(cli, user, "", workgroup); - + } /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ @@ -2061,6 +2080,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, " or 'client ntlmv2 auth = yes'\n")); return NT_STATUS_ACCESS_DENIED; } + if (cli->use_kerberos) { + DEBUG(1,("Kerberos authentication requested, but " + "the server does not support SPNEGO " + "authentication\n")); + return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; + } return cli_session_setup_plain(cli, user, pass, workgroup); } -- 2.31.1