The Samba-Bugzilla – Attachment 16939 Details for Bug 12444
[SECURITY] CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos in Samba client
[patch] backport for 3.6
CVE-2016-2124-3.6.patch (text/plain), 2.89 KB, created by Noel Power on 2021-11-03 16:47:33 UTC
>From 4b3a8e4514305e5d58a3b24ac4a0cc7aa1812ff1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 27 Oct 2016 10:40:28 +0200 >Subject: [PATCH] CVE-2016-2124: s3:libsmb: don't fallback to non spnego > authentication if we require kerberos > >We should not send NTLM[v2] nor plaintext data on the wire if the user >asked for kerberos only. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/libsmb/cliconnect.c | 31 ++++++++++++++++++++++++++++--- > 1 file changed, 28 insertions(+), 3 deletions(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 8653ba7d085..7e6e3b8a19a 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -2012,6 +2012,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > cli->server_type == NULL) { > return NT_STATUS_NO_MEMORY; > } >+ if (cli->use_kerberos) { >+ DEBUG(1,("Kerberos authentication requested, but " >+ "the server does not support SPNEGO " >+ "authentication\n")); >+ return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; >+ } > return NT_STATUS_OK; > } > >@@ -2035,6 +2041,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > return NT_STATUS_ACCESS_DENIED; > } > >+ if (cli->use_kerberos) { >+ DEBUG(1,("Kerberos authentication requested, but " >+ "the server does not support SPNEGO " >+ "authentication\n")); >+ return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; >+ } > return cli_session_setup_lanman2(cli, user, pass, passlen, > workgroup); > } 
>@@ -2042,16 +2054,23 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > /* if no user is supplied then we have to do an anonymous connection. > passwords are ignored */ > >- if (!user || !*user) >+ if (!user || !*user) { > return cli_session_setup_guest(cli); >+ } > > /* if the server is share level then send a plaintext null > password at this point. The password is sent in the tree > connect */ > >- if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) >+ if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) { >+ if (cli->use_kerberos) { >+ DEBUG(1,("Kerberos authentication requested, but " >+ "the server does not support SPNEGO " >+ "authentication\n")); >+ return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; >+ } > return cli_session_setup_plain(cli, user, "", workgroup); >- >+ } > /* if the server doesn't support encryption then we have to use > plaintext. The second password is ignored */ > >@@ -2061,6 +2080,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > " or 'client ntlmv2 auth = yes'\n")); > return NT_STATUS_ACCESS_DENIED; > } >+ if (cli->use_kerberos) { >+ DEBUG(1,("Kerberos authentication requested, but " >+ "the server does not support SPNEGO " >+ "authentication\n")); >+ return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; >+ } > return cli_session_setup_plain(cli, user, pass, workgroup); > } > >-- >2.31.1 >
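Review bot: In the first hunk (@@ -2012), the new `cli->use_kerberos` test sits after the `cli->server_type == NULL` / `NT_STATUS_NO_MEMORY` check, so whatever setup precedes that check has already run on `cli` before the Kerberos requirement is enforced, and an allocation failure is reported ahead of the policy failure. Consider moving the test to the start of this branch so a Kerberos-only caller is rejected before any state is touched. This path previously ended in `return NT_STATUS_OK`, so a one-line comment explaining why it must now fail would help whoever maintains the backport.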
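Review bot: In the second hunk (@@ -2035), the block added before `cli_session_setup_lanman2()` is the same DEBUG plus `return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT` sequence that the patch pastes into four separate places in `cli_session_setup()`. A small static helper, or a single test placed ahead of all the non-SPNEGO branches, would keep the message and status code in one place and make it harder for a later fallback path to be added without the check.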
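Review bot: In the third hunk (@@ -2042), the `if (!user || !*user)` branch only gains braces and still returns `cli_session_setup_guest(cli)` with no `cli->use_kerberos` test, while the share-level branch right below it does get one. If an anonymous session is meant to stay reachable when Kerberos is required, say so in a comment next to the existing "anonymous connection" comment; otherwise add the same check here. Separately, the brace-only changes and the dropped blank line before the "server doesn't support encryption" comment are style edits mixed into a security backport and would be easier to audit as a separate commit.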
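Review bot: In the last hunk (@@ -2061), the `cli->use_kerberos` test comes after the branch that logs the `'client ntlmv2 auth = yes'` hint and returns `NT_STATUS_ACCESS_DENIED`, so a Kerberos-only caller who hits that branch is told to adjust plaintext/NTLMv2 settings and never sees the SPNEGO message. Placing the Kerberos test ahead of that branch would return `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT` consistently and avoid steering the user toward weaker authentication settings.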