From 1b7ad025bd7ed995f9bf0aea53ed5708ee9ea019 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Nov 2016 15:41:51 +0100 Subject: [PATCH 1/2] s3:libsmb: handle the spnego as a first action in cli_session_setup() This is the will make further restructuring easier. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 Signed-off-by: Stefan Metzmacher Backported-by: Andreas Schneider --- source3/libsmb/cliconnect.c | 62 ++++++++++++++++++++++--------------- 1 file changed, 37 insertions(+), 25 deletions(-) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 8653ba7d085..9f3817a20cd 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1975,6 +1975,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli, { char *p; char *user2; + bool use_spnego = false; + NTSTATUS status; if (user) { user2 = talloc_strdup(talloc_tos(), user); @@ -1998,6 +2000,33 @@ NTSTATUS cli_session_setup(struct cli_state *cli, workgroup = user2; } + + /* now work out what sort of session setup we are going to + do. I have split this into separate functions to make the + flow a bit easier to understand (tridge) */ + + if (cli->protocol < PROTOCOL_NT1) { + use_spnego = false; + } else if (cli->protocol >= PROTOCOL_SMB2) { + use_spnego = true; + } else if (cli->capabilities & CAP_EXTENDED_SECURITY) { + use_spnego = true; + } else { + use_spnego = false; + } + + /* if the server supports extended security then use SPNEGO */ + + if (use_spnego) { + ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, + workgroup, NULL); + if (!ADS_ERR_OK(status)) { + DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); + return ads_ntstatus(status); + } + goto out; + } + if (cli->protocol < PROTOCOL_LANMAN1) { /* * Ensure cli->server_domain, 
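Review bot: The block-scoped `ADS_STATUS status` declared inside `if (use_spnego) {` in the second hunk shadows the function-scope `NTSTATUS status` that the first hunk adds, so one name now carries two different status types inside cli_session_setup(). Before this change the two declarations lived in separate branches and never overlapped. I would rename the inner one, e.g. `ADS_STATUS ads_status = cli_session_setup_spnego(cli, user, pass, workgroup, NULL);`, and use `ads_status` in the `ADS_ERR_OK()`, `ads_errstr()` and `ads_ntstatus()` calls. That keeps `-Wshadow` quiet and stops later restructuring from picking up the wrong variable. The function body starts before and continues after these hunks.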
@@ -2015,10 +2044,6 @@ NTSTATUS cli_session_setup(struct cli_state *cli, return NT_STATUS_OK; } - /* now work out what sort of session setup we are going to - do. I have split this into separate functions to make the - flow a bit easier to understand (tridge) */ - /* if its an older server then we have to use the older request format */ if (cli->protocol < PROTOCOL_NT1) { @@ -2064,28 +2089,15 @@ NTSTATUS cli_session_setup(struct cli_state *cli, return cli_session_setup_plain(cli, user, pass, workgroup); } - /* if the server supports extended security then use SPNEGO */ - - if (cli->capabilities & CAP_EXTENDED_SECURITY) { - ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, - workgroup, NULL); - if (!ADS_ERR_OK(status)) { - DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); - return ads_ntstatus(status); - } - } else { - NTSTATUS status; - - /* otherwise do a NT1 style session setup */ - status = cli_session_setup_nt1(cli, user, pass, passlen, - ntpass, ntpasslen, workgroup); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(3,("cli_session_setup: NT1 session setup " - "failed: %s\n", nt_errstr(status))); - return status; - } + /* otherwise do a NT1 style session setup */ + status = cli_session_setup_nt1(cli, user, pass, passlen, + ntpass, ntpasslen, workgroup); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(3,("cli_session_setup: NT1 session setup " + "failed: %s\n", nt_errstr(status))); + return status; } - +out: if (strstr(cli->server_type, "Samba")) { cli->is_samba = True; } -- 2.31.1 From 622bbe1868118d4ae3c8b058529f512fb2ea0d64 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Nov 2016 15:47:13 +0100 Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 Signed-off-by: Stefan Metzmacher Backported-by: Andreas Schneider --- source3/libsmb/cliconnect.c | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 9f3817a20cd..0df9fc89ca6 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -2027,6 +2027,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, goto out; } + if (cli->use_kerberos && !cli->fallback_after_kerberos) { + DEBUG(1, ("Kerberos authentication requested, but " + "the server does not support SPNEGO authentication\n")); + return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; + } + if (cli->protocol < PROTOCOL_LANMAN1) { /* * Ensure cli->server_domain, -- 2.31.1
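Review bot: The new `cli->use_kerberos && !cli->fallback_after_kerberos` guard has no comment explaining that it only works because it sits after the SPNEGO branch and before the legacy session setups. A later reordering of cli_session_setup() could therefore silently restore the fallback this patch removes. I would add above the `if`: `/* Kerberos is required: never fall through to the non-SPNEGO (LANMAN/plaintext/NT1) session setups below. */`. The guard also does nothing when `fallback_after_kerberos` is set, so a server that does not advertise CAP_EXTENDED_SECURITY still reaches those legacy paths. That looks intentional, but it should be stated in the comment or commit message so callers know which flag combination gives the strict behaviour. The function body continues outside the hunk.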