The Samba-Bugzilla – Attachment 16981 Details for
Bug 12444
[SECURITY] CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos in Samba client
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
backport for 3.6
3.6.CVE-2016-2124.patch (text/plain), 4.54 KB, created by
Noel Power
on 2021-11-09 16:22:50 UTC
(
hide
)
Description:
backport for 3.6
Filename:
MIME Type:
Creator:
Noel Power
Created:
2021-11-09 16:22:50 UTC
Size:
4.54 KB
patch
obsolete
>From 1b7ad025bd7ed995f9bf0aea53ed5708ee9ea019 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 28 Nov 2016 15:41:51 +0100 >Subject: [PATCH 1/2] s3:libsmb: handle the spnego as a first action in > cli_session_setup() > >This is the will make further restructuring easier. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Backported-by: Andreas Schneider <asn@samba.org> >--- > source3/libsmb/cliconnect.c | 62 ++++++++++++++++++++++--------------- > 1 file changed, 37 insertions(+), 25 deletions(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 8653ba7d085..9f3817a20cd 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -1975,6 +1975,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > { > char *p; > char *user2; >+ bool use_spnego = false; >+ NTSTATUS status; > > if (user) { > user2 = talloc_strdup(talloc_tos(), user); >@@ -1998,6 +2000,33 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > workgroup = user2; > } > >+ >+ /* now work out what sort of session setup we are going to >+ do. I have split this into separate functions to make the >+ flow a bit easier to understand (tridge) */ >+ >+ if (cli->protocol < PROTOCOL_NT1) { >+ use_spnego = false; >+ } else if (cli->protocol >= PROTOCOL_SMB2) { >+ use_spnego = true; >+ } else if (cli->capabilities & CAP_EXTENDED_SECURITY) { >+ use_spnego = true; >+ } else { >+ use_spnego = false; >+ } >+ >+ /* if the server supports extended security then use SPNEGO */ >+ >+ if (use_spnego) { >+ ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, >+ workgroup, NULL); >+ if (!ADS_ERR_OK(status)) { >+ DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); >+ return ads_ntstatus(status); >+ } >+ goto out; >+ } >+ > if (cli->protocol < PROTOCOL_LANMAN1) { > /* > * Ensure cli->server_domain, >@@ -2015,10 +2044,6 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > return NT_STATUS_OK; > } > >- /* now work out what sort of session setup we are going to >- do. I have split this into separate functions to make the >- flow a bit easier to understand (tridge) */ >- > /* if its an older server then we have to use the older request format */ > > if (cli->protocol < PROTOCOL_NT1) { >@@ -2064,28 +2089,15 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > return cli_session_setup_plain(cli, user, pass, workgroup); > } > >- /* if the server supports extended security then use SPNEGO */ >- >- if (cli->capabilities & CAP_EXTENDED_SECURITY) { >- ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, >- workgroup, NULL); >- if (!ADS_ERR_OK(status)) { >- DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); >- return ads_ntstatus(status); >- } >- } else { >- NTSTATUS status; >- >- /* otherwise do a NT1 style session setup */ >- status = cli_session_setup_nt1(cli, user, pass, passlen, >- ntpass, ntpasslen, workgroup); >- if (!NT_STATUS_IS_OK(status)) { >- DEBUG(3,("cli_session_setup: NT1 session setup " >- "failed: %s\n", nt_errstr(status))); >- return status; >- } >+ /* otherwise do a NT1 style session setup */ >+ status = cli_session_setup_nt1(cli, user, pass, passlen, >+ ntpass, ntpasslen, workgroup); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(3,("cli_session_setup: NT1 session setup " >+ "failed: %s\n", nt_errstr(status))); >+ return status; > } >- >+out: > if (strstr(cli->server_type, "Samba")) { > cli->is_samba = True; > } >-- >2.31.1 > > >From 622bbe1868118d4ae3c8b058529f512fb2ea0d64 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 28 Nov 2016 15:47:13 +0100 >Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego > authentication if we require kerberos > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Backported-by: Andreas Schneider <asn@samba.org> >--- > source3/libsmb/cliconnect.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 9f3817a20cd..0df9fc89ca6 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -2027,6 +2027,12 @@ NTSTATUS cli_session_setup(struct cli_state *cli, > goto out; > } > >+ if (cli->use_kerberos && !cli->fallback_after_kerberos) { >+ DEBUG(1, ("Kerberos authentication requested, but " >+ "the server does not support SPNEGO authentication\n")); >+ return NT_STATUS_NETWORK_CREDENTIAL_CONFLICT; >+ } >+ > if (cli->protocol < PROTOCOL_LANMAN1) { > /* > * Ensure cli->server_domain, >-- >2.31.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16981">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 12444
:
16890
|
16891
|
16892
|
16893
|
16898
|
16902
|
16935
|
16937
|
16938
|
16939
|
16972
|
16976
| 16981