The Samba-Bugzilla – Attachment 3285 Details for
Bug 5454
cli_session_setup_spnego() has krb/ntlm failures contacting a trusted domain
spnego-SPN-fix-when-contacting-trusted-domains.patch
0002-spnego-SPN-fix-when-contacting-trusted-domains.patch (text/plain), 6.81 KB, created by
Steven Danneman
on 2008-05-09 13:38:39 UTC
Description:
spnego-SPN-fix-when-contacting-trusted-domains.patch
Filename:
MIME Type:
Creator:
Steven Danneman
Created:
2008-05-09 13:38:39 UTC
Size:
6.81 KB
patch
obsolete
>From 9f847c06b0ff6658c0045aece47f5ece69ee7758 Mon Sep 17 00:00:00 2001
>From: Steven Danneman <sdanneman@isilon.com>
>Date: Wed, 7 May 2008 13:34:26 -0700
>Subject: [PATCH] spnego SPN fix when contacting trusted domains
>
>cli_session_setup_spnego() was not taking into consideration the situation
>where we're connecting to a trusted domain, specifically one (like W2K8)
>which doesn't return a SPN in the NegTokenInit.
>
>This caused two problems:
>
>1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we
>were always using our default realm, not the realm of the domain we're
>connecting to.
>
>2) When falling back on NTLMSSP for authentication we were passing the name
>of the domain we're connecting to for use in our credentials when we should be
>passing our own workgroup name.
>
>The fix for both was to split the single "domain" parameter into
>"user_domain" and "dest_realm" parameters. We use the "user_domain"
>parameter to pass into the NTLM call, and we used "dest_realm" to create an SPN
>if none was returned in the NegTokenInit2 packet. If no "dest_realm" is
>provided we assume we're connecting to our own domain and use the credentials
>cache to build the SPN.
>
>Since we have a reasonable guess at the SPN, I removed the check that defaults
>us directly to NTLM when negHint is empty.
>---
> source/libsmb/cliconnect.c | 42 +++++++++++++++++++++-------------------
> source/nsswitch/winbindd_cm.c | 12 ++++++----
> 2 files changed, 29 insertions(+), 25 deletions(-)
>
>diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
>index ce9e7fa..dfc0dfc 100644
>--- a/source/libsmb/cliconnect.c
>+++ b/source/libsmb/cliconnect.c
>@@ -787,12 +787,16 @@ static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *use
>
> /****************************************************************************
> Do a spnego encrypted session setup.
>+
>+ user_domain: The shortname of the domain the user/machine is a member of.
>+ dest_realm: The realm we're connecting to, if NULL we use our default realm.
> ****************************************************************************/
>
> ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
>- const char *pass, const char *domain)
>+ const char *pass, const char *user_domain,
>+ const char * dest_realm)
> {
>- char *principal;
>+ char *principal = NULL;
> char *OIDs[ASN1_MAX_OIDS];
> int i;
> BOOL got_kerberos_mechanism = False;
>@@ -813,8 +817,10 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> /* there is 16 bytes of GUID before the real spnego packet starts */
> blob = data_blob(cli->secblob.data+16, cli->secblob.length-16);
>
>- /* the server sent us the first part of the SPNEGO exchange in the negprot
>- reply */
>+ /* The server sent us the first part of the SPNEGO exchange in the
>+ * negprot reply. It is WRONG to depend on the principal sent in the
>+ * negprot reply, but right now we do it. If we don't receive one,
>+ * we try to best guess, then fall back to NTLM. */
> if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
> data_blob_free(&blob);
> return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
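Review bot: The new parameter is declared `const char * dest_realm` while the parameter beside it on the same signature is `const char *user_domain`; the declarator should sit against the name, `const char *dest_realm)`, to match the rest of the prototype. The header comment could also say what dest_realm is used for besides the kerberos call, since later in this patch it builds the guessed machine SPN when the negprot reply carries no principal, e.g. `dest_realm: The realm we're connecting to; used to build the machine SPN when the server sends no principal. If NULL we use our default realm.` The body of cli_session_setup_spnego continues past the hunk.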
>@@ -833,18 +839,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
>
> DEBUG(3,("got principal=%s\n", principal ? principal : "<null>"));
>
>- if (got_kerberos_mechanism && (principal == NULL)) {
>- /*
>- * It is WRONG to depend on the principal sent in the negprot
>- * reply, but right now we do it. So for safety (don't
>- * segfault later) disable Kerberos when no principal was
>- * sent. -- VL
>- */
>- DEBUG(1, ("Kerberos mech was offered, but no principal was "
>- "sent, disabling Kerberos\n"));
>- cli->use_kerberos = False;
>- }
>-
> fstrcpy(cli->user_name, user);
>
> #ifdef HAVE_KRB5
>@@ -896,7 +890,12 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
> }
>
>- realm = kerberos_get_default_realm_from_ccache();
>+ if (dest_realm) {
>+ realm = SMB_STRDUP(dest_realm);
>+ strupper_m(realm);
>+ } else {
>+ realm = kerberos_get_default_realm_from_ccache();
>+ }
> if (realm && *realm) {
> if (asprintf(&principal, "%s$@%s",
> machine, realm) < 0) {
>@@ -913,7 +912,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> }
>
> if (principal) {
>- rc = cli_session_setup_kerberos(cli, principal, domain);
>+ rc = cli_session_setup_kerberos(cli, principal,
>+ dest_realm);
> if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) {
> SAFE_FREE(principal);
> return rc;
>@@ -926,7 +926,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
>
> ntlmssp:
>
>- return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
>+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass,
>+ user_domain));
> }
>
> /****************************************************************************
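Review bot: Dropping the `cli->use_kerberos = False` block also drops the only DEBUG(1) line that told an operator the server offered Kerberos but sent no principal; after this patch that case is handled silently by the SPN guess further down. A log line in the guess path, e.g. `DEBUG(3, ("no principal sent in negprot reply, guessing SPN\n"));`, would keep the condition visible when a session setup against a trusted domain is being debugged. The code between this hunk and the guess lies outside the hunk, so the exact placement is not visible here.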
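Review bot: `strupper_m(realm)` runs on the result of `SMB_STRDUP(dest_realm)` before the `if (realm && *realm)` check that follows, so if SMB_STRDUP can return NULL (the check right after it suggests the code expects that) the NULL is dereferenced before it is noticed. Guarding the call, `realm = SMB_STRDUP(dest_realm); if (realm) strupper_m(realm);`, keeps a failed duplicate on the same path as an empty ccache realm. The enclosing kerberos block starts before this hunk, so how `realm` is released afterwards is not visible here.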
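Review bot: The third argument to cli_session_setup_kerberos changes from `domain` (the workgroup string) to `dest_realm`, which the cli_session_setup caller later in this same patch passes as NULL; whether cli_session_setup_kerberos tolerates a NULL there is not visible in this diff and is worth confirming before merging. If it does not, the NULL case should be mapped to the default realm here rather than inside the callee.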
>@@ -1009,7 +1010,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
> /* if the server supports extended security then use SPNEGO */
>
> if (cli->capabilities & CAP_EXTENDED_SECURITY) {
>- ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup);
>+ ADS_STATUS status = cli_session_setup_spnego(cli, user, pass,
>+ workgroup, NULL);
> if (!ADS_ERR_OK(status)) {
> DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status)));
> return ads_ntstatus(status);
>diff --git a/source/nsswitch/winbindd_cm.c b/source/nsswitch/winbindd_cm.c
>index 6582554..ad0a1ee 100644
>--- a/source/nsswitch/winbindd_cm.c
>+++ b/source/nsswitch/winbindd_cm.c
>@@ -729,13 +729,14 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
>
> (*cli)->use_kerberos = True;
> DEBUG(5, ("connecting to %s from %s with kerberos principal "
>- "[%s]\n", controller, global_myname(),
>- machine_krb5_principal));
>+ "[%s] and realm [%s]\n", controller, global_myname(),
>+ machine_krb5_principal, domain->alt_name));
>
> ads_status = cli_session_setup_spnego(*cli,
> machine_krb5_principal,
> machine_password,
>- domain->name);
>+ lp_workgroup(),
>+ domain->alt_name);
>
> if (!ADS_ERR_OK(ads_status)) {
> DEBUG(4,("failed kerberos session setup with %s\n",
>@@ -755,12 +756,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
>
> DEBUG(5, ("connecting to %s from %s with username "
> "[%s]\\[%s]\n", controller, global_myname(),
>- domain->name, machine_account));
>+ lp_workgroup(), machine_account));
>
> ads_status = cli_session_setup_spnego(*cli,
> machine_account,
> machine_password,
>- domain->name);
>+ lp_workgroup(),
>+ NULL);
> if (!ADS_ERR_OK(ads_status)) {
> DEBUG(4, ("authenticated session setup failed with %s\n",
> ads_errstr(ads_status)));
>--
>1.5.2.5
>
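Review bot: The new DEBUG(5) in cm_prepare_connection prints `domain->alt_name` through `%s`; the same value is passed on as dest_realm, which the new header comment in cliconnect.c explicitly allows to be NULL, so for a trusted domain without an alt_name this hands NULL to a `%s` conversion, which is undefined behaviour in C even where the libc happens to print "(null)". The cliconnect.c side of this patch already guards a possibly-NULL string with `principal ? principal : "<null>"`; `domain->alt_name ? domain->alt_name : "<null>"` would do the same here. Whether alt_name can actually be NULL on this kerberos path is not visible in the diff, so it is worth confirming. cm_prepare_connection starts and ends outside the hunk.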