Attachment 6442 Details for Bug 7893 – patch for 3.5

[patch] patch for 3.5

samba-3.5.8-machineprincipal.patch (text/plain), 6.87 KB, created by Guenther Deschner on 2011-05-11 10:03:55 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Guenther Deschner

Created: 2011-05-11 10:03:55 UTC

Size: 6.87 KB

patch

obsolete

>From cefe4460d112cb0f5d0c3ff75926096e16e34dc6 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Sat, 4 Dec 2010 13:48:37 +1100
>Subject: [PATCH 1/2] s3-libads Default to NOT using the server-supplied
> principal from SPNEGO
>
>This principal is not supplied by later versions of windows, and using
>it opens up some oportunities for man in the middle attacks.  (Becuase
>it isn't the name being contacted that is verified with the KDC).
>
>This adds the option 'client use spnego principal' to the smb.conf (as
>used in Samba4) to control this behaivour.  As in Samba4, this
>defaults to false.
>
>Against 2008 servers, this will not change behaviour.  Against earlier
>servers, it may cause a downgrade to NTLMSSP more often, in
>environments where server names are not registered with the KDC as
>servicePrincipalName values.
>
>Andrew Bartlett
>(cherry picked from commit bb7806283e71f3b8029aae0eed326b5847a36d83)
>---
> source3/include/proto.h     |    1 +
> source3/libads/sasl.c       |    8 +++++---
> source3/libsmb/cliconnect.c |    5 ++---
> source3/param/loadparm.c    |   11 +++++++++++
> 4 files changed, 19 insertions(+), 6 deletions(-)
>
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index 6ff0882..e15a020 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
>@@ -4080,6 +4080,7 @@ bool lp_use_mmap(void);
> bool lp_unix_extensions(void);
> bool lp_use_spnego(void);
> bool lp_client_use_spnego(void);
>+bool lp_client_use_spnego_principal(void);
> bool lp_hostname_lookups(void);
> bool lp_change_notify(const struct share_params *p );
> bool lp_kernel_change_notify(const struct share_params *p );
>diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
>index 421faed..749e8a4 100644
>--- a/source3/libads/sasl.c
>+++ b/source3/libads/sasl.c
>@@ -649,10 +649,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
> 	   the principal name back in the first round of
> 	   the SASL bind reply.  So we guess based on server
> 	   name and realm.  --jerry  */
>-	/* Also try best guess when we get the w2k8 ignore
>-	   principal back - gd */
>+	/* Also try best guess when we get the w2k8 ignore principal
>+	   back, or when we are configured to ignore it - gd,
>+	   abartlet */
> 
>-	if (!given_principal ||
>+	if (!lp_client_use_spnego_principal() ||
>+	    !given_principal ||
> 	    strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
> 
> 		status = ads_guess_service_principal(ads, &p->string);
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index 9d0b1e3..6827b7b 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -1056,10 +1056,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> 			}
> 		}
> 
>-		/* If we get a bad principal, try to guess it if
>-		   we have a valid host NetBIOS name.
>+		/* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
> 		 */
>-		if (strequal(principal, ADS_IGNORE_PRINCIPAL)) {
>+		if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
> 			TALLOC_FREE(principal);
> 		}
> 
>diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
>index 76e2303..1ad067b3 100644
>--- a/source3/param/loadparm.c
>+++ b/source3/param/loadparm.c
>@@ -325,6 +325,7 @@ struct global {
> 	bool bClientNTLMv2Auth;
> 	bool bClientPlaintextAuth;
> 	bool bClientUseSpnego;
>+	bool client_use_spnego_principal;
> 	bool bDebugPrefixTimestamp;
> 	bool bDebugHiresTimestamp;
> 	bool bDebugPid;
>@@ -1395,6 +1396,15 @@ static struct parm_struct parm_table[] = {
> 		.flags		= FLAG_ADVANCED,
> 	},
> 	{
>+		.label		= "client use spnego principal",
>+		.type		= P_BOOL,
>+		.p_class	= P_GLOBAL,
>+		.ptr		= &Globals.client_use_spnego_principal,
>+		.special	= NULL,
>+		.enum_list	= NULL,
>+		.flags		= FLAG_ADVANCED,
>+	},
>+	{
> 		.label		= "username",
> 		.type		= P_STRING,
> 		.p_class	= P_LOCAL,
>@@ -5537,6 +5547,7 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
> FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
> FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
> FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
>+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
> FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
> FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
> FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)
>-- 
>1.7.4.4
>
>
>From 936d27a5e335e2c97da6608066a0b7b2afcfbcc0 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 10 Dec 2010 07:57:59 +1100
>Subject: [PATCH 2/2] s3-libsmb Don't ever ask for machine$ principals as a
> target.
>
>It is never correct to ask for a machine$ principal as the target of a
>kerberos connection.  You should always connect via the
>servicePrincipalName.
>
>This current code appears to have built up from a series of minimal
>changes, as the codebase adapted the to lack of a SPNEGO principal
>from Windows 2008.
>
>Andrew Bartlett
>---
> source3/libsmb/cliconnect.c |   35 ++++++-----------------------------
> 1 files changed, 6 insertions(+), 29 deletions(-)
>
>diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
>index 6827b7b..6316db1 100644
>--- a/source3/libsmb/cliconnect.c
>+++ b/source3/libsmb/cliconnect.c
>@@ -1067,23 +1067,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> 			!strequal(STAR_SMBSERVER,
> 				cli->desthost)) {
> 			char *realm = NULL;
>-			char *machine = NULL;
> 			char *host = NULL;
>-			DEBUG(3,("cli_session_setup_spnego: got a "
>-				"bad server principal, trying to guess ...\n"));
>+			DEBUG(3,("cli_session_setup_spnego: using target "
>+				 "hostname not SPNEGO principal\n"));
> 
> 			host = strchr_m(cli->desthost, '.');
>-			if (host) {
>-				/* We had a '.' in the name. */
>-				machine = SMB_STRNDUP(cli->desthost,
>-					host - cli->desthost);
>-			} else {
>-				machine = SMB_STRDUP(cli->desthost);
>-			}
>-			if (machine == NULL) {
>-				return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
>-			}
>-
> 			if (dest_realm) {
> 				realm = SMB_STRDUP(dest_realm);
> 				strupper_m(realm);
>@@ -1098,21 +1086,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> 			}
> 
> 			if (realm && *realm) {
>-				if (host) {
>-					/* DNS name. */
>-					principal = talloc_asprintf(talloc_tos(),
>-							"cifs/%s@%s",
>-							cli->desthost,
>-							realm);
>-				} else {
>-					/* NetBIOS name, use machine account. */
>-					principal = talloc_asprintf(talloc_tos(),
>-							"%s$@%s",
>-							machine,
>-							realm);
>-				}
>+				principal = talloc_asprintf(talloc_tos(),
>+							    "cifs/%s@%s",
>+							    cli->desthost,
>+							    realm);
> 				if (!principal) {
>-					SAFE_FREE(machine);
> 					SAFE_FREE(realm);
> 					return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
> 				}
>@@ -1120,7 +1098,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
> 					"server principal=%s\n",
> 					principal ? principal : "<null>"));
> 			}
>-			SAFE_FREE(machine);
> 			SAFE_FREE(realm);
> 		}
> 
>-- 
>1.7.4.4
>

Flags:

metze: review+

Actions: View

Attachments on bug 7893: 6442