The Samba-Bugzilla – Attachment 6442 Details for Bug 7893: CIFS tickets vs. <host>$ tickets
[patch] patch for 3.5
samba-3.5.8-machineprincipal.patch (text/plain), 6.87 KB, created by Guenther Deschner on 2011-05-11 10:03:55 UTC

Description: patch for 3.5
Filename: samba-3.5.8-machineprincipal.patch
MIME Type: text/plain
Creator: Guenther Deschner
Created: 2011-05-11 10:03:55 UTC
Size: 6.87 KB
patch, obsolete
>From cefe4460d112cb0f5d0c3ff75926096e16e34dc6 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Sat, 4 Dec 2010 13:48:37 +1100 >Subject: [PATCH 1/2] s3-libads Default to NOT using the server-supplied > principal from SPNEGO > >This principal is not supplied by later versions of windows, and using >it opens up some oportunities for man in the middle attacks. (Becuase >it isn't the name being contacted that is verified with the KDC). > >This adds the option 'client use spnego principal' to the smb.conf (as >used in Samba4) to control this behaivour. As in Samba4, this >defaults to false. > >Against 2008 servers, this will not change behaviour. Against earlier >servers, it may cause a downgrade to NTLMSSP more often, in >environments where server names are not registered with the KDC as >servicePrincipalName values. > >Andrew Bartlett >(cherry picked from commit bb7806283e71f3b8029aae0eed326b5847a36d83) >--- > source3/include/proto.h | 1 + > source3/libads/sasl.c | 8 +++++--- > source3/libsmb/cliconnect.c | 5 ++--- > source3/param/loadparm.c | 11 +++++++++++ > 4 files changed, 19 insertions(+), 6 deletions(-) > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 6ff0882..e15a020 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -4080,6 +4080,7 @@ bool lp_use_mmap(void); > bool lp_unix_extensions(void); > bool lp_use_spnego(void); > bool lp_client_use_spnego(void); >+bool lp_client_use_spnego_principal(void); > bool lp_hostname_lookups(void); > bool lp_change_notify(const struct share_params *p ); > bool lp_kernel_change_notify(const struct share_params *p ); >diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c >index 421faed..749e8a4 100644 >--- a/source3/libads/sasl.c >+++ b/source3/libads/sasl.c 
>@@ -649,10 +649,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads, > the principal name back in the first round of > the SASL bind reply. So we guess based on server > name and realm. --jerry */ >- /* Also try best guess when we get the w2k8 ignore >- principal back - gd */ >+ /* Also try best guess when we get the w2k8 ignore principal >+ back, or when we are configured to ignore it - gd, >+ abartlet */ > >- if (!given_principal || >+ if (!lp_client_use_spnego_principal() || >+ !given_principal || > strequal(given_principal, ADS_IGNORE_PRINCIPAL)) { > > status = ads_guess_service_principal(ads, &p->string); >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 9d0b1e3..6827b7b 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -1056,10 +1056,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, > } > } > >- /* If we get a bad principal, try to guess it if >- we have a valid host NetBIOS name. >+ /* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us > */ >- if (strequal(principal, ADS_IGNORE_PRINCIPAL)) { >+ if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) { > TALLOC_FREE(principal); > } > >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 76e2303..1ad067b3 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -325,6 +325,7 @@ struct global { > bool bClientNTLMv2Auth; > bool bClientPlaintextAuth; > bool bClientUseSpnego; >+ bool client_use_spnego_principal; > bool bDebugPrefixTimestamp; > bool bDebugHiresTimestamp; > bool bDebugPid; 
>@@ -1395,6 +1396,15 @@ static struct parm_struct parm_table[] = { > .flags = FLAG_ADVANCED, > }, > { >+ .label = "client use spnego principal", >+ .type = P_BOOL, >+ .p_class = P_GLOBAL, >+ .ptr = &Globals.client_use_spnego_principal, >+ .special = NULL, >+ .enum_list = NULL, >+ .flags = FLAG_ADVANCED, >+ }, >+ { > .label = "username", > .type = P_STRING, > .p_class = P_LOCAL, >@@ -5537,6 +5547,7 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap) > FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions) > FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego) > FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego) >+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal) > FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups) > FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify) > FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify) >-- >1.7.4.4 > > >From 936d27a5e335e2c97da6608066a0b7b2afcfbcc0 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Fri, 10 Dec 2010 07:57:59 +1100 >Subject: [PATCH 2/2] s3-libsmb Don't ever ask for machine$ principals as a > target. > >It is never correct to ask for a machine$ principal as the target of a >kerberos connection. You should always connect via the >servicePrincipalName. > >This current code appears to have built up from a series of minimal >changes, as the codebase adapted the to lack of a SPNEGO principal >from Windows 2008. > >Andrew Bartlett >--- > source3/libsmb/cliconnect.c | 35 ++++++----------------------------- > 1 files changed, 6 insertions(+), 29 deletions(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 6827b7b..6316db1 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c 
>@@ -1067,23 +1067,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, > !strequal(STAR_SMBSERVER, > cli->desthost)) { > char *realm = NULL; >- char *machine = NULL; > char *host = NULL; >- DEBUG(3,("cli_session_setup_spnego: got a " >- "bad server principal, trying to guess ...\n")); >+ DEBUG(3,("cli_session_setup_spnego: using target " >+ "hostname not SPNEGO principal\n")); > > host = strchr_m(cli->desthost, '.'); >- if (host) { >- /* We had a '.' in the name. */ >- machine = SMB_STRNDUP(cli->desthost, >- host - cli->desthost); >- } else { >- machine = SMB_STRDUP(cli->desthost); >- } >- if (machine == NULL) { >- return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); >- } >- > if (dest_realm) { > realm = SMB_STRDUP(dest_realm); > strupper_m(realm); >@@ -1098,21 +1086,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, > } > > if (realm && *realm) { >- if (host) { >- /* DNS name. */ >- principal = talloc_asprintf(talloc_tos(), >- "cifs/%s@%s", >- cli->desthost, >- realm); >- } else { >- /* NetBIOS name, use machine account. */ >- principal = talloc_asprintf(talloc_tos(), >- "%s$@%s", >- machine, >- realm); >- } >+ principal = talloc_asprintf(talloc_tos(), >+ "cifs/%s@%s", >+ cli->desthost, >+ realm); > if (!principal) { >- SAFE_FREE(machine); > SAFE_FREE(realm); > return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); > } >@@ -1120,7 +1098,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, > "server principal=%s\n", > principal ? principal : "<null>")); > } >- SAFE_FREE(machine); > SAFE_FREE(realm); > } > >-- >1.7.4.4 >
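Review bot: in the cliconnect.c hunk of patch 1/2, the new comment is a single line well past 80 columns ("/* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us"); wrap it to match the surrounding block-comment style, e.g. `/* We may not be allowed to use the server-supplied SPNEGO` / ` * principal, or it may not have been supplied to us. */`. The condition itself reads correctly: with `client use spnego principal = no` the server-supplied principal is freed before `strequal()` is ever evaluated, so the client-side guess path is always taken.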
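Review bot: the loadparm.c hunks add the global `client_use_spnego_principal` next to fields that follow this file's `bClientUseSpnego` naming convention, and the commit message promises a default of false, yet no hunk sets the new field explicitly where the other client defaults are initialised; add an explicit `Globals.client_use_spnego_principal = false;` there and consider the `bClientUseSpnegoPrincipal` spelling for consistency. The diffstat (4 files, none under docs) also shows no man page entry for the new `client use spnego principal` smb.conf parameter; it should document the downgrade-to-NTLMSSP side effect against pre-2008 servers that the commit message describes.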
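Review bot: in the first cliconnect.c hunk of patch 2/2, `host` is still declared and assigned from `strchr_m(cli->desthost, '.')`, but its only readers, the `if (host)` blocks, are deleted in this hunk and the next, and no remaining use of `host` is visible in the diff; that leaves a set-but-unused variable that newer compilers warn about. Drop `char *host = NULL;` and the `strchr_m()` call along with `machine`.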
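Review bot: the second cliconnect.c hunk of patch 2/2 now always builds `cifs/%s@%s` from `cli->desthost`, whether that is a DNS name or a NetBIOS short name; that is the intended change, but the deleted comments were the only explanation of the two cases, so add a short comment stating that the target is always the servicePrincipalName of the name being contacted, never `<host>$`. The DEBUG line kept in the third hunk still labels the value as "server principal=%s" although it is now derived on the client from the target hostname; reword it to match the new "using target hostname not SPNEGO principal" message in the first hunk.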
Flags: metze: review+