From ddeb6488cf5c4f3a7ac5dbe3cc3099052e89a138 Mon Sep 17 00:00:00 2001
From: David Disseldorp
Date: Tue, 12 Feb 2013 11:58:06 +0100
Subject: [PATCH] smbd: fix initial large PAC sess setup response

An oversize Kerberos security token may be split across multiple Session Setup AndX requests when authenticating as a user who is a member of many (~2000) groups. In such a case the NativeOS, NativeLanMan & PrimaryDomain fields must be sent with the NT_STATUS_MORE_PROCESSING_REQUIRED response. Otherwise Windows clients may resend the same security token data in subsequent session setup andX requests, as observed with Windows 7 and Server 2012. This change fixes the SMB1 server only.
---
 source3/smbd/sesssetup.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 4f09db9..75c2a15 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -905,6 +905,13 @@ static NTSTATUS check_spnego_blob_complete(struct smbd_server_connection *sconn,
 (unsigned int)copy_len, (unsigned int)pblob->length ));
+ if (pblob->length > pad->needed_len) {
+ DEBUG(2, ("subsequent security token data length %u "
+ "exceeds expected length %u\n",
+ (unsigned int)pblob->length,
+ (unsigned int)pad->needed_len));
+ }
+
 tmp_blob = data_blob(NULL, pad->partial_data.length + copy_len);
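Review bot: The new length check only logs and then falls through to the data_blob() call on the following context line, which is sized from copy_len rather than pblob->length, so whether the surplus bytes are discarded or copied depends on how copy_len is derived above the hunk (outside SOURCE). If copy_len is already clamped to what pad->needed_len still requires, a comment such as `/* surplus token data is logged and ignored; copy_len is bounded by needed_len */` would make the log-only branch read as intentional rather than as a missing error return; if it is not clamped, the branch should fail the request instead of continuing. Note that pblob->length is client-controlled, so this DEBUG(2) message fires on every oversized resend from an affected client, which is likely acceptable at that level but worth confirming against the project's log-noise expectations. check_spnego_blob_complete's body starts before and continues after the hunk.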
@@ -1165,13 +1172,18 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 status = check_spnego_blob_complete(sconn, smbpid, vuid, &blob1);
 if (!NT_STATUS_IS_OK(status)) {
+ /*
+ * Pack error response, ensuring to fill NativeOS, NativeLanMan
+ * & PrimaryDomain fields on NT_STATUS_MORE_PROCESSING_REQUIRED
+ */
+ reply_outbuf(req, 4, 0);
+ reply_sesssetup_blob(req, data_blob_null, status);
 if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 /* Real error - kill the intermediate vuid */
 invalidate_vuid(sconn, vuid);
 }
 data_blob_free(&blob1);
- reply_nterror(req, nt_status_squash(status));
 return;
 }
-- 
1.7.10.4
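Review bot: The removed line squashed the status with nt_status_squash() before it reached the wire, while the added `reply_sesssetup_blob(req, data_blob_null, status);` passes the raw status; unless reply_sesssetup_blob applies nt_status_squash() itself (its body is outside the hunk), a real error from check_spnego_blob_complete would now be returned to the client unsquashed. If the squash does happen inside the callee, a one-line comment here such as `/* reply_sesssetup_blob squashes the status before sending */` would save the next reader the lookup; otherwise pass `nt_status_squash(status)` at the call site so the error path keeps its previous behaviour. The preceding `reply_outbuf(req, 4, 0);` would also benefit from a word on why the caller allocates the 4-word response buffer before calling reply_sesssetup_blob. reply_sesssetup_and_X_spnego's body starts before and continues after the hunk.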