Created attachment 12001 [details]
Only validate MIC if "map to guest" isn't being used

With the addition of CVE-2016-2110 (commit c0fc6a6d7) extra values (MIC) are validated by samba 4.3.8:

https://git.samba.org/?p=samba.git;a=blob;f=auth/ntlmssp/ntlmssp_server.c;hb=refs/heads/master#l902

On Mac OS X 10.11.4 (older releases not tested) this breaks 'guest ok' access to shares since memcmp() returns non-zero.

However, based off the commit message:

...
This is still disabled if the "map to guest" feature is used.
...

https://git.samba.org/?p=samba.git;a=commit;h=c0fc6a6d7f7a9d709f35c1a7e4812c0a89285977

It appears the MIC check is performed no matter the setting of 'map to guest':

https://git.samba.org/?p=samba.git;a=blob;f=auth/ntlmssp/ntlmssp_server.c;hb=refs/heads/master#l873

If the code follows the commit message shouldn't this be checking !ntlmssp_state->force_old_spnego to see if 'map to guest' is a non-Never value?

Running a patched samba 4.3.8 running on FreeBSD 10.3-RELEASE with Mac OS X 10.11.3 accessing a guest ok share works as expected.

Accessing unpatched 4.3.8 using smbutil(1) from Mac OS X with guest only access:

$ smbutil view -g //host/
smbutil: server connection failed: Invalid argument

log.smbd:
...
[2016/04/17 18:28:54.402217, 5, pid=85059, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:851(ntlmssp_server_postauth)
  server session key is invalid (len == 0), cannot do KEY_EXCH!
[2016/04/17 18:28:54.402267, 1, pid=85059, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:910(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[GUEST] domain=[] workstation=[MBP]
[2016/04/17 18:28:54.402288, 1, pid=85059, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
  [0000] E2 4B 85 2B 31 0B 55 45 B8 A3 CC 3C 29 AB 60 47 .K.+1.UE ...<).`G
[2016/04/17 18:28:54.402327, 1, pid=85059, effective(0, 0), real(0, 0)] ../lib/util/util.c:559(dump_data)
  [0000] 5D A8 7B 1E CF 24 19 CD 42 74 ED 12 30 05 28 F9 ].{..$.. Bt..0.(.
[2016/04/17 18:28:54.402365, 2, pid=85059, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
[2016/04/17 18:28:54.402391, 4, pid=85059, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:217(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
...

With 4.3.8 patched:

$ smbutil view -g //host/
Share Type Comments
-------------------------------
backup Disk

Windows 10 accessing the same guest ok share works with and without the patch.

It's possible that Mac OS X smb implementation is broken and needs updated to support NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE?
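A log triage sketch for the failure reported above, added here as an example and not part of the bug report or of Samba: it pairs each "invalid NTLMSSP_MIC" record in log.smbd with the SPNEGO failure logged by the same pid and counts rejected guest logons per workstation. The sample lines are constructed on the model of the excerpt above, and the function names are hypothetical.

```python
import re
from collections import Counter

# One smbd debug record header: [timestamp, level, pid=N, ...] file:line(function)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+, pid=(?P<pid>\d+)"
    r"[^\]]*\]\s+\S+:\d+\(\w+\)"
)
MIC_FAIL = re.compile(
    r"invalid NTLMSSP_MIC for user=\[(?P<user>[^\]]*)\] "
    r"domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<ws>[^\]]*)\]"
)
SPNEGO_FAIL = "SPNEGO login failed: NT_STATUS_INVALID_PARAMETER"

def records(text):
    """Yield (ts, pid, message); a message runs up to the next record header,
    so both the two-line smbd layout and a flattened paste are handled."""
    heads = list(HEADER.finditer(text))
    for cur, nxt in zip(heads, heads[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        yield cur["ts"], int(cur["pid"]), text[cur.end():end].strip()

def mic_rejections(text):
    """Return MIC failures; 'rejected' is set once the same pid logs the SPNEGO failure."""
    hits, pending = [], {}
    for ts, pid, msg in records(text):
        m = MIC_FAIL.search(msg)
        if m:
            hit = {"ts": ts, "pid": pid, "rejected": False, **m.groupdict()}
            hits.append(hit)
            pending[pid] = hit
        elif SPNEGO_FAIL in msg and pid in pending:
            pending.pop(pid)["rejected"] = True
    return hits

def guest_clients(hits):
    """Count rejected guest logons per workstation."""
    return Counter(h["ws"] for h in hits if h["rejected"] and h["user"].upper() == "GUEST")

# Constructed sample modelled on the log.smbd excerpt (pid 85100, alice, LAB1 are made up).
SAMPLE = """\
[2016/04/17 18:28:54.402267, 1, pid=85059, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:910(ntlmssp_server_postauth)
  ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[GUEST] domain=[] workstation=[MBP]
[2016/04/17 18:28:54.402365, 2, pid=85059, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:708(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_INVALID_PARAMETER
[2016/04/17 18:30:02.100000, 1, pid=85100, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:910(ntlmssp_server_postauth) ntlmssp_server_postauth: invalid NTLMSSP_MIC for user=[alice] domain=[WORKGROUP] workstation=[LAB1]
"""

if __name__ == "__main__":
    print(guest_clients(mic_rejections(SAMPLE)))
```

Run it over log.smbd after an upgrade to see which guest clients the MIC check is turning away; entries with a non-guest user are left out of the count.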
(In reply to Derek Schrock from comment #0)

Can you please provide some network captures?
See https://wiki.samba.org/index.php/Capture_Packets

1. the failing case
2. with the patch applied
3. configure a public share on windows10 see https://bugzilla.samba.org/show_bug.cgi?id=11841#c3 and run the mac client against that, providing an invalid password

Thanks!
Created attachment 12005 [details]
tcpdump capture OS X to unpatch 4.3.8

dump.failing tcpdump of Mac OS X 10.11.4 smb://host/public via Finder's "Connect to Server" connecting to samba 4.3.8 running on FreeBSD 10.3-RELEASE. This is the failing state of samba giving an invalid parameter.

Created attachment 12006 [details]
tcpdump capture OS X to patched 4.3.8

dump.patched tcpdump of Mac OS X 10.11.4 smb://host/public via Finder's "Connect to Server" connecting to patched samba 4.3.8 running on FreeBSD 10.3-RELEASE. guest ok share connects as expected.

Created attachment 12007 [details]
tcpdump capture OS X to Windows 10 public share

dump.windows10 tcpdump of Mac OS X 10.11.4 smb://host/public via Finder's "Connect to Server" connecting to Windows 10 public share.
I was able to recreate/confirm the problem with Samba version 4.3.8-Ubuntu and OS X 10.11.3
Please test the patches from bug #11849, thanks!
Patching net/samba43 on FreeBSD 10.3-RELEASE with the v4-3-test patch from bug #11849 allowed Mac OS X 10.11.4 to access a 'guest ok' share without getting an invalid parameter. Windows 10 accessing the same guest share continued to work as well.
Fixed with 4.4.3, 4.3.9, 4.2.12.