The Samba-Bugzilla – Bug 11849
CVE-2016-2110/NTLMSSP regression meta bug
Last modified: 2016-09-06 13:29:55 UTC
There seem to be a few regressions regarding the NTLMSSP hardening
has some work in progress patches
Created attachment 12034 [details]
Possible patches for master
Created attachment 12035 [details]
Possible patches for v4-4-test
Created attachment 12036 [details]
Possible patches for v4-3-test
Created attachment 12037 [details]
Possible patches for v4-2-test
The problem reported in Bug 11870 is fixed by these patches.
The output of gpatch included the following while patching both 4.4.2 and 4.3.8:
patching file source3/libads/sasl.c
Hunk #1 succeeded at 319 (offset -9 lines).
Hunk #2 succeeded at 977 (offset -9 lines).
Created attachment 12043 [details]
Patches for v4-4-test
Created attachment 12044 [details]
Patches for v4-3-test
Created attachment 12045 [details]
Patches for v4-2-test
Comment on attachment 12045 [details]
Patches for v4-2-test
*** Bug 11870 has been marked as a duplicate of this bug. ***
Will these patches be back ported to Samba 3 releases? I believe I am seeing similar issues with the 'net' command and our internal NetApps (all OnTap versions).
(In reply to Alexander Sack from comment #12)
No, Samba 3.6.x is out of Samba Team support, sorry. If you need this you'll have to contract with a vendor to request this.
I'm not sure, but I think that the version of the patch that is currently already checked in broke something.
I'm used to do discovery of local devices like that:
smbclient -N -L localhost
Then look for the master of the workgroup (let's say BIGMASTER) and do:
smbclient -N -L BIGMASTER
Then I have the list of devices on the local network.
This broke for me between samba 4.2.11 and 4.2.12.
Now, everything looks fine without new error, but nothing is shown in "Server" or "Workgroup" output lists.
For what it worth, in my case, the "master" as the following specs (and is probably not up to date):
Domain=[WORKGROUP] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
but I had report of the same issue at some other places where it was working before.
After regression testing the different changes, I finally found that it is the following change that broke it for me (reverting would fix):
(The second part, the changes of the 2 blocks starting around line 2095 et 2143)
I did try to debug the issue but without success.
What I noticed was that before, the connexion was setup with: "cli_session_setup_guest_send"
and later the list_server was returning the correct "list of servers".
Now, because of the change, everything goes through "cli_session_setup_spnego_send". First the parent code try to do this with my computer credentials, but logically it fails, then, it tries again with "" "" for login and password, for "anonymous" connection and then it looks like to go to the complete end of the connection code and succeed.
So I can even see the following log: "Anonymous login successful".
Everything goes well, but when the list_server is issued, the request goes well and no error is encountered but the "list of servers" (and workgroups) is empty.
(additional note, it looks like that in cli_session_setup_spnego_send, the code use the "ntlmssp" auth code path)
One final point is that it looks like that everything works well for listing servers when using "smbtree".
(In reply to Florent V from comment #14)
Can you upload captures of the following 3 combinations
all against the exact same server:
- The broken one, where we use cli_session_setup_spnego_send()
- The working one, where we use cli_session_setup_guest_send()
- The unmodified code with smbtree.
Please run each command with -d10 and 2>&1 | tee output
to get the level 10 output. At the same time
to a capture on port 139 and 445, see
Fixed with 4.4.3, 4.3.9, 4.2.12.
(In reply to Stefan Metzmacher from comment #15)
Thank you for your reply.
I will try to provide that to you as soon as possible in the coming days.
(In reply to Florent V from comment #17)
Lets track that as https://bugzilla.samba.org/show_bug.cgi?id=12061
Please notice the patches on