Bug 11870 - Security problem? ads_sasl_spnego_gensec_bind(KRB5) failed
Summary: Security problem? ads_sasl_spnego_gensec_bind(KRB5) failed
Status: RESOLVED DUPLICATE of bug 11849
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.4.2
Hardware: x86 Solaris
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on: 11849
Reported: 2016-04-21 18:31 UTC by Tom Schulz
Modified: 2016-08-02 09:59 UTC

Attachments
debug level 10 (446.92 KB, text/plain)
2016-04-21 18:31 UTC, Tom Schulz
snoop capture log (15.28 KB, application/octet-stream)
2016-04-21 18:37 UTC, Tom Schulz
Possible patch for v4-4 (1.26 KB, text/plain)
2016-04-23 03:20 UTC, Stefan Metzmacher

Description Tom Schulz 2016-04-21 18:31:18 UTC
Created attachment 12013
debug level 10

Testing Samba 4.4.2 as a file server running on Solaris 10 i386
with a Windows Server 2000 computer as the DC.

Upon startup the smb.log contains the following:

[2016/04/15 10:08:09.738117,  0] \
../source3/libads/sasl.c:764(ads_sasl_spnego_bind) kinit succeeded but \
ads_sasl_spnego_gensec_bind(KRB5) failed: Unexpected information received \
[2016/04/15 10:08:09.738732,  0] \
                ../source3/printing/nt_printing.c:187(nt_printing_init)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

These messages do not show up with 4.4.0.
Comment 1 Tom Schulz 2016-04-21 18:37:58 UTC
Created attachment 12014
snoop capture log

snoop log

The IP address of the DC is 192.168.2.178
The IP address of the Samba machine is 192.168.2.150
Comment 2 Stefan Metzmacher 2016-04-23 03:20:32 UTC
Created attachment 12019
Possible patch for v4-4
Comment 3 Tom Schulz 2016-04-25 16:35:09 UTC
The patch fixes the problem for 4.4.2. I expect that the same problem exists in 4.3.8. I will go build that and see.
Comment 4 Tom Schulz 2016-04-25 18:10:01 UTC
As expected, 4.3.8 has the same bug and the patch fixes it. The patch applied with an offset of -3 lines, which I think was also the offset for 4.4.2. I am sure that 4.2.11 will also have the bug, but I am not going to check that one.

As an aside, we are running 4.3.6 in production and I am just trying 4.4.2 and 4.3.8 on a test system. I will probably soon switch to 4.3.8 and switch to 4.4.* later.
Comment 5 Jeremy Allison 2016-04-27 23:07:54 UTC
(In reply to Stefan Metzmacher from comment #2)

Metze, is this patch suitable for master? Looks like the code applies here.
Comment 6 Stefan Metzmacher 2016-04-27 23:37:31 UTC
(In reply to Jeremy Allison from comment #5)

I'll propose the whole patchset, hopefully tomorrow.
The current work in progress can be found at
https://git.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/v4-4-ntlmssp

I just need to finish the regression tests.
Comment 7 Stefan Metzmacher 2016-04-28 03:31:03 UTC
Comment on attachment 12019
Possible patch for v4-4

Please test the patches from bug #11849, thanks!
Comment 8 Tom Schulz 2016-04-28 20:02:55 UTC
The patch from Bug 11849 also fixes this problem for both 4.4.2 and 4.3.8.
Comment 9 Björn Jacke 2016-05-03 15:19:57 UTC

*** This bug has been marked as a duplicate of bug 11849 ***