Bug 12456 - Using winbindd ccache (-C) with smbclient/libsmbclient breaks anonymous login
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient
Version: 4.5.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2016-11-29 23:25 UTC by crisb
Modified: 2016-12-04 09:00 UTC

Description crisb 2016-11-29 23:25:09 UTC
Since security fixes went in for CVE-2016-2115, libsmbclient has a different behaviour when logging on to an unsecured Windows share using a username and a blank password.

Before, it was accepted; now it returns NT_STATUS_ACCESS_DENIED.

This same behaviour can be seen using smbclient; without ccache it is successful:

[crispin@yossarian bin]$ smbclient -Uadmin% //192.168.0.9/Downloads
OS=[Windows 7 Home Premium 7601 Service Pack 1] Server=[Windows 7 Home Premium 6.1]
smb: \> ^C

With -C, it fails:

[crispin@yossarian bin]$ smbclient -Uadmin% -C //192.168.0.9/Downloads
SPNEGO(ntlmssp) login failed: NT_STATUS_WRONG_CREDENTIAL_HANDLE
Anonymous login successful
Domain=[CRIS-PC] OS=[Windows 7 Home Premium 7601 Service Pack 1] Server=[Windows 7 Home Premium 6.1]
tree connect failed: NT_STATUS_ACCESS_DENIED


We set the use of ccache by default for libsmbclient in libsmb_context.c. In fact there is a bug here, because it's impossible to turn off without modifying code, which doesn't seem to be the intention:

175         smbc_setOptionUseCCache(context, True);
176         smbc_setOptionCaseSensitive(context, False);
177         smbc_setOptionBrowseMaxLmbCount(context, 3);    /* # LMBs to query */
178         smbc_setOptionUrlEncodeReaddirEntries(context, False);
179         smbc_setOptionOneSharePerServer(context, False);
180         if (getenv("LIBSMBCLIENT_NO_CCACHE") == NULL) {
181                 smbc_setOptionUseCCache(context, true);
182         }


Line 175 hard-codes it to true, then line 181 sets it again if the environment variable is not populated. Seems like 175 should be removed.

In any case, of course, setting

smbc_setOptionUseCCache(context, false);

makes logging in with a username and no password to an unsecured share work again on libsmbclient.

Passing admin and no password is how KDE's Dolphin manager logs on anonymously, which has been broken since the security fixes for CVE-2016-2115.
Comment 1 Jeremy Allison 2016-11-30 00:11:49 UTC
Does logging in anonymously work with a blank user and no password? The equivalent of:

smbclient -U% //192.168.0.9/Downloads

Using "admin" to mean anonymous user would seem to be a questionable programming choice..
Comment 2 crisb 2016-11-30 00:17:26 UTC
No, blank user and password fails:

[crispin@yossarian bin]$ smbclient -U% //192.168.0.9/Downloads
Domain=[CRIS-PC] OS=[Windows 7 Home Premium 7601 Service Pack 1] Server=[Windows 7 Home Premium 6.1]
tree connect failed: NT_STATUS_ACCESS_DENIED


Sorry, my bad - it's not using admin, but 'anonymous'.
Comment 3 Jeremy Allison 2016-11-30 01:01:13 UTC
(In reply to crisb from comment #0)
> 175         smbc_setOptionUseCCache(context, True);
> 176         smbc_setOptionCaseSensitive(context, False);
> 177         smbc_setOptionBrowseMaxLmbCount(context, 3);    /* # LMBs to query */
> 178         smbc_setOptionUrlEncodeReaddirEntries(context, False);
> 179         smbc_setOptionOneSharePerServer(context, False);
> 180         if (getenv("LIBSMBCLIENT_NO_CCACHE") == NULL) {
> 181                 smbc_setOptionUseCCache(context, true);
> 182         }
>
> line 175 hard codes to true, then line 181 sets again if the environment 
> variable is not populated.  seems like 175 should be removed.

Actually the correct fix is to change 'true' -> 'false' in line 182. Setting the environment variable LIBSMBCLIENT_NO_CCACHE is requesting to turn it off.
Comment 4 crisb 2016-11-30 05:38:39 UTC
No, because it's saying that if the environment variable to not use CCACHE is *not* set (==NULL), then set the 'use ccache' flag on the context.
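
The initialisation logic debated in the description and in comments 3 and 4, modelled as an added stand-alone example (not Samba source, and not posted by either participant): each function returns the resulting use-ccache setting for a given value of LIBSMBCLIENT_NO_CCACHE. The `model_ctx` struct, the function names and the initial `false` state are assumptions made for the illustration.

```c
/* Added illustration: a stand-alone model, not Samba source code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the one context option under discussion. */
struct model_ctx { bool use_ccache; };

static void set_use_ccache(struct model_ctx *c, bool v) { c->use_ccache = v; }

/* Lines 175-182 as quoted in the description. no_ccache is the value
 * getenv("LIBSMBCLIENT_NO_CCACHE") returned (NULL when unset). */
bool init_as_posted(const char *no_ccache)
{
	struct model_ctx c = { false };   /* assumption: option starts off */
	set_use_ccache(&c, true);         /* line 175 */
	if (no_ccache == NULL)            /* line 180 */
		set_use_ccache(&c, true); /* line 181 */
	return c.use_ccache;
}

/* Description's suggestion: line 175 removed, conditional kept. */
bool init_line175_removed(const char *no_ccache)
{
	struct model_ctx c = { false };
	if (no_ccache == NULL)
		set_use_ccache(&c, true);
	return c.use_ccache;
}

/* Comment 3's suggestion, read here as true -> false in the call on
 * line 181 (assumption: line 182 is only the closing brace). */
bool init_true_to_false(const char *no_ccache)
{
	struct model_ctx c = { false };
	set_use_ccache(&c, true);
	if (no_ccache == NULL)
		set_use_ccache(&c, false);
	return c.use_ccache;
}

int main(void)
{
	const char *env = getenv("LIBSMBCLIENT_NO_CCACHE");
	printf("as posted: %d, 175 removed: %d, true->false: %d\n",
	       init_as_posted(env), init_line175_removed(env),
	       init_true_to_false(env));
	return 0;
}
```

Run it once with LIBSMBCLIENT_NO_CCACHE unset and once with it set to compare the three outcomes.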
Comment 5 Jeremy Allison 2016-11-30 21:00:26 UTC
(In reply to crisb from comment #2)

OK, I need some more info. You're saying that smbclient -U% fails because the server isn't allowing access as guest, but doing smbclient -Uanonymous% works. Does user 'anonymous' exist on the Windows server?
Comment 6 crisb 2016-11-30 22:09:21 UTC
No, there is no anonymous user on the server. Any non-blank username works.
Comment 7 Jeremy Allison 2016-12-01 00:36:06 UTC
What are the security settings on the share? Does this come back with the "guest" bit set (can you get me a Wireshark trace please)?
Comment 8 crisb 2016-12-04 09:00:25 UTC
In Control Panel -> Network and Sharing Center -> Advanced Sharing Settings I've checked 'Turn off password protected sharing'.

Will attempt to get a Wireshark trace.