Bug 13427 - broken server side GENSEC_FEATURE_LDAP_STYLE handling (NTLMSSP NTLM2 packet check failed due to invalid signature!)
broken server side GENSEC_FEATURE_LDAP_STYLE handling (NTLMSSP NTLM2 packet c...
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.8.0
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-05-09 10:40 UTC by Stefan Metzmacher
Modified: 2018-06-05 12:00 UTC (History)
2 users (show)

See Also:


Attachments
Possible patches for master (6.67 KB, patch)
2018-05-09 12:11 UTC, Stefan Metzmacher
no flags Details
patch for 4.8 cherry-picked from master (7.71 KB, patch)
2018-05-16 10:15 UTC, Andrew Bartlett
metze: review+
Details
Patches for v4-7-test (7.66 KB, patch)
2018-05-16 14:06 UTC, Stefan Metzmacher
metze: review? (abartlet)
bbaumbach: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2018-05-09 10:40:12 UTC
The combination of commits
77adac8c3cd2f7419894d18db735782c9646a202
(auth/ntlmssp: always allow NTLMSSP_NEGOTIATE_{SIGN,SEAL} in gensec_ntlmssp_server_start())
and 3a0b835408a6efa339e8b34333906bfe3aacd6e3
(s4:ldap_server: don't use gensec_want_feature(gensec_security, GENSEC_FEATURE_{SIGN,SEAL}) as server) introduced a regression.

As result the GENSEC_FEATURE_LDAP_STYLE feature
(were NTLMSSP_NEGOTIATE_SIGN implicitly means NTLMSSP_NEGOTIATE_SEAL)
doesn't work anymore as server.
Comment 1 Stefan Metzmacher 2018-05-09 12:11:47 UTC
Created attachment 14187 [details]
Possible patches for master
Comment 2 Andrew Bartlett 2018-05-16 10:15:48 UTC
Created attachment 14202 [details]
patch for 4.8 cherry-picked from master
Comment 3 Stefan Metzmacher 2018-05-16 14:06:41 UTC
Created attachment 14203 [details]
Patches for v4-7-test
Comment 4 Karolin Seeger 2018-06-04 06:55:28 UTC
Pushed to autobuild-v4-[7,8]-test.
Comment 5 Karolin Seeger 2018-06-05 12:00:10 UTC
Pushed to both branches.
Closing out bug report.

Thanks!