[SCM] Samba Shared Repository - branch v3-6-test updated

Andrew Bartlett abartlet at samba.org
Mon Dec 13 22:57:15 MST 2010


The branch, v3-6-test has been updated
       via  56b67fd s3-libsmb Improve error message when denying LM encryption
       via  98edb35 s3-dns Don't use DELEG_FLAG in DNS update, Windows 2008R2 does not like it (cherry picked from commit 280caa6b3bb1199939f9349ea5a436a491c81791)
       via  be08832 s3-dns Don't use SEQUENCE_FLAG in DNS update, Windows 2008R2 does not like it
       via  10c5a59 s3-net Allow 'net ads dns register' to take an optional hostname argument
       via  c4346f5 s3-winbind Improve memory handling in NTLMv2-backend plaintext authentication
       via  cd37c4c s3-winbind Don't send the LM password to the server, ever
       via  ce2651d s3-libsmb Don't ever ask for machine$ principals as a target.
       via  9c3b5d4 s3-docs Add docs for 'client use spnego principal' and 'send spnego principal'
       via  8e48271 s3-docs Explain change to NTLMv2 by default in the client (cherry picked from commit d69b4f13f7edda8d8457315936051cc9d3fb103f)
       via  620e41c s3-client Use NTLMv2 by default in the Samba client
       via  807c42f s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default
       via  27ac2e2 s3-libads Default to NOT using the server-supplied principal from SPNEGO
       via  ff413c5 s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
       via  54fb657 s4-tests Workaround new default of 'client ntlmv2 auth = yes' in tests
       via  a93dc43 s4-client Use NTLMv2 by default in the Samba4 client. (cherry picked from commit 54ee213fa5da6b138ab367b537c5e084edf35ff2)
       via  ad5dec4 s4-spnego use "not_defined_in_RFC4178 at please_ignore" if no principal specified
       via  1d44686 libcli/auth bring ADS_IGNORE_PRINCIPAL in common (cherry picked from commit a21cb5a0a11c63f7746a483dca845c12dcfdf1b2)
      from  274fc73 Ensure we use vfs_fsp_stat(), not VFS_STAT directly, and store into fsp->fsp_name->st instead of a SMB_STRUCT_STAT on the stack.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 56b67fd48a3bf3dba20a07af32505c30208887c4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Dec 13 12:40:25 2010 +1100

    s3-libsmb Improve error message when denying LM encryption
    
    Now that 'client ntlmv2 auth = yes' is the default, make it more clear
    what options a user may need to enable to get this to work.
    
    Andrew Bartlett
    (cherry picked from commit d97492e42a65540febae93dd0255b91d034f9def)

commit 98edb35d73bd1b9be05e0d53ed81f79137e3f4ad
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 15:32:08 2010 +1100

    s3-dns Don't use DELEG_FLAG in DNS update, Windows 2008R2 does not like it
    (cherry picked from commit 280caa6b3bb1199939f9349ea5a436a491c81791)

commit be088324479bd852a7561ba2eaa5c0489398b061
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 15:30:22 2010 +1100

    s3-dns Don't use SEQUENCE_FLAG in DNS update, Windows 2008R2 does not like it
    
    Andrew Bartlett
    (cherry picked from commit 0f1cc889a26477e9a98629f120fe5890b2e106fa)

commit 10c5a59315ef69eeb4d8bc19237de9787284a63d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 15:08:53 2010 +1100

    s3-net Allow 'net ads dns register' to take an optional hostname argument
    
    This allows the administrator to more carefully choose what name to register.
    
    Andrew Bartlett
    (cherry picked from commit c2a1ad9047508cf2745a9019e6783c8b8f7ef475)

commit c4346f50b706c3fbe0f909ce2371fdca0f1f7230
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 12:12:23 2010 +1100

    s3-winbind Improve memory handling in NTLMv2-backend plaintext authentication
    
    Andrew Bartlett
    (cherry picked from commit 6195dfc0eb310a2362cb949a000979514a52c648)

commit cd37c4c42f0896b2cfe9588b4491c542991c0dc9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 12:10:07 2010 +1100

    s3-winbind Don't send the LM password to the server, ever
    
    This is for the case where we have the plaintext password locally, and
    can construct the challenge-response values here.
    
    We should never ever use the LM password in domain authentication.
    The last domain controller to only have LM passwords stored was NT
    3.5.
    
    Andrew Bartlett
    (cherry picked from commit 5cfe949108f253a8e20c835cb53fe6f5eae7fbb5)

commit ce2651ddfc9de0d4fcfd169cdb4437194707b4a6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 07:57:59 2010 +1100

    s3-libsmb Don't ever ask for machine$ principals as a target.
    
    It is never correct to ask for a machine$ principal as the target of a
    kerberos connection.  You should always connect via the
    servicePrincipalName.
    
    This current code appears to have built up from a series of minimal
    changes, as the codebase adapted to the lack of a SPNEGO principal
    from Windows 2008.
    
    Andrew Bartlett
    (cherry picked from commit f13404e27b00f826a11684e69cff82ae0023fc91)

commit 9c3b5d4d286e5850091d843551a936b88f677c58
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 9 17:37:14 2010 +1100

    s3-docs Add docs for 'client use spnego principal' and 'send spnego principal'
    
    Andrew Bartlett
    (cherry picked from commit 45d784e929b37edddea4c472d288a46b37aa7415)

commit 8e4827163b68d048b61154bc938b4150f0415542
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 9 16:47:08 2010 +1100

    s3-docs Explain change to NTLMv2 by default in the client
    (cherry picked from commit d69b4f13f7edda8d8457315936051cc9d3fb103f)

commit 620e41c69a939d822e1a6908a2946b53ccaf918c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 14:57:46 2010 +1100

    s3-client Use NTLMv2 by default in the Samba client
    
    This matches the improved security measures of Windows Vista.
    
    Andrew Bartlett
    (cherry picked from commit 635fbf2b5498df5698e240728add95f8ff8cda0f)
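
Worked example, added here and not part of this patch or of Samba's code: the NTLMv2 derivation that this commit's new default (`client ntlmv2 auth = yes`) and the winbind change above ("Don't send the LM password to the server, ever") rely on, written in Python and checked against the inputs of MS-NLMP section 4.2.4. The MD4 routine, the AV_PAIR order in `names_blob()` and all function names are this example's own; Samba's `SMBNTLMv2encrypt()` and `NTLMv2_generate_names_blob()` are only referred to by name, and the sample user, domain, password and challenges are constructed test data.

```python
"""NTLMv2 challenge-response derivation (MS-NLMP 3.3.2), added example.

Shows what 'client ntlmv2 auth = yes' makes a client send: an HMAC-MD5 proof
keyed on NTOWFv2 (NT hash mixed with user and domain) over the server
challenge, a client challenge and the target-info 'names blob'. The LM hash
is never used, which is why the winbind change can send an empty LM field.
"""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rol(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rol((a + fn(b, c, d) + x[idx] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c            # rotate registers for the next step
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password (what a DC stores)."""
    return md4(_u16(password))


def ntowf_v2(password: str, user: str, domain: str) -> bytes:
    """ResponseKeyNT: HMAC-MD5(NT hash, UPPER(user) || domain); domain case kept."""
    return _hmac_md5(nt_hash(password), _u16(user.upper() + domain))


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the target info (MS-NLMP 2.2.2.1)."""
    v = _u16(value)
    return struct.pack("<HH", av_id, len(v)) + v


def names_blob(server: str, domain: str) -> bytes:
    """Target info: NetBIOS domain (id 2), NetBIOS computer (id 1), MsvAvEOL.
    Order follows the MS-NLMP test vector; Samba's own names blob may order
    the pairs differently (assumption, not checked against the patch)."""
    return av_pair(2, domain) + av_pair(1, server) + struct.pack("<HH", 0, 0)


def ntlmv2_responses(password, user, domain, server_chal, client_chal, timestamp, target_info):
    """Return (NTProofStr, NtChallengeResponse, LmChallengeResponse, SessionBaseKey)."""
    key = ntowf_v2(password, user, domain)
    # temp = RespType(1) HiRespType(1) Z(6) Time(8) ClientChallenge(8) Z(4) TargetInfo Z(4)
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_chal + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = _hmac_md5(key, server_chal + temp)
    lm_resp = _hmac_md5(key, server_chal + client_chal) + client_chal
    session_base_key = _hmac_md5(key, nt_proof)
    return nt_proof, nt_proof + temp, lm_resp, session_base_key


def ms_nlmp_vector():
    """Constructed inputs from MS-NLMP 4.2.4: User/Domain/Password, server
    'Server', time 0, fixed server and client challenges."""
    return ntlmv2_responses("Password", "User", "Domain",
                            bytes.fromhex("0123456789abcdef"), b"\xaa" * 8, 0,
                            names_blob("Server", "Domain"))


if __name__ == "__main__":
    proof, nt_resp, lm_resp, sbk = ms_nlmp_vector()
    print("NTOWFv2       ", ntowf_v2("Password", "User", "Domain").hex())
    print("NTProofStr    ", proof.hex())
    print("LMv2 response ", lm_resp.hex())
    print("SessionBaseKey", sbk.hex())
```

Both responses are keyed HMACs over a server challenge, a client challenge and the target info, so a server that collects them gets nothing it can replay elsewhere; an LM or NTLMv1 response is plain DES over the server challenge, and the LM one is built from an uppercased, 14-character-limited password, which is what the winbind commit above refuses to send.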

commit 807c42ff71ec20c8ccb535c42f9d92a6bbdb4a8e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 14:11:57 2010 +1100

    s3-smbd Don't send SPNEGO principal (rfc4178 hint) by default
    
    This patch, based on the suggestion by Goldberg, Neil R. <ngoldber at mitre.org>
    turns off the sending of the principal in the negprot by default, matching
    Windows 2008 behaviour.
    
    This slowly works us back from this hack, which from an RFC
    perspective was never the right thing to do in the first place, but we
    traditionally follow windows behaviour.  It also discourages client
    implementations from relying on it, as if they do they are more open to
    man-in-the-middle attacks.
    
    Andrew Bartlett
    (cherry picked from commit b3c2df5e0d0ba1c17c3248bf9d238de3c54613ef)

commit 27ac2e277dde057e9af40f3c4500ae068f601b79
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 13:48:37 2010 +1100

    s3-libads Default to NOT using the server-supplied principal from SPNEGO
    
    This principal is not supplied by later versions of windows, and using
    it opens up some opportunities for man in the middle attacks.  (Because
    it isn't the name being contacted that is verified with the KDC).
    
    This adds the option 'client use spnego principal' to the smb.conf (as
    used in Samba4) to control this behaviour.  As in Samba4, this
    defaults to false.
    
    Against 2008 servers, this will not change behaviour.  Against earlier
    servers, it may cause a downgrade to NTLMSSP more often, in
    environments where server names are not registered with the KDC as
    servicePrincipalName values.
    
    Andrew Bartlett
    (cherry picked from commit bb7806283e71f3b8029aae0eed326b5847a36d83)

commit ff413c5269bc4c97d5e0dfe9f213ff6ccb36411d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Dec 9 17:51:36 2010 +1100

    s4-spnego Match Windows 2008, and no longer supply a name in the CIFS Negprot
    
    Andrew Bartlett
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Thu Dec  9 08:50:28 CET 2010 on sn-devel-104
    (cherry picked from commit 154b431093db68b30c429316eb660f776958a56f)

commit 54fb657d61e4015054f44b7f9859ea850cddba8e
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 17:02:49 2010 +1100

    s4-tests Workaround new default of 'client ntlmv2 auth = yes' in tests
    
    The new default breaks some tests that were assuming LM or NTLM auth
    
    Andrew Bartlett
    (cherry picked from commit 22d67758efd20e62d6050fd10c8b922db75747c9)

commit a93dc43407c73a984f3d8ab47d80ccd3584e4514
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 14:59:29 2010 +1100

    s4-client Use NTLMv2 by default in the Samba4 client.
    (cherry picked from commit 54ee213fa5da6b138ab367b537c5e084edf35ff2)

commit ad5dec43b638e85a67fe8c7e096b333f5f3d5d1a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 8 18:52:33 2010 +1100

    s4-spnego use "not_defined_in_RFC4178 at please_ignore" if no principal specified
    
    We need to make this the default, but for now just send it if we have
    not been given a target principal.
    
    Andrew Bartlett
    (cherry picked from commit 94f4929e04ce4357e3c74b6a14a4b8fccde30fda)

commit 1d4468617d0a7929166c32d6cbe57684cd66880b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 15:23:44 2010 +1100

    libcli/auth bring ADS_IGNORE_PRINCIPAL in common
    (cherry picked from commit a21cb5a0a11c63f7746a483dca845c12dcfdf1b2)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/security/clientntlmv2auth.xml  |   13 ++--
 .../security/clientusepsnegoprincipal.xml          |   28 +++++++++
 .../smbdotconf/security/sendspengoprincipal.xml    |   28 +++++++++
 libcli/auth/spnego.h                               |    2 +
 source3/include/proto.h                            |    2 +
 source3/include/smb_krb5.h                         |    2 -
 source3/libaddns/dnsgss.c                          |    4 +-
 source3/libads/sasl.c                              |    8 ++-
 source3/libsmb/cliconnect.c                        |   59 ++++++--------------
 source3/param/loadparm.c                           |   26 ++++++++-
 source3/smbd/negprot.c                             |    3 +
 source3/utils/net_ads.c                            |   16 +++--
 source3/winbindd/winbindd_pam.c                    |   35 ++---------
 source4/auth/gensec/spnego.c                       |   12 +---
 source4/client/tests/test_smbclient.sh             |    4 +-
 source4/param/loadparm.c                           |    1 +
 source4/torture/rpc/netlogon.c                     |    2 +-
 17 files changed, 142 insertions(+), 103 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
 create mode 100644 docs-xml/smbdotconf/security/sendspengoprincipal.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/clientntlmv2auth.xml b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
index 9f0627a..b151df2 100644
--- a/docs-xml/smbdotconf/security/clientntlmv2auth.xml
+++ b/docs-xml/smbdotconf/security/clientntlmv2auth.xml
@@ -10,9 +10,9 @@
     response.</para>
 
     <para>If enabled, only an NTLMv2 and LMv2 response (both much more
-    secure than earlier versions) will be sent.  Many servers
+    secure than earlier versions) will be sent.  Older servers
     (including NT4 &lt; SP4, Win9x and Samba 2.2) are not compatible with
-    NTLMv2.  </para>
+    NTLMv2 when not in an NTLMv2 supporting domain</para>
 
     <para>Similarly, if enabled, NTLMv1, <command
     moreinfo="none">client lanman auth</command> and <command
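Review bot: the rewritten sentence on the `+    NTLMv2 when not in an NTLMv2 supporting domain</para>` line drops the full stop the old text had; make it `NTLMv2 when not in an NTLMv2-supporting domain.</para>`.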
@@ -24,9 +24,10 @@
     will be sent by the client, depending on the value of <command
     moreinfo="none">client lanman auth</command>.  </para>
 
-    <para>Note that some sites (particularly
-    those following 'best practice' security polices) only allow NTLMv2
-	responses, and not the weaker LM or NTLM.</para>
+    <para>Note that Windows Vista and later versions already use
+    NTLMv2 by default, and some sites (particularly those following
+    'best practice' security polices) only allow NTLMv2 responses, and
+    not the weaker LM or NTLM.</para>
 </description>
-<value type="default">no</value>
+<value type="default">yes</value>
 </samba:parameter>
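Review bot: the new paragraph carries the old typo `security polices` forward; since these lines are being rewritten anyway, correct it to `security policies`. Flipping `<value type="default">` from `no` to `yes` changes what every Samba client sends on the wire, so it should also be called out in the release notes, not only in this parameter page.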
diff --git a/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
new file mode 100644
index 0000000..6ec1eb1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/clientusepsnegoprincipal.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="client use spnego principal"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not
+    <citerefentry><refentrytitle>smbclient</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and other samba components
+    acting as a client will attempt to use the server-supplied
+    principal sometimes given in the SPNEGO exchange.</para>
+
+    <para>If enabled, Samba can attempt to use Kerberos to contact
+    servers known only by IP address.  Kerberos relies on names, so
+    ordinarily cannot function in this situation. </para>
+
+    <para>If disabled, Samba will use the name used to look up the
+    server when asking the KDC for a ticket.  This avoids situations
+    where a server may impersonate another, soliciting authentication
+    as one principal while being known on the network as another.
+    </para>
+
+    <para>Note that Windows XP SP2 and later versions already follow
+    this behaviour, and Windows Vista and later servers no longer
+    supply this 'rfc4178 hint' principal on the server side.</para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
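Review bot: the file is named `clientusepsnegoprincipal.xml` but defines `client use spnego principal`; the docs tree names files after the parameter, so this should be `clientusespnegoprincipal.xml`. The `type="boolean"` attribute line is also tab-indented while the neighbouring attribute lines use spaces.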
diff --git a/docs-xml/smbdotconf/security/sendspengoprincipal.xml b/docs-xml/smbdotconf/security/sendspengoprincipal.xml
new file mode 100644
index 0000000..03794de
--- /dev/null
+++ b/docs-xml/smbdotconf/security/sendspengoprincipal.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="send spnego principal"
+                 context="G"
+				 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines whether or not
+    <citerefentry><refentrytitle>smbd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> will send the
+    server-supplied principal sometimes given in the SPNEGO
+    exchange.</para>
+
+    <para>If enabled, Samba can attempt to help clients to use
+    Kerberos to contact it, even when known only by IP address or a
+    name not registered with our KDC as a service principal name.
+    Kerberos relies on names, so ordinarily cannot function in this
+    situation. </para>
+
+    <para>If disabled, Samba will send the string
+    not_defined_in_RFC4178 at please_ignore as the 'rfc4178 hint',
+    following the updated RFC and Windows 2008 behaviour in this area.
+    </para>
+
+    <para>Note that Windows XP SP2 and later versions already ignored
+    this value in all circumstances. </para>
+</description>
+<value type="default">no</value>
+</samba:parameter>
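Review bot: same naming problem as the other new file: `sendspengoprincipal.xml` for the parameter `send spnego principal` (the typo also made it into the commit subject). The "If disabled" paragraph would be clearer if it said that the Kerberos OID is still offered and only the hint becomes the `not_defined_in_RFC4178 at please_ignore` placeholder, so clients that build the target name from the host they contacted keep using Kerberos and only clients that depended on the hint fall back to NTLMSSP.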
diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
index 6aed765..9a93f2e 100644
--- a/libcli/auth/spnego.h
+++ b/libcli/auth/spnego.h
@@ -25,6 +25,8 @@
 #define OID_KERBEROS5_OLD "1.2.840.48018.1.2.2"
 #define OID_KERBEROS5 "1.2.840.113554.1.2.2"
 
+#define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178 at please_ignore"
+
 #define SPNEGO_DELEG_FLAG    0x01
 #define SPNEGO_MUTUAL_FLAG   0x02
 #define SPNEGO_REPLAY_FLAG   0x04
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 402dc3f..084d97f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3306,6 +3306,8 @@ bool lp_use_mmap(void);
 bool lp_unix_extensions(void);
 bool lp_use_spnego(void);
 bool lp_client_use_spnego(void);
+bool lp_client_use_spnego_principal(void);
+bool lp_send_spnego_principal(void);
 bool lp_hostname_lookups(void);
 bool lp_change_notify(const struct share_params *p );
 bool lp_kernel_change_notify(const struct share_params *p );
diff --git a/source3/include/smb_krb5.h b/source3/include/smb_krb5.h
index 0a6ba79..64c5136 100644
--- a/source3/include/smb_krb5.h
+++ b/source3/include/smb_krb5.h
@@ -4,8 +4,6 @@
 #define KRB5_PRIVATE    1       /* this file uses PRIVATE interfaces! */
 /* this file uses DEPRECATED interfaces! */
 
-#define ADS_IGNORE_PRINCIPAL "not_defined_in_RFC4178 at please_ignore"
-
 #if defined(HAVE_KRB5_DEPRECATED_WITH_IDENTIFIER)
 #define KRB5_DEPRECATED 1
 #else
diff --git a/source3/libaddns/dnsgss.c b/source3/libaddns/dnsgss.c
index 1e3d464..c903741 100644
--- a/source3/libaddns/dnsgss.c
+++ b/source3/libaddns/dnsgss.c
@@ -101,8 +101,8 @@ static DNS_ERROR dns_negotiate_gss_ctx_int( TALLOC_CTX *mem_ctx,
 		major = gss_init_sec_context(
 			&minor, NULL, ctx, target_name, &krb5_oid_desc,
 			GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
-			GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
-			GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG,
+			GSS_C_CONF_FLAG |
+			GSS_C_INTEG_FLAG,
 			0, NULL, input_ptr, NULL, &output_desc,
 			&ret_flags, NULL );
 
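Review bot: dropping `GSS_C_DELEG_FLAG` is right on security grounds as well as for 2008R2 compatibility: with it set the client hands a forwardable TGT to the DNS server on every update. The call still passes `&ret_flags`, but nothing in this hunk checks that `GSS_C_MUTUAL_FLAG` and `GSS_C_INTEG_FLAG` were actually granted before the context is used to sign the TKEY/TSIG update; if the caller does not verify `ret_flags` elsewhere, add that check here.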
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 653d546..2ba3474 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -664,10 +664,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
 	   the principal name back in the first round of
 	   the SASL bind reply.  So we guess based on server
 	   name and realm.  --jerry  */
-	/* Also try best guess when we get the w2k8 ignore
-	   principal back - gd */
+	/* Also try best guess when we get the w2k8 ignore principal
+	   back, or when we are configured to ignore it - gd,
+	   abartlet */
 
-	if (!given_principal ||
+	if (!lp_client_use_spnego_principal() ||
+	    !given_principal ||
 	    strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
 		status = ads_guess_service_principal(ads, &p->string);
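Review bot: the new condition discards the server-supplied name whenever `lp_client_use_spnego_principal()` is false, which is the secure default, but `given_principal` is still parsed from the bind reply and silently thrown away. A DEBUG line when a hint is received and ignored would make the NTLMSSP downgrade the commit message warns about diagnosable from the logs.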
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1e11e15..ec9ff58 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1279,10 +1279,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			}
 		}
 
-		/* If we get a bad principal, try to guess it if
-		   we have a valid host NetBIOS name.
+		/* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
 		 */
-		if (strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+		if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
 			TALLOC_FREE(principal);
 		}
 
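Review bot: the rewritten comment is a single line well over 80 columns; wrap it to match the surrounding code. The `TALLOC_FREE(principal)` path now also runs when the option is off and the server sent a usable name, which is intended, but it deserves a DEBUG message so the resulting change of target principal is visible.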
@@ -1291,24 +1290,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			!strequal(STAR_SMBSERVER,
 				cli->desthost)) {
 			char *realm = NULL;
-			char *machine = NULL;
 			char *host = NULL;
-			DEBUG(3,("cli_session_setup_spnego: got a "
-				"bad server principal, trying to guess ...\n"));
+			DEBUG(3,("cli_session_setup_spnego: using target "
+				 "hostname not SPNEGO principal\n"));
 
 			host = strchr_m(cli->desthost, '.');
-			if (host) {
-				/* We had a '.' in the name. */
-				machine = SMB_STRNDUP(cli->desthost,
-					host - cli->desthost);
-			} else {
-				machine = SMB_STRDUP(cli->desthost);
-			}
-			if (machine == NULL) {
-				TALLOC_FREE(principal);
-				return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
-			}
-
 			if (dest_realm) {
 				realm = SMB_STRDUP(dest_realm);
 				strupper_m(realm);
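Review bot: `host = strchr_m(cli->desthost, '.');` on the context line survives the removal of the `machine` handling, but its only consumer was the `if (host)` branch deleted in the next hunk; drop the `host` variable and the `strchr_m` call, otherwise this is an unused-variable warning.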
@@ -1323,21 +1309,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			}
 
 			if (realm && *realm) {
-				if (host) {
-					/* DNS name. */
-					principal = talloc_asprintf(talloc_tos(),
-							"cifs/%s@%s",
-							cli->desthost,
-							realm);
-				} else {
-					/* NetBIOS name, use machine account. */
-					principal = talloc_asprintf(talloc_tos(),
-							"%s$@%s",
-							machine,
-							realm);
-				}
+				principal = talloc_asprintf(talloc_tos(),
+							    "cifs/%s@%s",
+							    cli->desthost,
+							    realm);
 				if (!principal) {
-					SAFE_FREE(machine);
 					SAFE_FREE(realm);
 					return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 				}
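Review bot: the principal is now always `cifs/<desthost>@<REALM>`, including when `cli->desthost` is an unqualified NetBIOS name. That is correct (the commit message explains why a `machine$` target is never right), but it only works where a matching servicePrincipalName is registered, and the commit message itself says earlier servers may now downgrade to NTLMSSP more often; make sure the failure path logs the principal that was tried so that case can be recognised.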
@@ -1345,7 +1321,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 					"server principal=%s\n",
 					principal ? principal : "<null>"));
 			}
-			SAFE_FREE(machine);
 			SAFE_FREE(realm);
 		}
 
@@ -1424,15 +1399,15 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
 
 	if (cli->protocol < PROTOCOL_NT1) {
 		if (!lp_client_lanman_auth() && passlen != 24 && (*pass)) {
-			DEBUG(1, ("Server requested LM password but 'client lanman auth'"
-				  " is disabled\n"));
+			DEBUG(1, ("Server requested LM password but 'client lanman auth = no'"
+				  " or 'client ntlmv2 auth = yes'\n"));
 			return NT_STATUS_ACCESS_DENIED;
 		}
 
 		if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 &&
 		    !lp_client_plaintext_auth() && (*pass)) {
-			DEBUG(1, ("Server requested plaintext password but "
-				  "'client plaintext auth' is disabled\n"));
+			DEBUG(1, ("Server requested LM password but 'client plaintext auth = no'"
+				  " or 'client ntlmv2 auth = yes'\n"));
 			return NT_STATUS_ACCESS_DENIED;
 		}
 
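Review bot: the second message in this hunk is wrong. The branch is the plaintext check (`NEGOTIATE_SECURITY_CHALLENGE_RESPONSE` clear and `!lp_client_plaintext_auth()`), yet the new text reads `Server requested LM password but 'client plaintext auth = no' or 'client ntlmv2 auth = yes'`. It should say `plaintext password`, and `client ntlmv2 auth` is not consulted in this check, so naming it will send users to the wrong option.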
@@ -1458,8 +1433,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli,
 
 	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
 		if (!lp_client_plaintext_auth() && (*pass)) {
-			DEBUG(1, ("Server requested plaintext password but "
-				  "'client plaintext auth' is disabled\n"));
+			DEBUG(1, ("Server requested LM password but 'client plaintext auth = no'"
+				  " or 'client ntlmv2 auth = yes'\n"));
 			return NT_STATUS_ACCESS_DENIED;
 		}
 		return cli_session_setup_plaintext(cli, user, pass, workgroup);
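Review bot: same problem as the previous hunk: this is the plaintext branch, but the new message says `Server requested LM password`; keep `Server requested plaintext password but 'client plaintext auth = no'` and leave `client ntlmv2 auth` out of it.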
@@ -1634,7 +1609,7 @@ struct tevent_req *cli_tcon_andx_create(TALLOC_CTX *mem_ctx,
 		if (!lp_client_lanman_auth()) {
 			DEBUG(1, ("Server requested LANMAN password "
 				  "(share-level security) but "
-				  "'client lanman auth' is disabled\n"));
+				  "'client lanman auth = no' or 'client ntlmv2 auth = yes'\n"));
 			goto access_denied;
 		}
 
@@ -1650,8 +1625,8 @@ struct tevent_req *cli_tcon_andx_create(TALLOC_CTX *mem_ctx,
 		   == 0) {
 			if (!lp_client_plaintext_auth() && (*pass)) {
 				DEBUG(1, ("Server requested plaintext "
-					  "password but 'client plaintext "
-					  "auth' is disabled\n"));
+					  "password but "
+					  "'client lanman auth = no' or 'client ntlmv2 auth = yes'\n"));
 				goto access_denied;
 			}
 
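Review bot: this check is `!lp_client_plaintext_auth()`, but the new message names `'client lanman auth = no'`; it should read `'client plaintext auth = no'`, and `client ntlmv2 auth` plays no part here either.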
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 833358d..ced8223 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -338,6 +338,8 @@ struct global {
 	bool bClientNTLMv2Auth;
 	bool bClientPlaintextAuth;
 	bool bClientUseSpnego;
+	bool client_use_spnego_principal;
+	bool send_spnego_principal;
 	bool bDebugPrefixTimestamp;
 	bool bDebugHiresTimestamp;
 	bool bDebugPid;
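Review bot: the new fields `client_use_spnego_principal` and `send_spnego_principal` break the `bXxx` naming used by every neighbour in this struct (`bClientUseSpnego`, `bDebugPid`); minor, but either follow the file's convention or note in the commit message that the prefix is being dropped deliberately.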
@@ -1400,6 +1402,24 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
+		.label		= "client use spnego principal",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.client_use_spnego_principal,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
+		.label		= "send spnego principal",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.send_spnego_principal,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
 		.label		= "username",
 		.type		= P_STRING,
 		.p_class	= P_LOCAL,
@@ -5243,8 +5263,8 @@ static void init_globals(bool reinit_globals)
 	Globals.bClientPlaintextAuth = False;	/* Do NOT use a plaintext password even if is requested by the server */
 	Globals.bLanmanAuth = False;	/* Do NOT use the LanMan hash, even if it is supplied */
 	Globals.bNTLMAuth = True;	/* Do use NTLMv1 if it is supplied by the client (otherwise NTLMv2) */
-	Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as we can't tell that the server supports it. */
-	/* Note, that we will use NTLM2 session security (which is different), if it is available */
+	Globals.bClientNTLMv2Auth = True; /* Client should always use use NTLMv2, as we can't tell that the server supports it, but most modern servers do */
+	/* Note, that we will also use NTLM2 session security (which is different), if it is available */
 
 	Globals.map_to_guest = 0;	/* By Default, "Never" */
 	Globals.oplock_break_wait_time = 0;	/* By Default, 0 msecs. */
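Review bot: neither new parameter gets an explicit value in `init_globals()`, so the documented default of `no` relies on `Globals` being zero-filled on (re)initialisation; add `Globals.client_use_spnego_principal = False;` and `Globals.send_spnego_principal = False;` beside the other auth defaults. Also, the new comment has a doubled word (`always use use NTLMv2`) and argues against itself ("can't tell that the server supports it, but most modern servers do"); state plainly that NTLMv2 is now sent unconditionally and that older servers need `client ntlmv2 auth = no`.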
@@ -5722,6 +5742,8 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
 FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
 FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
 FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
+FN_GLOBAL_BOOL(lp_send_spnego_principal, &Globals.send_spnego_principal)
 FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
 FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
 FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index a0c1d25..443fac4 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -213,6 +213,9 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
 		/* Code for standalone WXP client */
 		blob = spnego_gen_negTokenInit(ctx, OIDs_ntlm, NULL, "NONE");
 #endif
+	} else if (!lp_send_spnego_principal()) {
+		/* By default, Windows 2008 and later sends not_defined_in_RFC4178 at please_ignore */
+		blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, ADS_IGNORE_PRINCIPAL);
 	} else {
 		fstring myname;
 		char *host_princ_s = NULL;
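Review bot: the new `else if (!lp_send_spnego_principal())` branch keeps offering `OIDs_krb5`, so Kerberos stays negotiable for clients that derive the target from the host they contacted; that is the intended behaviour and worth saying in the comment alongside the Windows 2008 reference, together with the reason (the hint is unauthenticated, so a client that trusts it can be steered to a principal of the server's choosing). Also confirm the `#if`/`#endif` block just above, labelled for the standalone WXP client, cannot bypass this branch when that build option is enabled.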
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 1d617c0..858830f 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1210,14 +1210,18 @@ done:
 	return status;
 }
 
-static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads)
+static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const char *hostname)
 {
 	int num_addrs;
 	struct sockaddr_storage *iplist = NULL;
 	fstring machine_name;
 	NTSTATUS status;
 
-	name_to_fqdn( machine_name, global_myname() );
+	if (hostname) {
+		fstrcpy(machine_name, hostname);
+	} else {
+		name_to_fqdn( machine_name, global_myname() );
+	}
 	strlower_m( machine_name );
 
 	/* Get our ip address (not the 127.0.0.x address but a real ip
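Review bot: `fstrcpy(machine_name, hostname)` takes the operator-supplied argv value with no validation: nothing checks that it is a fully qualified name in the domain's zone, and `fstrcpy` truncates silently at `FSTRING_LEN`. Since the result drives a GSS-TSIG dynamic update, reject names without a `.` and report truncation; `net ads join` passes `NULL`, so only `net ads dns register` reaches this path.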
@@ -1408,7 +1412,7 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
 			ads_kinit_password( ads_dns );
 		}
 
-		if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns )) ) {
+		if ( !ads_dns || !NT_STATUS_IS_OK(net_update_dns( ctx, ads_dns, NULL)) ) {
 			d_fprintf( stderr, _("DNS update failed!\n") );
 		}
 
@@ -1445,9 +1449,9 @@ static int net_ads_dns_register(struct net_context *c, int argc, const char **ar
 	talloc_enable_leak_report();
 #endif
 
-	if (argc > 0 || c->display_usage) {
+	if (argc > 1 || c->display_usage) {
 		d_printf(  "%s\n"
-			   "net ads dns register\n"
+			   "net ads dns register [hostname]\n"
 			   "    %s\n",
 			 _("Usage:"),
 			 _("Register hostname with DNS\n"));
@@ -1466,7 +1470,7 @@ static int net_ads_dns_register(struct net_context *c, int argc, const char **ar
 		return -1;
 	}
 
-	if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads)) ) {
+	if ( !NT_STATUS_IS_OK(net_update_dns(ctx, ads, argc == 1 ? argv[0] : NULL)) ) {
 		d_fprintf( stderr, _("DNS update failed!\n") );
 		ads_destroy( &ads );
 		TALLOC_FREE( ctx );
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index d52d4e2..7ec0bff 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1145,7 +1145,6 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 	DATA_BLOB lm_resp;
 	DATA_BLOB nt_resp;
 	int attempts = 0;
-	unsigned char local_lm_response[24];
 	unsigned char local_nt_response[24];
 	fstring name_domain, name_user;
 	bool retry;
@@ -1167,47 +1166,27 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 	if (lp_client_ntlmv2_auth()) {
 		DATA_BLOB server_chal;
 		DATA_BLOB names_blob;
-		DATA_BLOB nt_response;
-		DATA_BLOB lm_response;
-		server_chal = data_blob_talloc(state->mem_ctx, chal, 8);
+		server_chal = data_blob_const(chal, 8);
 
-		/* note that the 'workgroup' here is a best guess - we don't know
-		   the server's domain at this point.  The 'server name' is also
-		   dodgy...
+		/* note that the 'workgroup' here is for the local
+		   machine.  The 'server name' must match the
+		   'workstation' passed to the actual SamLogon call.
 		*/
 		names_blob = NTLMv2_generate_names_blob(state->mem_ctx, global_myname(), lp_workgroup());
 
-		if (!SMBNTLMv2encrypt(NULL, name_user, name_domain,
+		if (!SMBNTLMv2encrypt(state->mem_ctx, name_user, name_domain,
 				      state->request->data.auth.pass,
 				      &server_chal,
 				      &names_blob,
-				      &lm_response, &nt_response, NULL, NULL)) {
+				      &lm_resp, &nt_resp, NULL, NULL)) {
 			data_blob_free(&names_blob);
-			data_blob_free(&server_chal);
 			DEBUG(0, ("winbindd_pam_auth: SMBNTLMv2encrypt() failed!\n"));
 			result = NT_STATUS_NO_MEMORY;
 			goto done;
 		}
 		data_blob_free(&names_blob);
-		data_blob_free(&server_chal);
-		lm_resp = data_blob_talloc(state->mem_ctx, lm_response.data,
-					   lm_response.length);
-		nt_resp = data_blob_talloc(state->mem_ctx, nt_response.data,
-					   nt_response.length);
-		data_blob_free(&lm_response);
-		data_blob_free(&nt_response);
-
 	} else {
-		if (lp_client_lanman_auth()
-		    && SMBencrypt(state->request->data.auth.pass,
-				  chal,
-				  local_lm_response)) {
-			lm_resp = data_blob_talloc(state->mem_ctx,
-						   local_lm_response,
-						   sizeof(local_lm_response));
-		} else {
-			lm_resp = data_blob_null;
-		}
+		lm_resp = data_blob_null;
 		SMBNTencrypt(state->request->data.auth.pass,
 			     chal,
 			     local_nt_response);
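Review bot: with `server_chal = data_blob_const(chal, 8)` the removed `data_blob_free(&server_chal)` calls are correct (nothing is allocated), and passing `state->mem_ctx` to `SMBNTLMv2encrypt()` removes the copy into `lm_resp`/`nt_resp`. In the NTLMv1 branch `lm_resp = data_blob_null` now sends an empty LM field regardless of `client lanman auth`, which matches the commit message. The rewritten comment asserts that `global_myname()` must equal the `workstation` passed to SamLogon, but that call is outside this hunk; please confirm in the same function that both use the same value, otherwise the NTLMv2 response will not verify.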
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 813bf0a..1f6c919 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c


-- 
Samba Shared Repository

