[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Apr 13 18:20:02 MDT 2011


The branch, master has been updated
       via  29c0c37 s4/libcli: do not use netbios name in NTLMv2 blobs w/o spnego
       via  96a49d2 libcli: allow exclusion of netbios name in NTLMV2 blob
       via  36f7f98 s4/libcli: do not announce NT error code support when it is disabled
      from  165521e s3: only include smb profiling where needed.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 29c0c37691da10bf061ba90a5b31482bda2fa486
Author: Christian Ambach <christian.ambach at de.ibm.com>
Date:   Thu Apr 7 14:05:04 2011 +0200

    s4/libcli: do not use netbios name in NTLMv2 blobs w/o spnego
    
    I have seen domain controllers rejecting NTLMv2 blobs presented to
    NetrLogonSamLogonEx with LOGON_FAILURE when the MsvAvNbComputerName
    was a FQDN or an IP address
    
    I have not seen this field in NTLMv2 blobs sent by Windows clients
    when extended security was not available, so omitting the field
    makes Samba similar to Windows.
    
    This prevents errors with some smbtorture testcases that disable
    spnego and when a target name is specified that is not a valid
    netbios name.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Thu Apr 14 02:19:08 CEST 2011 on sn-devel-104

commit 96a49d23a4caebefcea66cfb855fadbae12ccf7c
Author: Christian Ambach <christian.ambach at de.ibm.com>
Date:   Thu Apr 7 14:01:50 2011 +0200

    libcli: allow exclusion of netbios name in NTLMV2 blob
    
    when no hostname is given, leave away the MsvAvNbComputerName part
    of the ntlmv2 blob
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 36f7f985c168468a82a6e941c6e21c6113b906ca
Author: Christian Ambach <christian.ambach at de.ibm.com>
Date:   Wed Mar 9 13:48:06 2011 +0100

    s4/libcli: do not announce NT error code support when it is disabled
    
    when the support of NT error codes has been disabled in the options of a
    CLI connection, support for them should not be announced during
    protocol negotiation
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/smbencrypt.c                 |   17 ++++++++++++-----
 source4/libcli/raw/rawnegotiate.c        |    5 ++++-
 source4/libcli/smb_composite/sesssetup.c |   26 ++++++++++++++++++++++----
 3 files changed, 38 insertions(+), 10 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index d090345..366f6df 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -385,11 +385,18 @@ DATA_BLOB NTLMv2_generate_names_blob(TALLOC_CTX *mem_ctx,
 	DATA_BLOB names_blob = data_blob_talloc(mem_ctx, NULL, 0);
 
 	/* Deliberately ignore return here.. */
-	(void)msrpc_gen(mem_ctx, &names_blob,
-		  "aaa",
-		  MsvAvNbDomainName, domain,
-		  MsvAvNbComputerName, hostname,
-		  MsvAvEOL, "");
+	if (hostname != NULL) {
+		(void)msrpc_gen(mem_ctx, &names_blob,
+			  "aaa",
+			  MsvAvNbDomainName, domain,
+			  MsvAvNbComputerName, hostname,
+			  MsvAvEOL, "");
+	} else {
+		(void)msrpc_gen(mem_ctx, &names_blob,
+			  "aa",
+			  MsvAvNbDomainName, domain,
+			  MsvAvEOL, "");
+	}
 	return names_blob;
 }
 
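Review bot: The new "if (hostname != NULL)" branch gives a NULL hostname a meaning (omit MsvAvNbComputerName) that is not documented anywhere in this hunk; a comment above the if, or in the function's header comment, should state that NULL is accepted and what blob it produces. domain is still handed to msrpc_gen unchecked in both branches, so it is worth confirming that callers never pass NULL there. Both calls also keep the (void) cast, so a failed msrpc_gen still returns whatever names_blob holds at that point without signalling the error to the caller.
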
diff --git a/source4/libcli/raw/rawnegotiate.c b/source4/libcli/raw/rawnegotiate.c
index 67f3bfa..4f8c13e 100644
--- a/source4/libcli/raw/rawnegotiate.c
+++ b/source4/libcli/raw/rawnegotiate.c
@@ -62,7 +62,10 @@ struct smbcli_request *smb_raw_negotiate_send(struct smbcli_transport *transport
 		return NULL;
 	}
 
-	flags2 |= FLAGS2_32_BIT_ERROR_CODES;
+	if (transport->options.ntstatus_support) {
+		flags2 |= FLAGS2_32_BIT_ERROR_CODES;
+	}
+
 	if (unicode) {
 		flags2 |= FLAGS2_UNICODE_STRINGS;
 	}
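
Review bot: The added "if (transport->options.ntstatus_support)" carries no comment saying why FLAGS2_32_BIT_ERROR_CODES is now conditional. A one-line comment that the flag must not be advertised in the negotiate request when the connection option is off would keep a later cleanup from collapsing it back to the unconditional assignment. A test that connects with ntstatus_support disabled and checks the flags2 value sent would pin the behaviour.
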
diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
index e1159a4..ebc3598 100644
--- a/source4/libcli/smb_composite/sesssetup.c
+++ b/source4/libcli/smb_composite/sesssetup.c
@@ -280,8 +280,17 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
 				  struct smbcli_request **req) 
 {
 	NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
-	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
-	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, cli_credentials_get_domain(io->in.credentials));
+	struct sesssetup_state *state = talloc_get_type(c->private_data,
+							struct sesssetup_state);
+	const char *domain = cli_credentials_get_domain(io->in.credentials);
+
+	/*
+	 * domain controllers tend to reject the NTLM v2 blob
+	 * if the netbiosname is not valid (e.g. IP address or FQDN)
+	 * so just leave it away (as Windows client do)
+	 */
+	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, NULL, domain);
+
 	DATA_BLOB session_key = data_blob(NULL, 0);
 	int flags = CLI_CRED_NTLM_AUTH;
 
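Review bot: In session_setup_nt1 the hostname argument is now hard-coded to NULL, so MsvAvNbComputerName is dropped even when session->transport->socket->hostname is a valid NetBIOS name, while the comment only justifies the invalid case (IP address or FQDN). Either reword the comment to say the field is always omitted on this path, or keep passing the name when it is a valid NetBIOS name. Minor: "as Windows client do" in the comment should read "as Windows clients do".
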
@@ -353,9 +362,18 @@ static NTSTATUS session_setup_old(struct composite_context *c,
 				  struct smbcli_request **req) 
 {
 	NTSTATUS nt_status;
-	struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
+	struct sesssetup_state *state = talloc_get_type(c->private_data,
+							struct sesssetup_state);
 	const char *password = cli_credentials_get_password(io->in.credentials);
-	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, cli_credentials_get_domain(io->in.credentials));
+	const char *domain = cli_credentials_get_domain(io->in.credentials);
+
+	/*
+	 * domain controllers tend to reject the NTLM v2 blob
+	 * if the netbiosname is not valid (e.g. IP address or FQDN)
+	 * so just leave it away (as Windows client do)
+	 */
+	DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, NULL, domain);
+
 	DATA_BLOB session_key;
 	int flags = 0;
 	if (session->options.lanman_auth) {
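
Review bot: The comment block and the "NTLMv2_generate_names_blob(state, NULL, domain)" call in session_setup_old are a verbatim copy of what the previous hunk adds to session_setup_nt1. A small static helper that takes state and the credentials and returns the names blob would hold the comment and the policy in one place, so the two session setup paths cannot drift apart if the handling of the computer name changes again.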


-- 
Samba Shared Repository

