[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger kseeger at samba.org
Sat Jan 8 09:04:06 MST 2011 

The branch, v3-5-test has been updated
       via  3d9dd75 s3:libsmb: use 16 zero bytes as channel binding checksum in the gssapi checksum (bug #7883)
       via  b31c9cf s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
      from  bba197b s3: Fix a memleak in receive_getdc_response

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 3d9dd75e811eb251002b7c1b958f58790a089086
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 23 08:17:48 2010 +0100

    s3:libsmb: use 16 zero bytes as channel binding checksum in the gssapi checksum (bug #7883)
    
    This fixes SMB session setups with kerberos against some closed
    source SMB servers.
    
    The new behavior matches heimdal and mit.
    
    metze
    
    Autobuild-User: Stefan Metzmacher <metze at samba.org>
    Autobuild-Date: Thu Dec 23 09:38:43 CET 2010 on sn-devel-104
    (cherry picked from commit e9dddc55e324c62973e6a561477b532cf9ed79af)
    (cherry picked from commit 3356192af5d36fbe986c4728162d10fe883ba2fd)

commit b31c9cf18a5bd592912bd300e028d0798e93978d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Sep 11 16:13:33 2010 +1000

    s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
    
    The idea of this patch is: Don't support a mix of different kerberos
    features.
    
    Either we should prepare a GSSAPI (8003) checksum and mark the request as
    such, or we should use the old behaviour (a normal kerberos checksum of 0 data).
    
    Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
    Samba4, and seems well outside the expected behaviour, even if Windows accepts it.
    
    Andrew Bartlett
    (cherry picked from commit 3b4db34011f06fb785153fa9070fb1da9d8f5c78)
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source3/libsmb/clikrb5.c |   34 +++++++++++-----------------------
 1 files changed, 11 insertions(+), 23 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index b0dec0a..7b5cd09 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -696,26 +696,16 @@ static krb5_error_code create_gss_checksum(krb5_data *in_data, /* [inout] */
 	memset(gss_cksum, '\0', base_cksum_size + orig_length);
 	SIVAL(gss_cksum, 0, GSSAPI_BNDLENGTH);
 
-	/* Precalculated MD5sum of NULL channel bindings (20 bytes) */
-	/* Channel bindings are: (all ints encoded as little endian)
-
-		[4 bytes] initiator_addrtype (255 for null bindings)
-		[4 bytes] initiator_address length
-			[n bytes] .. initiator_address data - not present
-				     in null bindings.
-		[4 bytes] acceptor_addrtype (255 for null bindings)
-		[4 bytes] acceptor_address length
-			[n bytes] .. acceptor_address data - not present
-				     in null bindings.
-		[4 bytes] application_data length
-			[n bytes] .. application_ data - not present
-				     in null bindings.
-		MD5 of this is ""\x14\x8f\x0c\xf7\xb1u\xdey*J\x9a%\xdfV\xc5\x18"
-	*/
-
-	memcpy(&gss_cksum[4],
-		"\x14\x8f\x0c\xf7\xb1u\xdey*J\x9a%\xdfV\xc5\x18",
-		GSSAPI_BNDLENGTH);
+	/*
+	 * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes.
+	 * This matches the behavior of heimdal and mit.
+	 *
+	 * And it is needed to work against some closed source
+	 * SMB servers.
+	 *
+	 * See bug #7883
+	 */
+	memset(&gss_cksum[4], 0x00, GSSAPI_BNDLENGTH);
 
 	SIVAL(gss_cksum, 20, gss_flags);
 
@@ -832,7 +822,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 		goto cleanup_creds;
 	}
 
-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
+#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
 	if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
 		/* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
 		 as part of the kerberos exchange. */
@@ -894,7 +884,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 			gss_flags |= GSS_C_DELEG_FLAG;
 		}
 	}
-#endif
 
 	/* Frees and reallocates in_data into a GSS checksum blob. */
 	retval = create_gss_checksum(&in_data, gss_flags);
@@ -902,7 +891,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
 		goto cleanup_data;
 	}
 
-#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
 	/* We always want GSS-checksum types. */
 	retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
 	if (retval) {


-- 
Samba Shared Repository

More information about the samba-cvs mailing list