[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger kseeger at samba.org
Fri May 13 13:37:11 MDT 2011


The branch, v3-5-test has been updated
       via  12bb20a s3-libsmb Don't ever ask for machine$ principals as a target.
       via  e962852 s3-libads Default to NOT using the server-supplied principal from SPNEGO
      from  3782315 Fix bug 8111 - CIFS VFS: unexpected error on SMB posix open

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 12bb20a0f6cd85cfdaedf746e7b05416ccde31b0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Dec 10 07:57:59 2010 +1100

    s3-libsmb Don't ever ask for machine$ principals as a target.
    
    It is never correct to ask for a machine$ principal as the target of a
    kerberos connection.  You should always connect via the
    servicePrincipalName.
    
    This current code appears to have built up from a series of minimal
    changes, as the codebase adapted to the lack of a SPNEGO principal
    from Windows 2008.
    
    Andrew Bartlett
    
    The last two patches address bug #7893 (CIFS tickets vs. <host>$ tickets).

commit e962852687f539678b7c38ed21f1b76c328821f2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Dec 4 13:48:37 2010 +1100

    s3-libads Default to NOT using the server-supplied principal from SPNEGO
    
    This principal is not supplied by later versions of windows, and using
    it opens up some opportunities for man in the middle attacks.  (Because
    it isn't the name being contacted that is verified with the KDC).
    
    This adds the option 'client use spnego principal' to the smb.conf (as
    used in Samba4) to control this behaviour.  As in Samba4, this
    defaults to false.
    
    Against 2008 servers, this will not change behaviour.  Against earlier
    servers, it may cause a downgrade to NTLMSSP more often, in
    environments where server names are not registered with the KDC as
    servicePrincipalName values.
    
    Andrew Bartlett
    (cherry picked from commit bb7806283e71f3b8029aae0eed326b5847a36d83)

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h     |    1 +
 source3/libads/sasl.c       |    8 +++++---
 source3/libsmb/cliconnect.c |   40 ++++++++--------------------------------
 source3/param/loadparm.c    |   11 +++++++++++
 4 files changed, 25 insertions(+), 35 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 6ff0882..e15a020 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4080,6 +4080,7 @@ bool lp_use_mmap(void);
 bool lp_unix_extensions(void);
 bool lp_use_spnego(void);
 bool lp_client_use_spnego(void);
+bool lp_client_use_spnego_principal(void);
 bool lp_hostname_lookups(void);
 bool lp_change_notify(const struct share_params *p );
 bool lp_kernel_change_notify(const struct share_params *p );
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 421faed..749e8a4 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -649,10 +649,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
 	   the principal name back in the first round of
 	   the SASL bind reply.  So we guess based on server
 	   name and realm.  --jerry  */
-	/* Also try best guess when we get the w2k8 ignore
-	   principal back - gd */
+	/* Also try best guess when we get the w2k8 ignore principal
+	   back, or when we are configured to ignore it - gd,
+	   abartlet */
 
-	if (!given_principal ||
+	if (!lp_client_use_spnego_principal() ||
+	    !given_principal ||
 	    strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
 		status = ads_guess_service_principal(ads, &p->string);
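Review bot: The reworded comment above the condition says the server-supplied principal may be ignored by configuration but not why, and the same holds for the new one-line comment in cli_session_setup_spnego in source3/libsmb/cliconnect.c. The commit message gives the reason: that principal is not the name being contacted, so honouring it leaves room for a man in the middle to influence which target is verified with the KDC. I would record that in the code, e.g. `/* The SPNEGO principal is chosen by the server, not by us; unless 'client use spnego principal' is set, ignore it and derive the target from the name we were asked to contact. */`. The cliconnect.c comment is also a single over-long line with a dangling ` */` and would read better re-wrapped. ads_generate_service_principal starts and ends outside this hunk, so the branch that still uses given_principal is not visible here.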
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9d0b1e3..6316db1 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1056,10 +1056,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			}
 		}
 
-		/* If we get a bad principal, try to guess it if
-		   we have a valid host NetBIOS name.
+		/* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
 		 */
-		if (strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+		if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
 			TALLOC_FREE(principal);
 		}
 
@@ -1068,23 +1067,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			!strequal(STAR_SMBSERVER,
 				cli->desthost)) {
 			char *realm = NULL;
-			char *machine = NULL;
 			char *host = NULL;
-			DEBUG(3,("cli_session_setup_spnego: got a "
-				"bad server principal, trying to guess ...\n"));
+			DEBUG(3,("cli_session_setup_spnego: using target "
+				 "hostname not SPNEGO principal\n"));
 
 			host = strchr_m(cli->desthost, '.');
-			if (host) {
-				/* We had a '.' in the name. */
-				machine = SMB_STRNDUP(cli->desthost,
-					host - cli->desthost);
-			} else {
-				machine = SMB_STRDUP(cli->desthost);
-			}
-			if (machine == NULL) {
-				return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
-			}
-
 			if (dest_realm) {
 				realm = SMB_STRDUP(dest_realm);
 				strupper_m(realm);
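Review bot: `realm = SMB_STRDUP(dest_realm);` is followed directly by `strupper_m(realm);` with no NULL check, while the lines this hunk deletes did check the result of the same macro for `machine`. If the duplication can fail here, the check should be kept for realm too, `if (realm == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); }`, placed before the upper-casing. Whether strupper_m tolerates a NULL argument is not visible in this hunk. The enclosing block continues outside the hunk, where `host` is presumably still read, since its visible uses are all removed.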
@@ -1099,21 +1086,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			}
 
 			if (realm && *realm) {
-				if (host) {
-					/* DNS name. */
-					principal = talloc_asprintf(talloc_tos(),
-							"cifs/%s@%s",
-							cli->desthost,
-							realm);
-				} else {
-					/* NetBIOS name, use machine account. */
-					principal = talloc_asprintf(talloc_tos(),
-							"%s$@%s",
-							machine,
-							realm);
-				}
+				principal = talloc_asprintf(talloc_tos(),
+							    "cifs/%s@%s",
+							    cli->desthost,
+							    realm);
 				if (!principal) {
-					SAFE_FREE(machine);
 					SAFE_FREE(realm);
 					return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
 				}
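Review bot: The new `talloc_asprintf` call loses the `/* DNS name. */` and `/* NetBIOS name, use machine account. */` comments without a replacement, so nothing at the call explains that `cli->desthost` is now used verbatim for both name forms. A one-line comment would record the intent from the commit message, e.g. `/* Always target the cifs/ servicePrincipalName of the host we were asked to contact, never the machine$ account. */`. It is worth adding there that a name not registered with the KDC as a servicePrincipalName will, per the commit message, lead to NTLMSSP being used more often. That fallback path is outside this hunk.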
@@ -1121,7 +1098,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 					"server principal=%s\n",
 					principal ? principal : "<null>"));
 			}
-			SAFE_FREE(machine);
 			SAFE_FREE(realm);
 		}
 
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 76e2303..1ad067b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -325,6 +325,7 @@ struct global {
 	bool bClientNTLMv2Auth;
 	bool bClientPlaintextAuth;
 	bool bClientUseSpnego;
+	bool client_use_spnego_principal;
 	bool bDebugPrefixTimestamp;
 	bool bDebugHiresTimestamp;
 	bool bDebugPid;
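Review bot: Nothing in the visible loadparm.c hunks assigns `client_use_spnego_principal` a default, and the diffstat's 11 insertions for this file are fully accounted for by the three hunks shown, so the stated default of false appears to rest on `Globals` being zero-initialised. Since false is the safe value, I would set it explicitly wherever the other global defaults are assigned (not visible here), `Globals.client_use_spnego_principal = false;`, so a later change to initialisation cannot flip it silently. The field name also departs from the `bClientUseSpnego` style of its neighbours in this struct.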
@@ -1395,6 +1396,15 @@ static struct parm_struct parm_table[] = {
 		.flags		= FLAG_ADVANCED,
 	},
 	{
+		.label		= "client use spnego principal",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.client_use_spnego_principal,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
+	{
 		.label		= "username",
 		.type		= P_STRING,
 		.p_class	= P_LOCAL,
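Review bot: The new `client use spnego principal` entry is added to parm_table, but the diffstat lists only four source files, so no smb.conf documentation appears to accompany the parameter. Because turning it on restores use of the server-supplied principal, the documentation should state the default and the man-in-the-middle exposure the commit message describes. A short comment on the table entry would help as well, e.g. `/* Off by default: the server-supplied principal is not the name verified with the KDC. */`.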
@@ -5537,6 +5547,7 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
 FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
 FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
 FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
 FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
 FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
 FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)


-- 
Samba Shared Repository

