[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Apr 28 18:17:04 UTC 2016
The branch, master has been updated
via eee88e0 s3:selftest: add smbclient_ntlm tests
via 4de4338 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
via 587b5db selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
via 7091033 s3:test_smbclient_auth.sh: this script reqiures 5 arguments
via b8055cb selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
via 7a2cb2c auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
via db9c01a auth/spnego: add spnego:simulate_w2k option for testing
via d667520 auth/ntlmssp: do map to guest checking after the authentication
via 79a7154 s3:smbd: only mark real guest sessions with the GUEST flag
via 25ce978 s3:smbd: make use SMB_SETUP_GUEST constant
via 837e617 libcli/security: implement SECURITY_GUEST
via ead483b s3:auth_builtin: anonymous authentication doesn't allow a password
via d247dce s4:auth_anonymous: anonymous authentication doesn't allow a password
via 6546295 auth/spnego: only try to verify the mechListMic if signing was negotiated.
via e72ad19 s3:libsmb: use anonymous authentication via spnego if possible
via fa57992 s3:libsmb: don't finish the gensec handshake for guest logins
via 02c9021 s3:libsmb: record the session setup action flags
via 8f4a4be libcli/smb: add smbXcli_session_is_guest() helper function
via cceaa61 libcli/smb: add SMB1 session setup action flags
via e6f9e17 libcli/smb: add smb1cli_session_set_action() helper function
via 8e016ff libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
via 53be474 s3:libsmb: use password = NULL for anonymous connections
via d97b347 auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
via 5041adb auth/ntlmssp: don't require any flags in the ccache_resume code
via 032c273 auth/spnego: handle broken mechListMIC response from Windows 2000
via 9930bd1 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
via b659503 s3:librpc:crypto:gse: increase debug level for gse_init_client().
via 95b8b02 lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
via 795e796 s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
via 8704958 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
from 4158729 selfttest: add common_test_fns.inc
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit eee88e07b3e68efb467b390536eea4155b5ced7e
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 16:12:47 2016 +0200
s3:selftest: add smbclient_ntlm tests
We test all combinations of NT1 with and without spnego and SMB3
for user, anonymous and guest authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Apr 28 20:16:45 CEST 2016 on sn-devel-144
commit 4de43387235cb17a185fdd1afd658972e8c174ef
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 16:02:22 2016 +0200
selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 587b5db7979c1ca1055f5bfd81ab79606cd3c2dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 27 01:00:14 2016 +0200
selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 70910334caa176bf98fece7d638ed599979dc173
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 26 11:33:52 2016 +0200
s3:test_smbclient_auth.sh: this script reqiures 5 arguments
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b8055cb42cadf48367867213a35635f3391c9b8d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 26 08:50:00 2016 +0200
selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 7a2cb2c97611171613fc677a534277839348c56f
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 15:58:27 2016 +0200
auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit db9c01a51975a0a3ec2564357617958c2f466091
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 25 14:45:55 2016 +0200
auth/spnego: add spnego:simulate_w2k option for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d667520568996471b55007a42b503edbabb1eee0
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 18:27:34 2016 +0200
auth/ntlmssp: do map to guest checking after the authentication
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 79a71545bfc87525c6ba6c8fe9fa7d8a9da33441
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 16:34:28 2016 +0200
s3:smbd: only mark real guest sessions with the GUEST flag
Real anonymous sessions don't get it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 25ce97892ad3ce5028e4dbbbdd844ef6619ac396
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:36:56 2016 +0200
s3:smbd: make use SMB_SETUP_GUEST constant
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 837e6176329330893d5a1e4ce4ac67dbac758e56
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 16:29:42 2016 +0200
libcli/security: implement SECURITY_GUEST
SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit ead483b0c0ec746c0869162024c97f2e08df7f4b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 27 01:48:32 2016 +0200
s3:auth_builtin: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d247dceaaab24b568425f2360e40f5e91be452cc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 27 01:44:56 2016 +0200
s4:auth_anonymous: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 65462958522baee6eedcedd4193cfcc8cf0f510e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 22 10:04:38 2016 +0200
auth/spnego: only try to verify the mechListMic if signing was negotiated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e72ad193a53e20b769f798d02c0610f91859bd38
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:33:03 2016 +0200
s3:libsmb: use anonymous authentication via spnego if possible
This makes the authentication consistent between
SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
and SNB2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit fa5799207e55ee8e329f36f784d027845eaf0e34
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:20:28 2016 +0200
s3:libsmb: don't finish the gensec handshake for guest logins
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 02c902103521e5a2b1d221db83e6c59d0ce31099
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:19:19 2016 +0200
s3:libsmb: record the session setup action flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8f4a4bec089b46bbeb0e0f37bb682acb88702bf2
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:38:46 2016 +0200
libcli/smb: add smbXcli_session_is_guest() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit cceaa61cf064926baca6db4b303d34ea90d40d52
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:34:21 2016 +0200
libcli/smb: add SMB1 session setup action flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit e6f9e176f2bb0e3e7451ac58e84ff55328219fcd
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 18 17:33:11 2016 +0200
libcli/smb: add smb1cli_session_set_action() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8e016ffeb01167bb8dec66cf9e4bc8605461c15a
Author: Günther Deschner <gd at samba.org>
Date: Wed Apr 20 20:09:53 2016 +0200
libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 53be47410236ef7c90fe895f49f300e3fe47a8bf
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 19 07:31:50 2016 +0200
s3:libsmb: use password = NULL for anonymous connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit d97b347d041f9b5c0aa71f35526cbefd56f3500b
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 18:44:21 2016 +0200
auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
Enforcement of SMB signing is done at the SMB layer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 5041adb6657596399049a33e6a739a040b4df0db
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 20 18:44:21 2016 +0200
auth/ntlmssp: don't require any flags in the ccache_resume code
ntlmssp_client_challenge() already checks for required flags
before asking winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 032c2733dea834e2c95178cdd0deb73e7bb13621
Author: Stefan Metzmacher <metze at samba.org>
Date: Sat Apr 23 05:17:25 2016 +0200
auth/spnego: handle broken mechListMIC response from Windows 2000
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 9930bd17f2d39e4be1e125f83f7de489a94ea1d1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 28 12:26:16 2016 +0200
auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit b6595037f3fcaafb957d9c08edfb89c72cded987
Author: Günther Deschner <gd at samba.org>
Date: Thu Apr 28 12:58:33 2016 +0200
s3:librpc:crypto:gse: increase debug level for gse_init_client().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 95b8b020626ba58a77a21e3da804bac2f0cf90b1
Author: Günther Deschner <gd at samba.org>
Date: Thu Apr 28 12:58:10 2016 +0200
lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 795e796658e6da0149c9c00ece7cca4ccc457717
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 22 16:31:55 2016 +0200
s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
commit 8704958fb3b212b401a8e7d94fdd9c627adbde0d
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 22 16:18:24 2016 +0200
s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Günther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/spnego.c | 66 +++++++++++++++++----
auth/ntlmssp/gensec_ntlmssp_server.c | 15 ++---
auth/ntlmssp/ntlmssp_client.c | 15 ++---
auth/ntlmssp/ntlmssp_server.c | 40 +++++++++++++
lib/krb5_wrap/krb5_samba.c | 4 +-
libcli/security/security_token.c | 5 ++
libcli/security/security_token.h | 2 +
libcli/security/session.c | 4 ++
libcli/security/session.h | 1 +
libcli/smb/smbXcli_base.c | 35 +++++++++++
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_constants.h | 6 ++
selftest/target/Samba.pm | 13 ++++
selftest/target/Samba4.pm | 23 +++++++-
source3/auth/auth_builtin.c | 47 ++++++++++++---
source3/libads/sasl.c | 4 +-
source3/librpc/crypto/gse.c | 2 +-
source3/libsmb/cliconnect.c | 92 +++++++++++++++++++++--------
source3/script/tests/test_smbclient_auth.sh | 2 +-
source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++
source3/selftest/tests.py | 4 +-
source3/smbd/sesssetup.c | 12 ++--
source3/smbd/smb2_sesssetup.c | 7 ++-
source4/auth/gensec/gensec_tstream.c | 6 +-
source4/auth/ntlm/auth_anonymous.c | 30 ++++++++++
25 files changed, 399 insertions(+), 79 deletions(-)
create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
Changeset truncated at 500 lines:
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 2922478..3962d72 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
bool needs_mic_check;
bool done_mic_check;
+ bool simulate_w2k;
+
/*
* The following is used to implement
* the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k", false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
+ DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
return nt_status;
}
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego.negTokenInit.mechToken,
&unwrapped_out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
+
nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
unwrapped_out,
- null_data_blob,
+ mech_list_mic,
out);
spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status = gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign = gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index ca19863..99cedd0 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -131,20 +131,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
ntlmssp_state->allow_lm_key = true;
}
- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
- /*
- * map to guest is not secure anyway, so
- * try to make it work and don't try to
- * negotiate new_spnego and MIC checking
- */
- ntlmssp_state->force_old_spnego = true;
- }
+ ntlmssp_state->force_old_spnego = false;
- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
/*
- * map to guest is not supported on an AD DC.
+ * For testing Windows 2000 mode
*/
- ntlmssp_state->force_old_spnego = false;
+ ntlmssp_state->force_old_spnego = true;
}
ntlmssp_state->neg_flags =
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+ ntlmssp_state->required_flags = 0;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
+ ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client", "force_old_spnego", false);
+
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
* Without this, Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
+ *
+ * We don't require this here as some servers (e.g. NetAPP)
+ * doesn't support this.
*/
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
/**
* Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct auth4_context *auth_context = gensec_security->auth_context;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ struct auth_session_info *session_info = NULL;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+ && auth_context->generate_session_info != NULL)
+ {
+ NTSTATUS tmp_status;
+
+ /*
+ * We need to check if the auth is anonymous or mapped to guest
+ */
+ tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+ gensec_ntlmssp->server_returned_info,
+ gensec_ntlmssp->ntlmssp_state->user,
+ AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+ &session_info);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ /*
+ * We don't care about failures,
+ * the worst result is that we try MIC checking
+ * for a map to guest authentication.
+ */
+ TALLOC_FREE(session_info);
+ }
+ }
+
+ if (session_info != NULL) {
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+ /*
+ * Anonymous and GUEST are not secure anyway.
+ * avoid new_spnego and MIC checking.
+ */
+ ntlmssp_state->new_spnego = false;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+ TALLOC_FREE(session_info);
+ }
+
talloc_steal(mem_ctx, user_session_key->data);
talloc_steal(mem_ctx, lm_session_key->data);
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index d1e60eb..3cb1cee 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2745,12 +2745,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
"Trying to read krb5 cache: %s\n",
krb5_cc_default_name(ctx)));
if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to read default cache\n"));
goto out;
}
if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to get default principal\n"));
goto out;
}
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 6812d42..2e5a87b 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha
return ret;
}
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+ return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
bool security_token_has_builtin_administrators(const struct security_token *token)
{
return security_token_has_sid(token, &global_sid_Builtin_Administrators);
diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
index b8ca990..5c5b30b 100644
--- a/libcli/security/security_token.h
+++ b/libcli/security/security_token.h
@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
bool security_token_has_sid_string(const struct security_token *token, const char *sid_string);
+bool security_token_has_builtin_guests(const struct security_token *token);
+
bool security_token_has_builtin_administrators(const struct security_token *token);
bool security_token_has_nt_authenticated_users(const struct security_token *token);
diff --git a/libcli/security/session.c b/libcli/security/session.c
index 0c32556..0fbb87d 100644
--- a/libcli/security/session.c
+++ b/libcli/security/session.c
@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
return SECURITY_ANONYMOUS;
}
+ if (security_token_has_builtin_guests(session_info->security_token)) {
+ return SECURITY_GUEST;
+ }
+
if (security_token_has_builtin_administrators(session_info->security_token)) {
return SECURITY_ADMINISTRATOR;
}
diff --git a/libcli/security/session.h b/libcli/security/session.h
index ee9187d..31e950e 100644
--- a/libcli/security/session.h
+++ b/libcli/security/session.h
@@ -24,6 +24,7 @@
enum security_user_level {
SECURITY_ANONYMOUS = 0,
+ SECURITY_GUEST = 1,
SECURITY_USER = 10,
SECURITY_RO_DOMAIN_CONTROLLER = 20,
SECURITY_DOMAIN_CONTROLLER = 30,
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 6a71766..4332374 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -167,6 +167,7 @@ struct smbXcli_session {
struct {
uint16_t session_id;
+ uint16_t action;
DATA_BLOB application_key;
bool protected_key;
} smb1;
@@ -5301,10 +5302,38 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
return session;
}
+bool smbXcli_session_is_guest(struct smbXcli_session *session)
+{
+ if (session == NULL) {
+ return false;
+ }
+
+ if (session->conn == NULL) {
+ return false;
+ }
+
+ if (session->conn->protocol >= PROTOCOL_SMB2_02) {
+ if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+ return true;
+ }
+ return false;
+ }
+
+ if (session->smb1.action & SMB_SETUP_GUEST) {
+ return true;
+ }
+
+ return false;
+}
+
bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
{
const DATA_BLOB *application_key;
+ if (session == NULL) {
+ return false;
+ }
+
if (session->conn == NULL) {
return false;
}
@@ -5372,6 +5401,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session,
session->smb1.session_id = session_id;
}
+void smb1cli_session_set_action(struct smbXcli_session *session,
+ uint16_t action)
+{
+ session->smb1.action = action;
+}
+
NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
const DATA_BLOB _session_key)
{
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index ffccd7e..16c8848 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -390,6 +390,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
struct smbXcli_conn *conn);
struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
struct smbXcli_session *src);
+bool smbXcli_session_is_guest(struct smbXcli_session *session);
bool smbXcli_session_is_authenticated(struct smbXcli_session *session);
NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
TALLOC_CTX *mem_ctx,
@@ -398,6 +399,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session);
uint16_t smb1cli_session_current_id(struct smbXcli_session* session);
void smb1cli_session_set_id(struct smbXcli_session* session,
uint16_t session_id);
+void smb1cli_session_set_action(struct smbXcli_session *session,
+ uint16_t action);
NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
const DATA_BLOB _session_key);
NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session);
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 57915d9..e03e843 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -278,6 +278,12 @@ enum smb_signing_setting {
CAP_LARGE_WRITEX | \
0)
+/*
+ * The action flags in the SMB session setup response
+ */
+#define SMB_SETUP_GUEST 0x0001
+#define SMB_SETUP_USE_LANMAN_KEY 0x0002
+
/* Client-side offline caching policy types */
enum csc_policy {
CSC_POLICY_MANUAL=0,
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 6ca1036..17a2bbe 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -200,6 +200,19 @@ sub mk_krb5_conf($$)
forwardable = yes
allow_weak_crypto = yes
+";
+
+ if (defined($ctx->{supported_enctypes})) {
+ print KRB5CONF "
+ default_etypes = $ctx->{supported_enctypes}
+ default_as_etypes = $ctx->{supported_enctypes}
+ default_tgs_enctypes = $ctx->{supported_enctypes}
+ default_tkt_enctypes = $ctx->{supported_enctypes}
+ permitted_enctypes = $ctx->{supported_enctypes}
+";
+ }
+
+ print KRB5CONF "
--
Samba Shared Repository
More information about the samba-cvs
mailing list