[SCM] Samba Shared Repository - branch v4-3-test updated

Stefan Metzmacher metze at samba.org
Fri Apr 29 11:03:04 UTC 2016


The branch, v4-3-test has been updated
       via  b74285d s3:selftest: add smbclient_ntlm tests
       via  c41e187 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
       via  081faaf selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
       via  ad67741 s3:test_smbclient_auth.sh: this script requires 5 arguments
       via  4ed0cba selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
       via  51e4047 auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
       via  cdc3194 auth/spnego: add spnego:simulate_w2k option for testing
       via  d9ffc7e auth/ntlmssp: do map to guest checking after the authentication
       via  74afa66 s3:smbd: only mark real guest sessions with the GUEST flag
       via  9b40c33 s3:smbd: make use of SMB_SETUP_GUEST constant
       via  4b4c1b5 libcli/security: implement SECURITY_GUEST
       via  71b49a4 s3:auth_builtin: anonymous authentication doesn't allow a password
       via  7b7826b s4:auth_anonymous: anonymous authentication doesn't allow a password
       via  ac8db7a auth/spnego: only try to verify the mechListMic if signing was negotiated.
       via  0e92263 s3:libsmb: use anonymous authentication via spnego if possible
       via  8df7d7d s3:libsmb: don't finish the gensec handshake for guest logins
       via  5d6e840 s3:libsmb: record the session setup action flags
       via  eeb8510 libcli/smb: add smbXcli_session_is_guest() helper function
       via  8373d89 libcli/smb: add SMB1 session setup action flags
       via  97368ad libcli/smb: add smb1cli_session_set_action() helper function
       via  f22870c libcli/smb: fix NULL pointer dereference in smbXcli_session_is_authenticated().
       via  70d8727 s3:libsmb: use password = NULL for anonymous connections
       via  1fbce2f auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
       via  bde57cb auth/ntlmssp: don't require any flags in the ccache_resume code
       via  37cc6b5 auth/spnego: handle broken mechListMIC response from Windows 2000
       via  5593c60 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
       via  66c2db4 s3:librpc:crypto:gse: increase debug level for gse_init_client().
       via  73f52ae lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
       via  33f1e55 s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
       via  4c46c54 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
       via  c7e2669 Mask general purpose signals for notifyd.
      from  180cdd7 WHATSNEW: Start release notes for Samba 4.3.9.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test


- Log -----------------------------------------------------------------
commit b74285d759d133a91cd84d3bfe115e01b09bbc92
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 25 16:12:47 2016 +0200

    s3:selftest: add smbclient_ntlm tests
    
    We test all combinations of NT1 with and without spnego and SMB3
    for user, anonymous and guest authentication.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Apr 28 20:16:45 CEST 2016 on sn-devel-144
    
    (cherry picked from commit eee88e07b3e68efb467b390536eea4155b5ced7e)
    
    Autobuild-User(v4-3-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-3-test): Fri Apr 29 13:02:37 CEST 2016 on sn-devel-104

commit c41e18744b6c78510e4e867cfdd5cc51e8aca5e3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 25 16:02:22 2016 +0200

    selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 4de43387235cb17a185fdd1afd658972e8c174ef)

commit 081faaf0717eaa571a547b79a820ee7a95a96df3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 27 01:00:14 2016 +0200

    selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 587b5db7979c1ca1055f5bfd81ab79606cd3c2dd)

commit ad6774118805e45947ee0cb2ffbc3b4a33c0ff21
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 26 11:33:52 2016 +0200

    s3:test_smbclient_auth.sh: this script requires 5 arguments
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 70910334caa176bf98fece7d638ed599979dc173)

commit 4ed0cba706db91afa26c80d8ac56d0165483a6ef
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 26 08:50:00 2016 +0200

    selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit b8055cb42cadf48367867213a35635f3391c9b8d)

commit 51e404771d3a5a3482b6ebcf314bc50f96578e15
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 25 15:58:27 2016 +0200

    auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 7a2cb2c97611171613fc677a534277839348c56f)

commit cdc31949346b8b7cb19fe864fa1c19187c98c8aa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 25 14:45:55 2016 +0200

    auth/spnego: add spnego:simulate_w2k option for testing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit db9c01a51975a0a3ec2564357617958c2f466091)

commit d9ffc7eedb1e71fb6bdc82fc1b972432cff32921
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 20 18:27:34 2016 +0200

    auth/ntlmssp: do map to guest checking after the authentication
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit d667520568996471b55007a42b503edbabb1eee0)

commit 74afa66799f821f8947bf69bf5a260b1e9d6f43a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 20 16:34:28 2016 +0200

    s3:smbd: only mark real guest sessions with the GUEST flag
    
    Real anonymous sessions don't get it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (similar to commit 79a71545bfc87525c6ba6c8fe9fa7d8a9da33441)

commit 9b40c33ffe8f301ba374a3663624bcd9c8452b95
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 18 17:36:56 2016 +0200

    s3:smbd: make use of SMB_SETUP_GUEST constant
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 25ce97892ad3ce5028e4dbbbdd844ef6619ac396)

commit 4b4c1b56c9e195fa3aca6bfebb2ab0c346d683b9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 20 16:29:42 2016 +0200

    libcli/security: implement SECURITY_GUEST
    
    SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 837e6176329330893d5a1e4ce4ac67dbac758e56)

commit 71b49a4d86ff14f28231821bdc66c6f6eaf103a4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 27 01:48:32 2016 +0200

    s3:auth_builtin: anonymous authentication doesn't allow a password
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit ead483b0c0ec746c0869162024c97f2e08df7f4b)

commit 7b7826b2298b9e2a8d8673dc09916759a117b659
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 27 01:44:56 2016 +0200

    s4:auth_anonymous: anonymous authentication doesn't allow a password
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit d247dceaaab24b568425f2360e40f5e91be452cc)

commit ac8db7a20cda3b8e3903213118eb467a691bc8ea
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 22 10:04:38 2016 +0200

    auth/spnego: only try to verify the mechListMic if signing was negotiated.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e)

commit 0e922638a29529e00a6a315e2a14c74d11d7dac0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 19 07:33:03 2016 +0200

    s3:libsmb: use anonymous authentication via spnego if possible
    
    This makes the authentication consistent between
    SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
    and SMB2.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit e72ad193a53e20b769f798d02c0610f91859bd38)

commit 8df7d7d183d04f46d98a5d45b3c74d8169b7a834
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 19 07:20:28 2016 +0200

    s3:libsmb: don't finish the gensec handshake for guest logins
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit fa5799207e55ee8e329f36f784d027845eaf0e34)

commit 5d6e840f60d6579a251e7cac01d1ec50e054ffc4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 19 07:19:19 2016 +0200

    s3:libsmb: record the session setup action flags
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 02c902103521e5a2b1d221db83e6c59d0ce31099)

commit eeb85100076833f60f4cd066e7df7139054e5071
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 18 17:38:46 2016 +0200

    libcli/smb: add smbXcli_session_is_guest() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 8f4a4bec089b46bbeb0e0f37bb682acb88702bf2)

commit 8373d890036475ae594ae1d8e23b273e221c30eb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 18 17:34:21 2016 +0200

    libcli/smb: add SMB1 session setup action flags
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit cceaa61cf064926baca6db4b303d34ea90d40d52)

commit 97368ad80e84e0b68152d57180484c3fbde5ccc1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 18 17:33:11 2016 +0200

    libcli/smb: add smb1cli_session_set_action() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit e6f9e176f2bb0e3e7451ac58e84ff55328219fcd)

commit f22870c8c052a36fdfb1e15a3e90c521676e1ac7
Author: Günther Deschner <gd at samba.org>
Date:   Wed Apr 20 20:09:53 2016 +0200

    libcli/smb: fix NULL pointer dereference in smbXcli_session_is_authenticated().
    
    Guenther
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 8e016ffeb01167bb8dec66cf9e4bc8605461c15a)

commit 70d8727403ef812f1caffea89b3ee06ee61b717e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 19 07:31:50 2016 +0200

    s3:libsmb: use password = NULL for anonymous connections
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 53be47410236ef7c90fe895f49f300e3fe47a8bf)

commit 1fbce2f3cefed31cdf1caec11d27533b96ae55fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 20 18:44:21 2016 +0200

    auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
    
    Enforcement of SMB signing is done at the SMB layer.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit d97b347d041f9b5c0aa71f35526cbefd56f3500b)

commit bde57cba8a22a135027144cfb101e964f600a0e5
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 20 18:44:21 2016 +0200

    auth/ntlmssp: don't require any flags in the ccache_resume code
    
    ntlmssp_client_challenge() already checks for required flags
    before asking winbindd.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 5041adb6657596399049a33e6a739a040b4df0db)

commit 37cc6b55cd1bc3b35ddd3c2a7f2497dd1337f55d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Apr 23 05:17:25 2016 +0200

    auth/spnego: handle broken mechListMIC response from Windows 2000
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 032c2733dea834e2c95178cdd0deb73e7bb13621)

commit 5593c60f9aa7a0bc99414cdd6b96fbd9f1fcaf32
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 28 12:26:16 2016 +0200

    auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 9930bd17f2d39e4be1e125f83f7de489a94ea1d1)

commit 66c2db4c29c3fab2d057b9610fb4497877da80fc
Author: Günther Deschner <gd at samba.org>
Date:   Thu Apr 28 12:58:33 2016 +0200

    s3:librpc:crypto:gse: increase debug level for gse_init_client().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit b6595037f3fcaafb957d9c08edfb89c72cded987)

commit 73f52ae6080fd918e5a5faf81513176d929f341c
Author: Günther Deschner <gd at samba.org>
Date:   Thu Apr 28 12:58:10 2016 +0200

    lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
    
    Guenther
    
    Signed-off-by: Guenther Deschner <gd at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 95b8b020626ba58a77a21e3da804bac2f0cf90b1)

commit 33f1e5512f16ad77bcf8364bdfbdb70ae5906c7b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 22 16:31:55 2016 +0200

    s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 795e796658e6da0149c9c00ece7cca4ccc457717)

commit 4c46c54625aad2fb699af2db907f6ca2e69bb992
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 22 16:18:24 2016 +0200

    s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Günther Deschner <gd at samba.org>
    (cherry picked from commit 8704958fb3b212b401a8e7d94fdd9c627adbde0d)

commit c7e26693ecbce777a51056bb9a80e863e952b2b8
Author: Hemanth Thummala <hemanth.thummala at nutanix.com>
Date:   Thu Apr 14 13:09:37 2016 -0700

    Mask general purpose signals for notifyd.
    
    Currently there is no signal handling available for the notify daemon.
    Signals like SIGHUP and SIGUSR1 can lead to termination of the notify
    daemon. Masking these signals for notifyd as we are not handling them.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11840
    
    Signed-off-by: Hemanth Thummala <hemanth.thummala at nutanix.com>
    Reviewed-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Fri Apr 15 15:31:19 CEST 2016 on sn-devel-144
    
    (cherry picked from commit cade673f5fff8a578b8620149688ecc93e981205)

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c                        | 66 +++++++++++++++++----
 auth/ntlmssp/gensec_ntlmssp_server.c        | 15 ++---
 auth/ntlmssp/ntlmssp_client.c               | 15 ++---
 auth/ntlmssp/ntlmssp_server.c               | 40 +++++++++++++
 lib/krb5_wrap/krb5_samba.c                  |  4 +-
 libcli/security/security_token.c            |  5 ++
 libcli/security/security_token.h            |  2 +
 libcli/security/session.c                   |  4 ++
 libcli/security/session.h                   |  1 +
 libcli/smb/smbXcli_base.c                   | 35 +++++++++++
 libcli/smb/smbXcli_base.h                   |  3 +
 libcli/smb/smb_constants.h                  |  6 ++
 selftest/target/Samba.pm                    | 13 ++++
 selftest/target/Samba4.pm                   | 23 +++++++-
 source3/auth/auth_builtin.c                 | 47 ++++++++++++---
 source3/libads/sasl.c                       |  4 +-
 source3/librpc/crypto/gse.c                 |  2 +-
 source3/libsmb/cliconnect.c                 | 92 +++++++++++++++++++++--------
 source3/script/tests/test_smbclient_auth.sh |  2 +-
 source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++
 source3/selftest/tests.py                   |  4 +-
 source3/smbd/notifyd/notifyd.c              |  4 ++
 source3/smbd/sesssetup.c                    | 12 ++--
 source3/smbd/smb2_sesssetup.c               |  7 ++-
 source4/auth/gensec/gensec_tstream.c        |  6 +-
 source4/auth/ntlm/auth_anonymous.c          | 30 ++++++++++
 26 files changed, 403 insertions(+), 79 deletions(-)
 create mode 100755 source3/script/tests/test_smbclient_ntlm.sh


Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1d4b172..6a82b5f 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
 	bool needs_mic_check;
 	bool done_mic_check;
 
+	bool simulate_w2k;
+
 	/*
 	 * The following is used to implement
 	 * the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
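Review bot: the `spnego:simulate_w2k` lookup in gensec_spnego_server_start() (and the identical one in gensec_spnego_client_start() above) is honoured in any build, and later hunks use it to force `have_sign = false`, which skips mechListMIC verification. Since the commit message says it is for testing only, a comment at the lookup stating that, plus a DEBUG line when it is enabled, would make an accidental production use of the option visible in the logs.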
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 	talloc_free(spnego_state->sub_sec_security);
 	spnego_state->sub_sec_security = NULL;
 
-	DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
+	DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
 	return nt_status;
 }
 
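Review bot: the DEBUG call in gensec_spnego_create_negTokenInit() drops from level 1 to 10 for every `nt_status`, while the commit subject only talks about the NT_STATUS_INTERNAL_ERROR case. Consider keeping a lower level for other status codes (for example selecting the level from `nt_status`) so that unexpected failures to build the negTokenInit are still visible without running at debug level 10.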
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 								     spnego.negTokenInit.mechToken, 
 								     &unwrapped_out);
 
+			if (spnego_state->simulate_w2k) {
+				/*
+				 * Windows 2000 returns the unwrapped token
+				 * also in the mech_list_mic field.
+				 *
+				 * In order to verify our client code,
+				 * we need a way to have a server with this
+				 * broken behaviour
+				 */
+				mech_list_mic = unwrapped_out;
+			}
+
 			nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
 								      out_mem_ctx,
 								      nt_status,
 								      unwrapped_out,
-								      null_data_blob,
+								      mech_list_mic,
 								      out);
 
 			spnego_free_data(&spnego);
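Review bot: the call to gensec_spnego_server_negTokenTarg() now passes `mech_list_mic` instead of `null_data_blob`, but the declaration and initial value of `mech_list_mic` are outside this hunk. Please confirm it is still an empty blob on this path when `simulate_w2k` is false, otherwise the non-test case would start sending a mechListMIC where it previously sent none. Also note that `mech_list_mic = unwrapped_out;` aliases the same buffer, so nothing may free one of the two blobs independently.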
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 	case SPNEGO_SERVER_TARG:
 	{
 		NTSTATUS nt_status;
+		bool have_sign = true;
 		bool new_spnego = false;
 
 		if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			goto server_response;
 		}
 
+		have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+						GENSEC_FEATURE_SIGN);
+		if (spnego_state->simulate_w2k) {
+			have_sign = false;
+		}
 		new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 						 GENSEC_FEATURE_NEW_SPNEGO);
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			new_spnego = true;
 		}
 
-		if (new_spnego) {
+		if (have_sign && new_spnego) {
 			spnego_state->needs_mic_check = true;
 			spnego_state->needs_mic_sign = true;
 		}
 
-		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+		if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 							spnego_state->mech_types.data,
 							spnego_state->mech_types.length,
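Review bot: with `if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0)` a non-empty mechListMIC from the peer is now ignored silently whenever signing was not negotiated. A DEBUG message on that skipped path, saying the MIC was present but not verified because GENSEC_FEATURE_SIGN is missing, would help when someone later has to tell a legitimate old peer apart from a negotiation that lost its signing flag.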
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		}
 
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+			DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+			const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+			/*
+			 * Windows 2000 has a bug, it repeats the
+			 * responseToken in the mechListMIC field.
+			 */
+			if (m->length == r->length) {
+				int cmp;
+
+				cmp = memcmp(m->data, r->data, m->length);
+				if (cmp == 0) {
+					data_blob_free(m);
+				}
+			}
+		}
+
+		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			if (spnego_state->no_response_expected) {
 				spnego_state->needs_mic_check = true;
 			}
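Review bot: the workaround at `if (m->length == r->length)` discards the mechListMIC for any peer whose MIC happens to equal the responseToken, not only for Windows 2000, and the second `if (spnego.negTokenTarg.mechListMIC.length > 0)` only works because data_blob_free() resets the length to zero. Both facts deserve a sentence in the comment; the two nested conditions could also be folded into one `if` with the memcmp() inline, which would remove the `cmp` temporary.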
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		if (spnego_state->no_response_expected &&
 		    !spnego_state->done_mic_check)
 		{
+			bool have_sign = true;
 			bool new_spnego = false;
 
+			have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+							GENSEC_FEATURE_SIGN);
+			if (spnego_state->simulate_w2k) {
+				have_sign = false;
+			}
 			new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 							 GENSEC_FEATURE_NEW_SPNEGO);
 
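Review bot: this `have_sign` computation, including the `simulate_w2k` override, is a copy of the one added in the SPNEGO_SERVER_TARG case. A small static helper taking `spnego_state` and returning the effective value would keep the client and server paths from drifting apart if the test override or the feature check changes later.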
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			}
 
 			if (spnego_state->mic_requested) {
-				bool sign;
-
-				sign = gensec_have_feature(spnego_state->sub_sec_security,
-							   GENSEC_FEATURE_SIGN);
-				if (sign) {
+				if (have_sign) {
 					new_spnego = true;
 				}
 			}
 
-			if (new_spnego) {
+			if (have_sign && new_spnego) {
 				spnego_state->needs_mic_check = true;
 				spnego_state->needs_mic_sign = true;
 			}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 6147b14..08a8c8f 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -130,20 +130,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 		ntlmssp_state->allow_lm_key = true;
 	}
 
-	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
-		/*
-		 * map to guest is not secure anyway, so
-		 * try to make it work and don't try to
-		 * negotiate new_spnego and MIC checking
-		 */
-		ntlmssp_state->force_old_spnego = true;
-	}
+	ntlmssp_state->force_old_spnego = false;
 
-	if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
 		/*
-		 * map to guest is not supported on an AD DC.
+		 * For testing Windows 2000 mode
 		 */
-		ntlmssp_state->force_old_spnego = false;
+		ntlmssp_state->force_old_spnego = true;
 	}
 
 	ntlmssp_state->neg_flags =
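Review bot: after removing the `role == ROLE_ACTIVE_DIRECTORY_DC` branch, please check whether `role` is still used in gensec_ntlmssp_server_start(); if not, the variable and its assignment should go as well to avoid an unused-variable warning. The assignment of `false` followed by an `if` that sets `true` could be a single `ntlmssp_state->force_old_spnego = gensec_setting_bool(...)`, which is how the client side in ntlmssp_client.c does it, and the comment should say explicitly that `ntlmssp_server:force_old_spnego` is a test-only option.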
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
 		gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
 		gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 	}
 
-	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 	ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+	ntlmssp_state->required_flags = 0;
 
 	if (DEBUGLEVEL >= 10) {
 		struct NEGOTIATE_MESSAGE *negotiate = talloc(
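Review bot: `ntlmssp_state->required_flags = 0;` in gensec_ntlmssp_resume_ccache() removes the local enforcement of SIGN and SEAL, and the reason (ntlmssp_client_challenge() already checks the required flags before asking winbindd) is only given in the commit message. Please put that invariant in a comment next to the assignment, so that a later change to the challenge path does not leave this code without any flag enforcement unnoticed.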
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 
 	ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
 
+	ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+						"ntlmssp_client", "force_old_spnego", false);
+
 	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 
 	ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 		 * Without this, Windows will not create the master key
 		 * that it thinks is only used for NTLMSSP signing and
 		 * sealing.  (It is actually pulled out and used directly)
+		 *
+		 * We don't require this here as some servers (e.g. NetAPP)
+		 * doesn't support this.
 		 */
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
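Review bot: the added comment text "some servers (e.g. NetAPP) doesn't support this" should read "don't support this", and the existing sentence "Without this, Windows will not create the master key" now describes a flag that is only requested via `neg_flags`, no longer required. It would help to state in the comment what happens when the server does not return NTLMSSP_NEGOTIATE_SIGN here, and that enforcement of signing is left to the SMB layer as the commit message says.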
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
 
 /**
  * Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 	struct auth4_context *auth_context = gensec_security->auth_context;
 	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+	struct auth_session_info *session_info = NULL;
 	struct auth_usersupplied_info *user_info;
 
 	user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
+	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+	    && auth_context->generate_session_info != NULL)
+	{
+		NTSTATUS tmp_status;
+
+		/*
+		 * We need to check if the auth is anonymous or mapped to guest
+		 */
+		tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+								 gensec_ntlmssp->server_returned_info,
+								 gensec_ntlmssp->ntlmssp_state->user,
+								 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+								 &session_info);
+		if (!NT_STATUS_IS_OK(tmp_status)) {
+			/*
+			 * We don't care about failures,
+			 * the worst result is that we try MIC checking
+			 * for a map to guest authentication.
+			 */
+			TALLOC_FREE(session_info);
+		}
+	}
+
+	if (session_info != NULL) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+			/*
+			 * Anonymous and GUEST are not secure anyway.
+			 * avoid new_spnego and MIC checking.
+			 */
+			ntlmssp_state->new_spnego = false;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+		}
+		TALLOC_FREE(session_info);
+	}
+
 	talloc_steal(mem_ctx, user_session_key->data);
 	talloc_steal(mem_ctx, lm_session_key->data);
 
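Review bot: The guard `lpcfg_map_to_guest(...) != NEVER_MAP_TO_GUEST` at the top of the added block means `generate_session_info()` is never called when map to guest is disabled, yet the comment inside says the check is for "anonymous or mapped to guest". If anonymous logons are kept away from the MIC check somewhere else, the comment should say where; otherwise the anonymous case is only covered when map to guest is enabled. In the failure branch `tmp_status` is dropped silently. Falling back to MIC checking is the strict choice, so the behaviour is fine, but a low-level DEBUG line with `nt_errstr(tmp_status)` would make a failing `generate_session_info()` diagnosable.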
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 22975c1..652e811 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2388,12 +2388,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
 		"Trying to read krb5 cache: %s\n",
 		krb5_cc_default_name(ctx)));
 	if (krb5_cc_default(ctx, &cc)) {
-		DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
 			"failed to read default cache\n"));
 		goto out;
 	}
 	if (krb5_cc_get_principal(ctx, cc, &princ)) {
-		DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
 			"failed to get default principal\n"));
 		goto out;
 	}
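Review bot: Both changed DEBUG lines still print the prefix `kerberos_get_default_realm_from_ccache`, while the hunk header shows the function is named `smb_krb5_get_default_realm_from_ccache`. Since the lines are being touched anyway, use `__func__` or the current name so the log can be matched to the code. With the level lowered from 0 to 5, a failure to read the default ccache or its principal no longer shows up at the default log level, so the reason these failures are expected deserves a sentence in the commit message.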
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 6812d42..2e5a87b 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha
 	return ret;
 }
 
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+	return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
 bool security_token_has_builtin_administrators(const struct security_token *token)
 {
 	return security_token_has_sid(token, &global_sid_Builtin_Administrators);
diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
index b8ca990..5c5b30b 100644
--- a/libcli/security/security_token.h
+++ b/libcli/security/security_token.h
@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
 
 bool security_token_has_sid_string(const struct security_token *token, const char *sid_string);
 
+bool security_token_has_builtin_guests(const struct security_token *token);
+
 bool security_token_has_builtin_administrators(const struct security_token *token);
 
 bool security_token_has_nt_authenticated_users(const struct security_token *token);
diff --git a/libcli/security/session.c b/libcli/security/session.c
index 0c32556..0fbb87d 100644
--- a/libcli/security/session.c
+++ b/libcli/security/session.c
@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 		return SECURITY_ANONYMOUS;
 	}
 
+	if (security_token_has_builtin_guests(session_info->security_token)) {
+		return SECURITY_GUEST;
+	}
+
 	if (security_token_has_builtin_administrators(session_info->security_token)) {
 		return SECURITY_ADMINISTRATOR;
 	}
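Review bot: The new Builtin Guests test is placed ahead of the Builtin Administrators test, so a token that carries both SIDs is reported as SECURITY_GUEST and never reaches the administrator check. That is the conservative result, but it depends entirely on the order of the `if` blocks. Add a one-line comment above the guest check stating that it must stay before the privilege checks, so a later reordering does not silently raise the level of such tokens.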
diff --git a/libcli/security/session.h b/libcli/security/session.h
index ee9187d..31e950e 100644
--- a/libcli/security/session.h
+++ b/libcli/security/session.h
@@ -24,6 +24,7 @@
 
 enum security_user_level {
 	SECURITY_ANONYMOUS            = 0,
+	SECURITY_GUEST                = 1,
 	SECURITY_USER                 = 10,
 	SECURITY_RO_DOMAIN_CONTROLLER = 20,
 	SECURITY_DOMAIN_CONTROLLER    = 30,
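Review bot: `SECURITY_GUEST = 1` is added between `SECURITY_ANONYMOUS` (0) and `SECURITY_USER` (10) without any comment on what it means. Callers that test `> SECURITY_ANONYMOUS` or `!= SECURITY_ANONYMOUS` will treat a guest session as passing, whereas the ntlmssp_server.c hunk in this same diff compares against `SECURITY_USER`. A short comment on the enum saying that every level below `SECURITY_USER` is unauthenticated would steer callers to the right comparison.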
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 14b5992..419a2c0 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -167,6 +167,7 @@ struct smbXcli_session {
 
 	struct {
 		uint16_t session_id;
+		uint16_t action;
 		DATA_BLOB application_key;
 		bool protected_key;
 	} smb1;
@@ -5302,10 +5303,38 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
 	return session;
 }
 
+bool smbXcli_session_is_guest(struct smbXcli_session *session)
+{
+	if (session == NULL) {
+		return false;
+	}
+
+	if (session->conn == NULL) {
+		return false;
+	}
+
+	if (session->conn->protocol >= PROTOCOL_SMB2_02) {
+		if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+			return true;
+		}
+		return false;
+	}
+
+	if (session->smb1.action & SMB_SETUP_GUEST) {
+		return true;
+	}
+
+	return false;
+}
+
 bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
 {
 	const DATA_BLOB *application_key;
 
+	if (session == NULL) {
+		return false;
+	}
+
 	if (session->conn == NULL) {
 		return false;
 	}
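Review bot: In `smbXcli_session_is_guest()` the SMB2 branch dereferences `session->smb2` without a NULL test, although the function guards both `session` and `session->conn`. If `smb2` is always allocated for SMB2 connections, say so in a comment. The SMB1 branch reads `session->smb1.action`, so the function returns false for a guest session until `smb1cli_session_set_action()` has been called; that precondition should be documented above the function. As a style point, each `if (...) { return true; } return false;` pair can be collapsed into a direct return of the flag test.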
@@ -5373,6 +5402,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session,
 	session->smb1.session_id = session_id;
 }
 
+void smb1cli_session_set_action(struct smbXcli_session *session,
+				uint16_t action)
+{
+	session->smb1.action = action;
+}
+
 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
 					 const DATA_BLOB _session_key)
 {
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index e4cfb10..8b9851b 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -390,6 +390,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
 					       struct smbXcli_conn *conn);
 struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
 					       struct smbXcli_session *src);
+bool smbXcli_session_is_guest(struct smbXcli_session *session);
 bool smbXcli_session_is_authenticated(struct smbXcli_session *session);
 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
 					 TALLOC_CTX *mem_ctx,
@@ -398,6 +399,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session);
 uint16_t smb1cli_session_current_id(struct smbXcli_session* session);
 void smb1cli_session_set_id(struct smbXcli_session* session,
 			    uint16_t session_id);
+void smb1cli_session_set_action(struct smbXcli_session *session,
+				uint16_t action);
 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
 					 const DATA_BLOB _session_key);
 NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session);
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 04c9001..48b470e 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -278,6 +278,12 @@ enum smb_signing_setting {
 	CAP_LARGE_WRITEX | \
 	0)
 
+/*
+ * The action flags in the SMB session setup response
+ */
+#define SMB_SETUP_GUEST          0x0001
+#define SMB_SETUP_USE_LANMAN_KEY 0x0002
+
 /* Client-side offline caching policy types */
 enum csc_policy {
 	CSC_POLICY_MANUAL=0,
diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index e87acd3..1921928 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -200,6 +200,19 @@ sub mk_krb5_conf($$)
  forwardable = yes
  allow_weak_crypto = yes
 
+";
+
+        if (defined($ctx->{supported_enctypes})) {
+		print KRB5CONF "
+ default_etypes = $ctx->{supported_enctypes}
+ default_as_etypes = $ctx->{supported_enctypes}
+ default_tgs_enctypes = $ctx->{supported_enctypes}
+ default_tkt_enctypes = $ctx->{supported_enctypes}
+ permitted_enctypes = $ctx->{supported_enctypes}
+";
+	}
+
+	print KRB5CONF "
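Review bot: The added `if (defined($ctx->{supported_enctypes})) {` line is indented with spaces while the lines inside the block use tabs; match the tab indentation used around it. The five keys written to the file mix two spellings: `default_etypes` and `default_as_etypes` on one side, `default_tgs_enctypes`, `default_tkt_enctypes` and `permitted_enctypes` on the other. If this is intentional, to cover the key names read by different Kerberos libraries, add a comment saying so, so nobody normalises the names later.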


-- 
Samba Shared Repository


