[SCM] Samba Shared Repository - branch v4-3-stable updated

Karolin Seeger kseeger at samba.org
Mon May 2 07:55:01 UTC 2016


The branch, v4-3-stable has been updated
       via  8e71328 VERSION: Disable git snapshots for the 4.3.9 release.
       via  0508804 WHATSNEW: Add release date.
       via  8836adc WHATSNEW: Update release notes.
       via  b74285d s3:selftest: add smbclient_ntlm tests
       via  c41e187 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
       via  081faaf selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
       via  ad67741 s3:test_smbclient_auth.sh: this script reqiures 5 arguments
       via  4ed0cba selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
       via  51e4047 auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
       via  cdc3194 auth/spnego: add spnego:simulate_w2k option for testing
       via  d9ffc7e auth/ntlmssp: do map to guest checking after the authentication
       via  74afa66 s3:smbd: only mark real guest sessions with the GUEST flag
       via  9b40c33 s3:smbd: make use SMB_SETUP_GUEST constant
       via  4b4c1b5 libcli/security: implement SECURITY_GUEST
       via  71b49a4 s3:auth_builtin: anonymous authentication doesn't allow a password
       via  7b7826b s4:auth_anonymous: anonymous authentication doesn't allow a password
       via  ac8db7a auth/spnego: only try to verify the mechListMic if signing was negotiated.
       via  0e92263 s3:libsmb: use anonymous authentication via spnego if possible
       via  8df7d7d s3:libsmb: don't finish the gensec handshake for guest logins
       via  5d6e840 s3:libsmb: record the session setup action flags
       via  eeb8510 libcli/smb: add smbXcli_session_is_guest() helper function
       via  8373d89 libcli/smb: add SMB1 session setup action flags
       via  97368ad libcli/smb: add smb1cli_session_set_action() helper function
       via  f22870c libcli/smb: fix NULL pointer derreference in smbXcli_session_is_authenticated().
       via  70d8727 s3:libsmb: use password = NULL for anonymous connections
       via  1fbce2f auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
       via  bde57cb auth/ntlmssp: don't require any flags in the ccache_resume code
       via  37cc6b5 auth/spnego: handle broken mechListMIC response from Windows 2000
       via  5593c60 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
       via  66c2db4 s3:librpc:crypto:gse: increase debug level for gse_init_client().
       via  73f52ae lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
       via  33f1e55 s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
       via  4c46c54 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
       via  c7e2669 Mask general purpose signals for notifyd.
       via  180cdd7 WHATSNEW: Start release notes for Samba 4.3.9.
       via  6eef281 configure: Don't check for inotify on illumos
       via  1050204 nwrap: Fix the build on Solaris
       via  d714633 smbd: Avoid large reads beyond EOF
       via  f8e6523 Fix the smb2_setinfo to handle FS info types and FSQUOTA infolevel
       via  810dca6 libads: record session expiry for spnego sasl binds
       via  9944a5a s3:wscript: pylibsmb depends on pycredentials
       via  8c295c3 libsmb/pysmb: add pytalloc-util dependency to fix the build.
       via  828a9b4 build: mark explicit dependencies on pytalloc-util
       via  b174304 pydsdb: Fix returning of ldb.MessageElement.
       via  e25a6f3 pydsdb: Also accept ldb.MessageElement values to dsdb routines
       via  bf61978 vfs_catia: Fix bug 11827, memleak
       via  63614b5 s3: libsmb: Fix error where short name length was read as 2 bytes, should be 1.
       via  1a9fd08 vfs_acl_common: avoid setting POSIX ACLs if "ignore system acls" is set
       via  a74212b tevent: version 0.9.28
       via  1739d34 lib: tevent: Fix memory leak reported by Pavel Březina <pbrezina at redhat.com> when old signal action restored.
       via  62e1382 tevent: version 0.9.27
       via  2d7ac27 Fix ETIME handling for Solaris event ports.
       via  2fe44e7 tevent: Only set public headers field when installing as a public library.
       via  ad39420 Simplify handling of dependencies on external libraries in test_headers.
       via  ebed8f3 Set LD_LIBRARY_PATH during tests.
       via  2c626fa lib: tevent: Whitespace cleanup.
       via  0cd4ddf lib: tevent: Fix bug in poll backend - poll_event_loop_poll()
       via  8f31190 tevent: version 0.9.26
       via  f4add9a lib: tevent: docs: Add tutorial on thread usage.
       via  60199e2 lib: tevent: tests: Add a second thread test that does request/reply.
       via  d96e00e lib: tevent: Initial test of tevent threaded context code.
       via  fc4d726 lib: tevent: Initial checkin of threaded tevent context calling code.
       via  ec56ef8 libcli/smb: fix BUFFER_OVERFLOW handling in tstream_smbXcli_np
       via  9cf45fe libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb1cli_readx*
       via  91f335b libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_query_info*
       via  cc64ed9 libcli/smb: correctly handle STATUS_BUFFER_OVERFLOW in smb2cli_read*
       via  af6bd5c libcli/smb: make sure we have a body size of 0x31 before dereferencing an ioctl response
       via  cd143a4 VERSION: Bump version up to 4.3.9
       via  5bd1f11 Merge tag 'samba-4.3.8' into v4-3-test
       via  ca09ef7 build: fix build when --without-quota specified
       via  0380ec6 build: fix disk-free quota support on Solaris 10
       via  12c0248 s3:winbindd: don't unclude two '
       via  596a51e smbd: Only check dev/inode in open_directory, not the full stat()
       via  b28fea7 VERSION: Bump version up to 4.3.7...
       via  5c5810e Merge tag 'samba-4.3.6' into v4-3-test
       via  162efbf passdb: add linefeed to debug message
       via  3137519 smbd: ignore SVHDX create context
       via  9e9bc07 winbindd: return trust parameters when listing trusts
       via  708fe69 winbindd: initialize foreign domain as AD based on trust
       via  22aa4d9 winbindd: introduce add_trusted_domain_from_tdc()
       via  7fd2e7f access based share enum: handle permission set in configuration files
       via  e42cd66 s3:libads: setup the msDS-SupportedEncryptionTypes attribute on ldap_add
       via  f37cb21 Real memeory leak(buildup) issue in loadparm.
       via  89b13fe docs: Add example for domain logins to smbspool man page.
       via  80a8453 libcli: Fix debug message, print sid string for new_ace trustee.
       via  150d1f6 VERSION: Bump version up to 4.3.6...
      from  4b4a2bd VERSION: Disable git snapshots for the 4.3.8 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |   2 +-
 WHATSNEW.txt                                       | 122 ++++++-
 auth/gensec/spnego.c                               |  66 +++-
 auth/ntlmssp/gensec_ntlmssp_server.c               |  15 +-
 auth/ntlmssp/ntlmssp_client.c                      |  15 +-
 auth/ntlmssp/ntlmssp_server.c                      |  40 +++
 docs-xml/manpages/smbspool.8.xml                   |   5 +
 lib/krb5_wrap/krb5_samba.c                         |   4 +-
 lib/nss_wrapper/wscript                            |   2 +-
 .../ABI/{tevent-0.9.24.sigs => tevent-0.9.26.sigs} |   2 +
 .../ABI/{tevent-0.9.24.sigs => tevent-0.9.27.sigs} |   2 +
 .../ABI/{tevent-0.9.24.sigs => tevent-0.9.28.sigs} |   2 +
 lib/tevent/doc/tevent_thread.dox                   | 322 ++++++++++++++++++
 lib/tevent/doc/tevent_tutorial.dox                 |   2 +
 lib/tevent/testsuite.c                             | 330 ++++++++++++++++++
 lib/tevent/tevent.h                                |  52 +++
 lib/tevent/tevent_epoll.c                          |   6 +-
 lib/tevent/tevent_poll.c                           |   5 +-
 lib/tevent/tevent_port.c                           |  22 +-
 lib/tevent/tevent_signal.c                         |   4 +
 lib/tevent/tevent_threads.c                        | 370 +++++++++++++++++++++
 lib/tevent/wscript                                 |   9 +-
 libcli/security/secdesc.c                          |   2 +-
 libcli/security/security_token.c                   |   5 +
 libcli/security/security_token.h                   |   2 +
 libcli/security/session.c                          |   4 +
 libcli/security/session.h                          |   1 +
 libcli/smb/smb1cli_read.c                          |  53 ++-
 libcli/smb/smb2cli_ioctl.c                         |  84 ++---
 libcli/smb/smb2cli_query_info.c                    |  24 +-
 libcli/smb/smb2cli_read.c                          |  26 +-
 libcli/smb/smbXcli_base.c                          |  35 ++
 libcli/smb/smbXcli_base.h                          |   3 +
 libcli/smb/smb_constants.h                         |   6 +
 libcli/smb/tstream_smbXcli_np.c                    |  13 +-
 python/samba/dbchecker.py                          |   4 +-
 selftest/target/Samba.pm                           |  13 +
 selftest/target/Samba4.pm                          |  23 +-
 source3/auth/auth_builtin.c                        |  47 ++-
 source3/libads/ldap.c                              |  26 ++
 source3/libads/sasl.c                              |  13 +-
 source3/libnet/libnet_join.c                       |  65 ----
 source3/librpc/crypto/gse.c                        |   2 +-
 source3/libsmb/cliconnect.c                        |  92 +++--
 source3/libsmb/clilist.c                           |   2 +-
 source3/modules/vfs_acl_common.c                   | 147 +++++---
 source3/modules/vfs_catia.c                        |   6 +-
 source3/param/loadparm.c                           |  40 ++-
 source3/passdb/passdb.c                            |   3 +-
 source3/passdb/wscript_build                       |   2 +-
 source3/rpc_server/srvsvc/srv_srvsvc_nt.c          |  17 +-
 source3/script/tests/test_smbclient_auth.sh        |   2 +-
 source3/script/tests/test_smbclient_ntlm.sh        |  40 +++
 source3/selftest/tests.py                          |   4 +-
 source3/smbd/globals.h                             |   7 +
 source3/smbd/notifyd/notifyd.c                     |   4 +
 source3/smbd/open.c                                |  14 +-
 source3/smbd/reply.c                               |  10 +
 source3/smbd/sesssetup.c                           |  12 +-
 source3/smbd/smb2_create.c                         |  15 -
 source3/smbd/smb2_sesssetup.c                      |   7 +-
 source3/smbd/smb2_setinfo.c                        |  18 +
 source3/smbd/trans2.c                              | 143 +++++---
 source3/winbindd/winbindd_misc.c                   |  13 +-
 source3/winbindd/winbindd_util.c                   | 153 ++++++---
 source3/wscript                                    |  35 +-
 source3/wscript_build                              |   5 +-
 source4/auth/gensec/gensec_tstream.c               |   6 +-
 source4/auth/ntlm/auth_anonymous.c                 |  30 ++
 source4/dsdb/pydsdb.c                              | 162 +++++----
 source4/lib/messaging/wscript_build                |   2 +-
 source4/libcli/wscript_build                       |   2 +-
 source4/libnet/wscript_build                       |   2 +-
 source4/ntvfs/sysdep/wscript_configure             |  13 +-
 source4/param/wscript_build                        |   2 +-
 tests/oldquotas.c                                  | 174 ++++++++++
 testsuite/headers/wscript_build                    |  13 +-
 77 files changed, 2540 insertions(+), 507 deletions(-)
 copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.26.sigs} (97%)
 copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.27.sigs} (97%)
 copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.28.sigs} (97%)
 create mode 100644 lib/tevent/doc/tevent_thread.dox
 create mode 100644 lib/tevent/tevent_threads.c
 create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
 create mode 100644 tests/oldquotas.c


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 3339e83..31ec5b1 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 435ae45..4e461bc 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,118 @@
                    =============================
+                   Release Notes for Samba 4.3.9
+                            May 2, 2016
+                   =============================
+
+
+This is the latest stable release of Samba 4.3.
+
+This release fixes some regressions introduced by the last security fixes.
+Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
+bugs addressing these regressions and more information.
+
+
+Changes since 4.3.8:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 11742: lib: tevent: Fix memory leak when old signal action restored.
+   * BUG 11771: lib: tevent: Fix memory leak when old signal action restored.
+   * BUG 11822: s3: libsmb: Fix error where short name length was read as 2
+     bytes, should be 1.
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 11780: smbd: Only check dev/inode in open_directory, not the full
+     stat().
+   * BUG 11789: pydsdb: Fix returning of ldb.MessageElement.
+
+o  Berend De Schouwer <berend.de.schouwer at gmail.com>
+   * BUG 11643: docs: Add example for domain logins to smbspool man page.
+
+o  Günther Deschner <gd at samba.org>
+   * BUG 11789: libsmb/pysmb: Add pytalloc-util dependency to fix the build.
+
+o  Alberto Maria Fiaschi <alberto.fiaschi at estar.toscana.it>
+   * BUG 8093: access based share enum: Handle permission set in configuration
+      files.
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 11816: nwrap: Fix the build on Solaris.
+   * BUG 11827: vfs_catia: Fix memleak.
+   * BUG 11878: smbd: Avoid large reads beyond EOF.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 11622: libcli/smb: Make sure we have a body size of 0x31 before
+     dereferencing an ioctl response.
+   * BUG 11623: libcli/smb: Fix BUFFER_OVERFLOW handling in tstream_smbXcli_np.
+   * BUG 11755: s3:libads: Setup the msDS-SupportedEncryptionTypes attribute on
+     ldap_add.
+   * BUG 11771: tevent: Version 0.9.28. Fix memory leak when old signal action
+     restored.
+   * BUG 11782: s3:winbindd: Don't include two '\0' at the end of the domain
+     list.
+   * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
+   * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public share.
+   * BUG 11847: Only validate MIC if "map to guest" is not being used.
+   * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
+     option for testing.
+   * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
+   * BUG 11858: Allow anonymous smb connections.
+   * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
+   * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
+
+o  Noel Power <noel.power at suse.com>
+   * BUG 11738: libcli: Fix debug message, print sid string for new_ace trustee.
+
+o  Garming Sam <garming at catalyst.net.nz>
+   * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
+
+o  Partha Sarathi <partha at exablox.com>
+   * BUG 11819: Fix the smb2_setinfo to handle FS info types and FSQUOTA
+     infolevel.
+
+o  Jorge Schrauwen <sjorge at blackdot.be>
+   * BUG 11816: configure: Don't check for inotify on illumos.
+
+o  Uri Simchoni <uri at samba.org>
+   * BUG 11691: winbindd: Return trust parameters when listing trusts.
+   * BUG 11753: smbd: Ignore SVHDX create context.
+   * BUG 11763: passdb: Add linefeed to debug message.
+   * BUG 11788: build: Fix disk-free quota support on Solaris 10.
+   * BUG 11798: build: Fix build when '--without-quota' specified.
+   * BUG 11806: vfs_acl_common: Avoid setting POSIX ACLs if "ignore system acls"
+     is set.
+   * BUG 11852: libads: Record session expiry for spnego sasl binds.
+
+o  Hemanth Thummala <hemanth.thummala at nutanix.com>
+   * BUG 11740: Real memory leak(buildup) issue in loadparm.
+   * BUG 11840: Mask general purpose signals for notifyd.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
+                   =============================
                    Release Notes for Samba 4.3.8
                            April 12, 2016
                    =============================
@@ -16,8 +130,9 @@ o  Stefan Metzmacher <metze at samba.org>
    * Bug 11804 - prerequisite backports for the security release on
      April 12th, 2016
 
-Release notes for the original 4.3.7 release follows:
------------------------------------------------------
+
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.3.7
@@ -555,8 +670,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
 
                    =============================
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1d4b172..6a82b5f 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
 	bool needs_mic_check;
 	bool done_mic_check;
 
+	bool simulate_w2k;
+
 	/*
 	 * The following is used to implement
 	 * the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 	talloc_free(spnego_state->sub_sec_security);
 	spnego_state->sub_sec_security = NULL;
 
-	DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
+	DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
 	return nt_status;
 }
 
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 								     spnego.negTokenInit.mechToken, 
 								     &unwrapped_out);
 
+			if (spnego_state->simulate_w2k) {
+				/*
+				 * Windows 2000 returns the unwrapped token
+				 * also in the mech_list_mic field.
+				 *
+				 * In order to verify our client code,
+				 * we need a way to have a server with this
+				 * broken behaviour
+				 */
+				mech_list_mic = unwrapped_out;
+			}
+
 			nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
 								      out_mem_ctx,
 								      nt_status,
 								      unwrapped_out,
-								      null_data_blob,
+								      mech_list_mic,
 								      out);
 
 			spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 	case SPNEGO_SERVER_TARG:
 	{
 		NTSTATUS nt_status;
+		bool have_sign = true;
 		bool new_spnego = false;
 
 		if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			goto server_response;
 		}
 
+		have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+						GENSEC_FEATURE_SIGN);
+		if (spnego_state->simulate_w2k) {
+			have_sign = false;
+		}
 		new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 						 GENSEC_FEATURE_NEW_SPNEGO);
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			new_spnego = true;
 		}
 
-		if (new_spnego) {
+		if (have_sign && new_spnego) {
 			spnego_state->needs_mic_check = true;
 			spnego_state->needs_mic_sign = true;
 		}
 
-		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+		if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 							spnego_state->mech_types.data,
 							spnego_state->mech_types.length,
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		}
 
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+			DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+			const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+			/*
+			 * Windows 2000 has a bug, it repeats the
+			 * responseToken in the mechListMIC field.
+			 */
+			if (m->length == r->length) {
+				int cmp;
+
+				cmp = memcmp(m->data, r->data, m->length);
+				if (cmp == 0) {
+					data_blob_free(m);
+				}
+			}
+		}
+
+		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			if (spnego_state->no_response_expected) {
 				spnego_state->needs_mic_check = true;
 			}
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		if (spnego_state->no_response_expected &&
 		    !spnego_state->done_mic_check)
 		{
+			bool have_sign = true;
 			bool new_spnego = false;
 
+			have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+							GENSEC_FEATURE_SIGN);
+			if (spnego_state->simulate_w2k) {
+				have_sign = false;
+			}
 			new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 							 GENSEC_FEATURE_NEW_SPNEGO);
 
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			}
 
 			if (spnego_state->mic_requested) {
-				bool sign;
-
-				sign = gensec_have_feature(spnego_state->sub_sec_security,
-							   GENSEC_FEATURE_SIGN);
-				if (sign) {
+				if (have_sign) {
 					new_spnego = true;
 				}
 			}
 
-			if (new_spnego) {
+			if (have_sign && new_spnego) {
 				spnego_state->needs_mic_check = true;
 				spnego_state->needs_mic_sign = true;
 			}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 6147b14..08a8c8f 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -130,20 +130,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 		ntlmssp_state->allow_lm_key = true;
 	}
 
-	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
-		/*
-		 * map to guest is not secure anyway, so
-		 * try to make it work and don't try to
-		 * negotiate new_spnego and MIC checking
-		 */
-		ntlmssp_state->force_old_spnego = true;
-	}
+	ntlmssp_state->force_old_spnego = false;
 
-	if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
 		/*
-		 * map to guest is not supported on an AD DC.
+		 * For testing Windows 2000 mode
 		 */
-		ntlmssp_state->force_old_spnego = false;
+		ntlmssp_state->force_old_spnego = true;
 	}
 
 	ntlmssp_state->neg_flags =
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
 		gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
 		gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 	}
 
-	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 	ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+	ntlmssp_state->required_flags = 0;
 
 	if (DEBUGLEVEL >= 10) {
 		struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 
 	ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
 
+	ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+						"ntlmssp_client", "force_old_spnego", false);
+
 	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 
 	ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 		 * Without this, Windows will not create the master key
 		 * that it thinks is only used for NTLMSSP signing and
 		 * sealing.  (It is actually pulled out and used directly)
+		 *
+		 * We don't require this here as some servers (e.g. NetAPP)
+		 * doesn't support this.
 		 */
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
 
 /**
  * Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 	struct auth4_context *auth_context = gensec_security->auth_context;
 	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+	struct auth_session_info *session_info = NULL;
 	struct auth_usersupplied_info *user_info;
 
 	user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
+	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+	    && auth_context->generate_session_info != NULL)
+	{
+		NTSTATUS tmp_status;
+
+		/*
+		 * We need to check if the auth is anonymous or mapped to guest
+		 */
+		tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+								 gensec_ntlmssp->server_returned_info,
+								 gensec_ntlmssp->ntlmssp_state->user,
+								 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+								 &session_info);
+		if (!NT_STATUS_IS_OK(tmp_status)) {
+			/*
+			 * We don't care about failures,
+			 * the worst result is that we try MIC checking
+			 * for a map to guest authentication.
+			 */
+			TALLOC_FREE(session_info);
+		}
+	}
+
+	if (session_info != NULL) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+			/*
+			 * Anonymous and GUEST are not secure anyway.
+			 * avoid new_spnego and MIC checking.
+			 */
+			ntlmssp_state->new_spnego = false;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+		}
+		TALLOC_FREE(session_info);
+	}
+
 	talloc_steal(mem_ctx, user_session_key->data);
 	talloc_steal(mem_ctx, lm_session_key->data);
 
diff --git a/docs-xml/manpages/smbspool.8.xml b/docs-xml/manpages/smbspool.8.xml
index 2f2de08..5d619c4 100644
--- a/docs-xml/manpages/smbspool.8.xml
+++ b/docs-xml/manpages/smbspool.8.xml
@@ -50,6 +50,7 @@
 		<listitem><para>smb://server[:port]/printer</para></listitem>
 		<listitem><para>smb://workgroup/server[:port]/printer</para></listitem>
 		<listitem><para>smb://username:password@server[:port]/printer</para></listitem>
+		<listitem><para>smb://domain\username:password@server[:port]/printer</para></listitem>
 		<listitem><para>smb://username:password@workgroup/server[:port]/printer</para></listitem>
 	</itemizedlist>
 
@@ -62,6 +63,10 @@
 	pass the URI in argv[0], while shell scripts must set the 
 	<envar>DEVICE_URI</envar> environment variable prior to
 	running smbspool.</para>
+
+	<para>smbspool will accept URI escaped characters.  This allows setting
+	a domain in the username, or space in the printer name. For example
+	smb://domain%5Cusername/printer%20name</para>
 </refsect1>
 
 <refsect1>
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 22975c1..652e811 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2388,12 +2388,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
 		"Trying to read krb5 cache: %s\n",
 		krb5_cc_default_name(ctx)));
 	if (krb5_cc_default(ctx, &cc)) {
-		DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
 			"failed to read default cache\n"));
 		goto out;
 	}
 	if (krb5_cc_get_principal(ctx, cc, &princ)) {
-		DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
 			"failed to get default principal\n"));


-- 
Samba Shared Repository



More information about the samba-cvs mailing list