[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed May 16 01:27:02 UTC 2018


The branch, master has been updated
       via  c7a3ce9 auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
       via  fc1c5bd s4:selftest: run test_ldb_simple.sh with more auth options
       via  7f2bebf auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
      from  5ebe318 selftest: Make setexpiry test much more reliable

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon May 7 14:50:27 2018 +0200

    auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
    
    This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
    error messages, which were generated if the client only sends
    NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
    connection.
    
    This fixes a regression in the combination of commits
    77adac8c3cd2f7419894d18db735782c9646a202 and
    3a0b835408a6efa339e8b34333906bfe3aacd6e3.
    
    We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
    of the authentication (as a server, while we already
    do so at the beginning as a client).
    
    As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
    (as an internal flag) in order to let us work like
    Windows when using NTLMSSP for LDAP. Even if only signing is
    negotiated during the authentication the following PDUs
    will still be encrypted if NTLMSSP is used. This is exactly the
    same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
    I guess it's a bug in Windows, but we have to reimplement that
    bug. Note this only applies to NTLMSSP and only to LDAP!
    Signing-only works fine for LDAP with Kerberos
    or DCERPC and NTLMSSP.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
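
The commit message above describes a protocol quirk rather than showing it: over LDAP, an NTLMSSP peer that negotiated only NTLMSSP_NEGOTIATE_SIGN still seals the following PDUs, and a peer that does not know this will reject every signed packet. The following Python model is an added illustration, not Samba code and not from the commit; the message layout and flag values are from MS-NLMP, the option name ntlmssp_client:ldap_style_send_seal is the one introduced by the patch, and the function names, the constructed NEGOTIATE_MESSAGE blob, and the simplification that the server simply echoes the client's flags are assumptions made here. It parses a NEGOTIATE_MESSAGE, computes the wrap mode each side will use, and shows why the client defaults to also demanding SEAL.

```python
"""Model of the NTLMSSP "LDAP style" sign/seal decision (added example).

Not Samba code: flag values and message layout follow MS-NLMP; the
decision logic mirrors the behaviour the commit message describes
(SIGN-only over LDAP still seals).  Function names, the sample blob and
the flattened negotiation are constructed for this illustration.
"""
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000      # extended session security
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_MSG = 1                 # MessageType of NEGOTIATE_MESSAGE


def build_negotiate(flags: int) -> bytes:
    """Minimal 32-byte NEGOTIATE_MESSAGE with empty Domain/Workstation
    fields (constructed sample input, no Version block)."""
    return (NTLMSSP_SIGNATURE
            + struct.pack("<II", NTLMSSP_NEGOTIATE_MSG, flags)
            + struct.pack("<HHI", 0, 0, 32)   # DomainNameFields
            + struct.pack("<HHI", 0, 0, 32))  # WorkstationFields


def parse_negotiate_flags(blob: bytes) -> int:
    """Return NegotiateFlags from a NEGOTIATE_MESSAGE, rejecting anything
    that is not a type-1 NTLMSSP message."""
    if len(blob) < 16 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", blob, 8)
    if msg_type != NTLMSSP_NEGOTIATE_MSG:
        raise ValueError("expected NEGOTIATE_MESSAGE, got type %d" % msg_type)
    return flags


def client_required_flags(ldap_style: bool, ldap_style_send_seal: bool = True) -> int:
    """Flags a signing client insists on.  Over LDAP it also demands SEAL
    unless ntlmssp_client:ldap_style_send_seal=no, so that servers which
    never learned the LDAP-style quirk still end up sealing."""
    required = NTLMSSP_NEGOTIATE_SIGN
    if ldap_style and ldap_style_send_seal:
        required |= NTLMSSP_NEGOTIATE_SEAL
    return required


def wrap_mode(neg_flags: int, ldap_style: bool) -> str:
    """Wrap mode a peer applies to PDUs once authentication has finished.
    Decided from the *negotiated* flags, i.e. at the end of the exchange,
    which is where the server-side fix moves the evaluation."""
    if neg_flags & NTLMSSP_NEGOTIATE_SEAL:
        return "seal"
    if neg_flags & NTLMSSP_NEGOTIATE_SIGN:
        # The Windows quirk: SIGN-only over LDAP is treated as SEAL.
        return "seal" if ldap_style else "sign"
    return "none"


def exchange(client_flags: int, server_ldap_aware: bool) -> dict:
    """Simulate one NTLMSSP-over-LDAP authentication.  Assumption: the
    server accepts the client's flags unchanged.  The client always knows
    the LDAP quirk; the server may be an old build that does not.  A mode
    mismatch is the "NTLM2 packet check failed due to invalid signature!"
    symptom from the bug report."""
    negotiated = parse_negotiate_flags(build_negotiate(client_flags))
    client_mode = wrap_mode(negotiated, ldap_style=True)
    server_mode = wrap_mode(negotiated, ldap_style=server_ldap_aware)
    return {"client": client_mode, "server": server_mode,
            "ok": client_mode == server_mode}


if __name__ == "__main__":
    for send_seal in (True, False):
        flags = client_required_flags(ldap_style=True,
                                      ldap_style_send_seal=send_seal)
        for aware in (True, False):
            print("send_seal=%-5s server_ldap_aware=%-5s -> %s"
                  % (send_seal, aware, exchange(flags, aware)))
```

Running it shows the one losing combination: a client configured with ldap_style_send_seal=no talking to a server that does not apply the LDAP-style rule, which is exactly the client the new selftest variant `-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no` creates to expose the server regression.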

commit fc1c5bd3be2c3f90eab2f31e43cf053f7ff13782
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 9 13:33:05 2018 +0200

    s4:selftest: run test_ldb_simple.sh with more auth options
    
    This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE
    handling in our LDAP server.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed May 9 13:30:13 2018 +0200

    auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
    
    This will be used to simulate a Windows client only
    using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL
    on an LDAP connection, which is indicated internally by
    GENSEC_FEATURE_LDAP_STYLE.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/ntlmssp/gensec_ntlmssp_server.c | 19 -------------------
 auth/ntlmssp/ntlmssp_client.c        | 24 +++++++++++++++++-------
 auth/ntlmssp/ntlmssp_server.c        |  8 ++++++++
 source4/selftest/tests.py            |  7 +++++++
 4 files changed, 32 insertions(+), 26 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index c0e6cff..ab92f4d 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
 
-	if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-	}
-	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-
-		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
-			/*
-			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
-			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
-			 * is requested.
-			 */
-			ntlmssp_state->force_wrap_seal = true;
-		}
-	}
-	if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
-	}
 
 	if (role == ROLE_STANDALONE) {
 		ntlmssp_state->server.is_standalone = true;
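Review bot: dropping this whole block from gensec_ntlmssp_server_start removes the early, want_features-driven `force_wrap_seal = true`, which is the intended change (the server can only judge GENSEC_FEATURE_LDAP_STYLE against the flags actually negotiated, so the decision belongs at the end of authentication); the GENSEC_FEATURE_SESSION_KEY/SIGN/SEAL branches that go with it were already dead, since `neg_flags |= NTLMSSP_NEGOTIATE_SIGN` and `neg_flags |= NTLMSSP_NEGOTIATE_SEAL` are set unconditionally two lines above. Style: the deletion leaves two consecutive blank lines before `if (role == ROLE_STANDALONE) {`; drop one.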
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 7dcf235..ab406a2 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -869,13 +869,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 			 * is requested.
 			 */
 			ntlmssp_state->force_wrap_seal = true;
-			/*
-			 * We want also work against old Samba servers
-			 * which didn't had GENSEC_FEATURE_LDAP_STYLE
-			 * we negotiate SEAL too. We may remove this
-			 * in a few years. As all servers should have
-			 * GENSEC_FEATURE_LDAP_STYLE by then.
-			 */
+		}
+	}
+	if (ntlmssp_state->force_wrap_seal) {
+		bool ret;
+
+		/*
+		 * We want also work against old Samba servers
+		 * which didn't had GENSEC_FEATURE_LDAP_STYLE
+		 * we negotiate SEAL too. We may remove this
+		 * in a few years. As all servers should have
+		 * GENSEC_FEATURE_LDAP_STYLE by then.
+		 */
+		ret = gensec_setting_bool(gensec_security->settings,
+					  "ntlmssp_client",
+					  "ldap_style_send_seal",
+					  true);
+		if (ret) {
 			ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 		}
 	}
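Review bot: the comment carried into the new `if (ntlmssp_state->force_wrap_seal)` block does not mention the `ntlmssp_client:ldap_style_send_seal` setting that now gates `required_flags |= NTLMSSP_NEGOTIATE_SEAL`, and it keeps the grammar slips from the original ("We want also work", "didn't had"); since the lines are being rewritten anyway, say something like "We also want to work against old Samba servers which didn't have GENSEC_FEATURE_LDAP_STYLE, so by default we negotiate SEAL too; ntlmssp_client:ldap_style_send_seal=no disables this for testing." The option also needs an entry wherever the other ntlmssp_client settings are documented, otherwise it is only discoverable via source4/selftest/tests.py. Defaulting `gensec_setting_bool()` to true keeps the old wire behaviour for every existing client, which is the right choice for a bug-fix commit.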
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 37ed2bc..140e89d 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
 	data_blob_free(&ntlmssp_state->challenge_blob);
 
 	if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+		if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
+			/*
+			 * We need to handle NTLMSSP_NEGOTIATE_SIGN as
+			 * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
+			 * is requested.
+			 */
+			ntlmssp_state->force_wrap_seal = true;
+		}
 		nt_status = ntlmssp_sign_init(ntlmssp_state);
 	}
 
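Review bot: evaluating GENSEC_FEATURE_LDAP_STYLE here, inside the `gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)` branch and before `ntlmssp_sign_init()`, ties `force_wrap_seal` to the flags that were actually negotiated, which is the fix the commit message asks for. Two small points: the field is only ever set, never cleared, so this relies on nothing having set it earlier (true now that the block in gensec_ntlmssp_server_start is gone); a one-line comment stating that expectation would stop a later reintroduction of the early assignment. And the comment block is copied verbatim from the client; it would help a future reader to say why the server does this in postauth rather than at start (the negotiated flags are only known here).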
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 88af607..9740118 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -113,6 +113,13 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
         '--option=clientldapsaslwrapping=plain',
         '--sign',
         '--encrypt',
+        '-k yes --option=clientldapsaslwrapping=plain',
+        '-k yes --sign',
+        '-k yes --encrypt',
+        '-k no --option=clientldapsaslwrapping=plain',
+        '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no',
+        '-k no --sign',
+        '-k no --encrypt',
     ]
 
     for auth_option in auth_options:

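Review bot: of the seven new entries only `'-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no'` reproduces the reported failure (NTLMSSP with SIGN but without SEAL over LDAP), because `'-k no --sign'` still negotiates SEAL by default and `'-k no --encrypt'` asks for it outright; a comment on that line pointing at bug 13427 would make the purpose of the option obvious. The `-k yes` entries cover the Kerberos path the commit message says was already working, and the two `clientldapsaslwrapping=plain` entries exercise neither signing nor sealing, so they only check that the options are accepted. Also note the new entries bundle several arguments into one space-separated string (`'-k yes --sign'`) while the existing entries above hold a single option each; make sure the loop below splits these on whitespace before passing them to test_ldb_simple.sh, otherwise each string reaches the script as one argument.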

-- 
Samba Shared Repository



More information about the samba-cvs mailing list