Badlock regression fixes

Stefan Metzmacher metze at samba.org
Thu Apr 28 01:21:17 UTC 2016


Hi,

Here are some patches that fix regressions introduced
by the last security releases.

See
https://bugzilla.samba.org/show_bug.cgi?id=11849
https://bugzilla.samba.org/show_bug.cgi?id=11841
https://bugzilla.samba.org/show_bug.cgi?id=11847
https://bugzilla.samba.org/show_bug.cgi?id=11850
https://bugzilla.samba.org/show_bug.cgi?id=11858
https://bugzilla.samba.org/show_bug.cgi?id=11870
https://bugzilla.samba.org/show_bug.cgi?id=11872

I'm going to do some more tests tomorrow,
but you can already start to review the patches
for master.

Thanks!
metze

Btw: there are 3 additional patches for regressions
in the 3.6 backports; see the top 3 commits in
https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/security-2016-04-v3-6-base
https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=82fa625540abf8b8ec23d43c41e2ca906a9928a5
https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=0abef6992dc342d443137f8a2ac6c01f490cecee
https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=2d0424e7bb2c30bf9049529b207c73b55370dfc8

-------------- next part --------------
From e580e26092266a7eb4d850feabb03a0b432db9b2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 22 Apr 2016 16:18:24 +0200
Subject: [PATCH 01/27] s4:gensec_tstream: allow wrapped messages up to a size
 of 0xfffffff

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/gensec/gensec_tstream.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source4/auth/gensec/gensec_tstream.c b/source4/auth/gensec/gensec_tstream.c
index 92f4fa6..c828170 100644
--- a/source4/auth/gensec/gensec_tstream.c
+++ b/source4/auth/gensec/gensec_tstream.c
@@ -253,7 +253,11 @@ static int tstream_gensec_readv_next_vector(struct tstream_context *unix_stream,
 
 		msg_len = RIVAL(state->wrapped.hdr, 0);
 
-		if (msg_len > 0x00FFFFFF) {
+		/*
+		 * I got a Windows 2012R2 server responding with
+		 * a message of 0x1b28a33.
+		 */
+		if (msg_len > 0x0FFFFFFF) {
 			errno = EMSGSIZE;
 			return -1;
 		}
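Review bot: The new bound in `if (msg_len > 0x0FFFFFFF)` is a bare magic number, and the comment above it records only the observation that motivated raising it, not what the limit protects. msg_len is taken straight off the wire by `RIVAL(state->wrapped.hdr, 0)` and presumably sizes the receive buffer, so the comment should say that this is the ceiling on what a peer can make us buffer, e.g. `/* Upper bound on a wrapped message we are willing to buffer from the peer; a Windows 2012R2 server was seen sending 0x1b28a33. */`. A named constant alongside the ADS_SASL_WRAPPING_IN_MAX_WRAPPED used in the next patch would keep the two inbound limits from drifting apart. tstream_gensec_readv_next_vector continues outside the hunk.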
-- 
1.9.1


From 99b756cb58a2da9e01bf4bd0de1c4b4f9104b73c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 22 Apr 2016 16:31:55 +0200
Subject: [PATCH 02/27] s3:libads/sasl: allow wrapped messages up to a size of
 0xfffffff

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libads/sasl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index b8d4527..10f63e8 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -328,7 +328,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 		 * arcfour-hmac-md5.
 		 */
 		ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
-		ads->ldap.in.max_wrapped = max_wrapped;
+		ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
 		status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
 		if (!ADS_ERR_OK(status)) {
 			DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
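Review bot: The line `ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;` decouples the inbound limit from the value negotiated for this connection (`max_wrapped` here, `max_msg_size` in the second hunk in ads_sasl_gssapi_do_bind), but nothing in either hunk says why. A one-line comment would help, e.g. `/* servers send wrapped messages larger than the negotiated size; use a fixed inbound bound instead */`. If `max_wrapped` has no remaining reader in ads_sasl_spnego_gensec_bind after this change, it may now be an unused variable. Both functions extend beyond their hunks.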
@@ -986,7 +986,7 @@ static ADS_STATUS ads_sasl_gssapi_do_bind(ADS_STRUCT *ads, const gss_name_t serv
 
 		ads->ldap.out.sig_size = max_msg_size - ads->ldap.out.max_unwrapped;
 		ads->ldap.in.min_wrapped = 0x2C; /* taken from a capture with LDAP unbind */
-		ads->ldap.in.max_wrapped = max_msg_size;
+		ads->ldap.in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
 		status = ads_setup_sasl_wrapping(ads, &ads_sasl_gssapi_ops, context_handle);
 		if (!ADS_ERR_OK(status)) {
 			DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
-- 
1.9.1


From 9b871d6a4b1a134949d6be1c5dd1cc31faf414c6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sat, 23 Apr 2016 05:17:25 +0200
Subject: [PATCH 03/27] auth/spnego: handle broken mechListMIC response from
 Windows 2000

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/gensec/spnego.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 2922478..f82d5bb 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1078,6 +1078,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		}
 
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+			DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+			const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+			/*
+			 * Windows 2000 has a bug, it repeats the
+			 * responseToken in the mechListMIC field.
+			 */
+			if (m->length == r->length) {
+				int cmp;
+
+				cmp = memcmp(m->data, r->data, m->length);
+				if (cmp == 0) {
+					data_blob_free(m);
+				}
+			}
+		}
+
+		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			if (spnego_state->no_response_expected) {
 				spnego_state->needs_mic_check = true;
 			}
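Review bot: The workaround at `if (cmp == 0) { data_blob_free(m); }` silently discards the mechListMIC whenever it is byte-identical to the responseToken, so a peer-supplied field decides that a MIC is not checked and nothing records that this happened. A DEBUG line next to the free (the series already uses DEBUG in other files) would make the workaround visible in traces when it fires, and the comment should state why equality is a reliable signature of the Windows 2000 bug rather than something a valid MIC could produce, hedged if that is not certain. If this part of gensec_spnego_update is reached in both the client and server roles, consider limiting the workaround to the role that actually receives Windows 2000 tokens here. The enclosing switch case starts and ends outside the hunk.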
-- 
1.9.1


From 26678e3aeaba609142674a0745d0e8a90e502a80 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 20 Apr 2016 18:44:21 +0200
Subject: [PATCH 04/27] auth/ntlmssp: don't require any flags in the
 ccache_resume code

ntlmssp_client_challenge() already checks for required flags
before asking winbindd.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/ntlmssp/ntlmssp_client.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..8b367fc 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
 		gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
 		gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 	}
 
-	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 	ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+	ntlmssp_state->required_flags = 0;
 
 	if (DEBUGLEVEL >= 10) {
 		struct NEGOTIATE_MESSAGE *negotiate = talloc(
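Review bot: The new line `ntlmssp_state->required_flags = 0;` clears the enforcement mask without saying why that is safe, and a reader of gensec_ntlmssp_resume_ccache will not have the commit message at hand. Put the reasoning in a comment, e.g. `/* ntlmssp_client_challenge() already verified required_flags before winbindd was asked; nothing is left to enforce on resume */`. The function continues outside the hunk, so whether required_flags is read again later is not visible here.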
-- 
1.9.1


From 407f43f4008e18b06c545f5fa6544c0531457bc6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 20 Apr 2016 18:44:21 +0200
Subject: [PATCH 05/27] auth/ntlmssp: don't require NTLMSSP_SIGN for smb
 connections

Enforcement of SMB signing is done at the SMB layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/ntlmssp/ntlmssp_client.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index 8b367fc..b423f20 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -843,8 +843,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 		 * Without this, Windows will not create the master key
 		 * that it thinks is only used for NTLMSSP signing and
 		 * sealing.  (It is actually pulled out and used directly)
+		 *
+		 * We don't require this here as some servers (e.g. NetAPP)
+		 * doesn't support this.
 		 */
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
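Review bot: The added comment reads `We don't require this here as some servers (e.g. NetAPP) doesn't support this.`; subject and verb disagree, and "this" is ambiguous now that the line below sets neg_flags rather than required_flags. Suggest `We only negotiate, rather than require, NTLMSSP_NEGOTIATE_SIGN here because some servers (e.g. NetApp) do not support it; SMB signing is enforced at the SMB layer.` The following `if (gensec_security->want_features & GENSEC_FEATURE_SIGN)` block still adds SIGN to required_flags, so the requirement survives when the caller asked for signing. gensec_ntlmssp_client_start continues outside the hunk.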
-- 
1.9.1


From e5267f4d14c58a966edad26aea3b9b81ecfbcdf9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 19 Apr 2016 07:31:50 +0200
Subject: [PATCH 06/27] s3:libsmb: use password = NULL for anonymous
 connections

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libsmb/cliconnect.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 2c351dd..b8a8c7a 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1325,6 +1325,17 @@ static struct tevent_req *cli_session_setup_gensec_send(
 	talloc_set_destructor(
 		state, cli_session_setup_gensec_state_destructor);
 
+	if (user == NULL || strlen(user) == 0) {
+		if (pass != NULL && strlen(pass) == 0) {
+			/*
+			 * some callers pass "" as no password
+			 *
+			 * gensec only handles NULL as no password.
+			 */
+			pass = NULL;
+		}
+	}
+
 	status = auth_generic_client_prepare(state, &state->auth_generic);
 	if (tevent_req_nterror(req, status)) {
 		return tevent_req_post(req, ev);
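Review bot: The new guards `if (user == NULL || strlen(user) == 0)` and `if (pass != NULL && strlen(pass) == 0)` only test for emptiness, so `user[0] == '\0'` and `pass[0] == '\0'` say the same thing without walking the strings. The comment `some callers pass "" as no password` could also name the consequence for the reader: gensec treats "" as an explicit empty password rather than as anonymous, which is presumably the regression being fixed. If `pass` is already captured into `state` earlier in cli_session_setup_gensec_send, this normalisation would come too late; the function starts outside the hunk.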
-- 
1.9.1


From 04614f32842204d38db6eef4f7cee1b32baf9f03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Wed, 20 Apr 2016 20:09:53 +0200
Subject: [PATCH 07/27] libcli/smb: fix NULL pointer derreference in
 smbXcli_session_is_authenticated().

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
---
 libcli/smb/smbXcli_base.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 6a71766..e502dc8 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5305,6 +5305,10 @@ bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
 {
 	const DATA_BLOB *application_key;
 
+	if (session == NULL) {
+		return false;
+	}
+
 	if (session->conn == NULL) {
 		return false;
 	}
-- 
1.9.1


From e7a198be7aa752aca6994f8e077205738a3d484e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 18 Apr 2016 17:33:11 +0200
Subject: [PATCH 08/27] libcli/smb: add smb1cli_session_set_action() helper
 function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 libcli/smb/smbXcli_base.c | 7 +++++++
 libcli/smb/smbXcli_base.h | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index e502dc8..d8b85c8 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -167,6 +167,7 @@ struct smbXcli_session {
 
 	struct {
 		uint16_t session_id;
+		uint16_t action;
 		DATA_BLOB application_key;
 		bool protected_key;
 	} smb1;
@@ -5376,6 +5377,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session,
 	session->smb1.session_id = session_id;
 }
 
+void smb1cli_session_set_action(struct smbXcli_session *session,
+				uint16_t action)
+{
+	session->smb1.action = action;
+}
+
 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
 					 const DATA_BLOB _session_key)
 {
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index ffccd7e..8eb482a 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -398,6 +398,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session);
 uint16_t smb1cli_session_current_id(struct smbXcli_session* session);
 void smb1cli_session_set_id(struct smbXcli_session* session,
 			    uint16_t session_id);
+void smb1cli_session_set_action(struct smbXcli_session *session,
+				uint16_t action);
 NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
 					 const DATA_BLOB _session_key);
 NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session);
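Review bot: The new prototype `void smb1cli_session_set_action(struct smbXcli_session *session, uint16_t action);` is undocumented, and the public header gives no hint what "action" is. Suggest a comment above it: `/* Record the Action field of the SMB1 session setup response (SMB_SETUP_* flags from the following patch). */`. The neighbouring declarations write `struct smbXcli_session* session` while the new one writes `*session`; either is fine, but the header is now mixed.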
-- 
1.9.1


From 9b572718f6f4959b34883c0c694c1a14c9256a79 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 18 Apr 2016 17:34:21 +0200
Subject: [PATCH 09/27] libcli/smb: add SMB1 session setup action flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 libcli/smb/smb_constants.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 57915d9..e03e843 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -278,6 +278,12 @@ enum smb_signing_setting {
 	CAP_LARGE_WRITEX | \
 	0)
 
+/*
+ * The action flags in the SMB session setup response
+ */
+#define SMB_SETUP_GUEST          0x0001
+#define SMB_SETUP_USE_LANMAN_KEY 0x0002
+
 /* Client-side offline caching policy types */
 enum csc_policy {
 	CSC_POLICY_MANUAL=0,
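Review bot: `#define SMB_SETUP_GUEST 0x0001` and `SMB_SETUP_USE_LANMAN_KEY 0x0002` are bit flags (later patches use `action |= SMB_SETUP_GUEST` and `action & SMB_SETUP_GUEST`), and the comment should say so, e.g. `/* Bit flags of the Action field in the SMB1 session setup response */`. The file already uses enum for related constants (`enum csc_policy` directly below); an unnamed enum would give the flags debugger visibility, though #define matches the CAP_* style above.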
-- 
1.9.1


From 3579686412dc29a1ad93e7c29702347ccc8be8dd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 18 Apr 2016 17:38:46 +0200
Subject: [PATCH 10/27] libcli/smb: add smbXcli_session_is_guest() helper
 function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 libcli/smb/smbXcli_base.c | 24 ++++++++++++++++++++++++
 libcli/smb/smbXcli_base.h |  1 +
 2 files changed, 25 insertions(+)

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index d8b85c8..4332374 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5302,6 +5302,30 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
 	return session;
 }
 
+bool smbXcli_session_is_guest(struct smbXcli_session *session)
+{
+	if (session == NULL) {
+		return false;
+	}
+
+	if (session->conn == NULL) {
+		return false;
+	}
+
+	if (session->conn->protocol >= PROTOCOL_SMB2_02) {
+		if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+			return true;
+		}
+		return false;
+	}
+
+	if (session->smb1.action & SMB_SETUP_GUEST) {
+		return true;
+	}
+
+	return false;
+}
+
 bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
 {
 	const DATA_BLOB *application_key;
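Review bot: The SMB2 path of smbXcli_session_is_guest dereferences `session->smb2->session_flags` without checking `session->smb2`, although the function guards `session` and `session->conn`; if smb2 can be NULL on a session whose setup has not completed, that is a NULL dereference on exactly the path used to decide whether to skip the gensec handshake. If it cannot be NULL, a one-line comment saying so would settle the question. The two flag tests can be written as `return (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) != 0;` and `return (session->smb1.action & SMB_SETUP_GUEST) != 0;`. The leading NULL checks repeat those of smbXcli_session_is_authenticated below; a small static helper would keep them in step.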
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 8eb482a..16c8848 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -390,6 +390,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx,
 					       struct smbXcli_conn *conn);
 struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
 					       struct smbXcli_session *src);
+bool smbXcli_session_is_guest(struct smbXcli_session *session);
 bool smbXcli_session_is_authenticated(struct smbXcli_session *session);
 NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
 					 TALLOC_CTX *mem_ctx,
-- 
1.9.1


From fcf499ae3b4fc8e85a4fd5f8e6f891d7a11de15b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 19 Apr 2016 07:19:19 +0200
Subject: [PATCH 11/27] s3:libsmb: record the session setup action flags

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libsmb/cliconnect.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index b8a8c7a..48f499c 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -242,6 +242,7 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+	smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
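Review bot: `smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));` is repeated in all five hunks of this file with nothing saying which response word `vwv+2` is; the first occurrence should carry `/* vwv[2]: Action field (SMB_SETUP_* flags) */` so the other four read correctly. The new line names `cli` while the line before it names `state->cli`; both appear to be in scope (`smb_bytes_talloc_string(cli, ...)` follows), but mixing them on adjacent lines is confusing. Whether the word count was validated before `vwv` is indexed is outside each hunk.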
@@ -445,6 +446,7 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+	smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
@@ -604,6 +606,7 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+	smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
@@ -915,6 +918,7 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+	smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
@@ -1160,6 +1164,7 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
 	state->inbuf = in;
 	inhdr = in + NBT_HDR_SIZE;
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+	smb1cli_session_set_action(cli->smb1.session, SVAL(vwv+2, 0));
 
 	blob_length = SVAL(vwv+3, 0);
 	if (blob_length > num_bytes) {
-- 
1.9.1


From 9a30793bcdf9d01f70b150a3be960de6959adee4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 19 Apr 2016 07:20:28 +0200
Subject: [PATCH 12/27] s3:libsmb: don't finish the gensec handshake for guest
 logins

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libsmb/cliconnect.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 48f499c..b984087 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1572,6 +1572,27 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
 	}
 
 	if (NT_STATUS_IS_OK(status)) {
+		struct smbXcli_session *session = NULL;
+		bool is_guest = false;
+
+		if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
+			session = state->cli->smb2.session;
+		} else {
+			session = state->cli->smb1.session;
+		}
+
+		is_guest = smbXcli_session_is_guest(session);
+		if (is_guest) {
+			/*
+			 * We can't finish the gensec handshake, we don't
+			 * have a negotiated session key.
+			 *
+			 * So just pretend we are completely done.
+			 */
+			state->blob_in = data_blob_null;
+			state->local_ready = true;
+		}
+
 		state->remote_ready = true;
 	}
 
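Review bot: The guest branch sets `state->local_ready = true` and drops `blob_in` without recording the consequence: the resulting session has no session key, so nothing later can sign or seal on it. The comment should say that explicitly, e.g. extend it with `The session is unauthenticated; callers that require signing must reject guest sessions.`, so that consumers of cli_session_setup_gensec do not take a completed handshake to imply a key. The protocol test `smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02` used to pick the session is inlined here; if the same selection exists elsewhere in the file, a helper would avoid divergence. cli_session_setup_gensec_remote_done continues outside the hunk.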
-- 
1.9.1


From 705a4d907c1b259f83533a096486136e77afd5c8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 19 Apr 2016 07:33:03 +0200
Subject: [PATCH 13/27] s3:libsmb: use anonymous authentication via spnego if
 possible

This makes the authentication consistent between
SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
and SMB2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/libsmb/cliconnect.c | 55 ++++++++++++++++++++++++---------------------
 1 file changed, 29 insertions(+), 26 deletions(-)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index b984087..ea92c8f 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1643,6 +1643,19 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
 		}
 	}
 
+	if (state->is_anonymous) {
+		/*
+		 * Windows server does not set the
+		 * SMB2_SESSION_FLAG_IS_NULL flag.
+		 *
+		 * This fix makes sure we do not try
+		 * to verify a signature on the final
+		 * session setup response.
+		 */
+		tevent_req_done(req);
+		return;
+	}
+
 	status = gensec_session_key(state->auth_generic->gensec_security,
 				    state, &state->session_key);
 	if (tevent_req_nterror(req, status)) {
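Review bot: The early return now placed before `gensec_session_key()` applies to SMB1 as well as SMB2, but its comment still only explains the SMB2 `SMB2_SESSION_FLAG_IS_NULL` case, so a reader of the SMB1 path will not see why the session key step is skipped. Suggest adding `The same applies to SMB1 with extended security: an anonymous SPNEGO session has no key, so there is nothing to install.` (inferred from the third hunk, which routes anonymous SMB1 through SPNEGO). Skipping the key step also means an anonymous session is never put into signing, which matches the intent but is worth stating. cli_session_setup_gensec_ready continues outside the hunk.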
@@ -1652,20 +1665,6 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
 	if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
 		struct smbXcli_session *session = state->cli->smb2.session;
 
-		if (state->is_anonymous) {
-			/*
-			 * Windows server does not set the
-			 * SMB2_SESSION_FLAG_IS_GUEST nor
-			 * SMB2_SESSION_FLAG_IS_NULL flag.
-			 *
-			 * This fix makes sure we do not try
-			 * to verify a signature on the final
-			 * session setup response.
-			 */
-			tevent_req_done(req);
-			return;
-		}
-
 		status = smb2cli_session_set_session_key(session,
 							 state->session_key,
 							 state->recv_iov);
@@ -2095,6 +2094,21 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
 		return req;
 	}
 
+	/*
+	 * if the server supports extended security then use SPNEGO
+	 * even for anonymous connections.
+	 */
+	if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
+		subreq = cli_session_setup_spnego_send(
+			state, ev, cli, user, pass, workgroup);
+		if (tevent_req_nomem(subreq, req)) {
+			return tevent_req_post(req, ev);
+		}
+		tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
+					req);
+		return req;
+	}
+
 	/* if no user is supplied then we have to do an anonymous connection.
 	   passwords are ignored */
 
@@ -2143,18 +2157,7 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
 		return req;
 	}
 
-	/* if the server supports extended security then use SPNEGO */
-
-	if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
-		subreq = cli_session_setup_spnego_send(
-			state, ev, cli, user, pass, workgroup);
-		if (tevent_req_nomem(subreq, req)) {
-			return tevent_req_post(req, ev);
-		}
-		tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
-					req);
-		return req;
-	} else {
+	{
 		/* otherwise do a NT1 style session setup */
 		if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
 			/*
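Review bot: The bare `{` that replaces `} else {` near the end of cli_session_setup_send leaves a block whose comment still begins with `otherwise`, and the block exists only to avoid re-indenting the NT1 path. Since the SPNEGO branch now returns earlier, the block can be dropped and its body dedented, with the comment reworded to `/* no extended security: do a NT1 style session setup */`. The hunk ends inside that block, so the rest of it is not visible here.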
-- 
1.9.1


From 4fdb8c1be71de31a80e6cd4b15df075e7ce71b7d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 22 Apr 2016 10:04:38 +0200
Subject: [PATCH 14/27] auth/spnego: only try to verify the mechListMic if
 signing was negotiated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/gensec/spnego.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index f82d5bb..1323bfe 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -885,6 +885,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 	case SPNEGO_SERVER_TARG:
 	{
 		NTSTATUS nt_status;
+		bool have_sign = true;
 		bool new_spnego = false;
 
 		if (!in.length) {
@@ -947,18 +948,20 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			goto server_response;
 		}
 
+		have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+						GENSEC_FEATURE_SIGN);
 		new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 						 GENSEC_FEATURE_NEW_SPNEGO);
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			new_spnego = true;
 		}
 
-		if (new_spnego) {
+		if (have_sign && new_spnego) {
 			spnego_state->needs_mic_check = true;
 			spnego_state->needs_mic_sign = true;
 		}
 
-		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+		if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 							spnego_state->mech_types.data,
 							spnego_state->mech_types.length,
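Review bot: `bool have_sign = true;` is declared with a default of true at the top of the SPNEGO_SERVER_TARG case but not assigned until `have_sign = gensec_have_feature(...)`, and the `goto server_response` between them at the start of the hunk may bypass that assignment; if have_sign is read at server_response, the default is what gates the MIC checks and should either be false or carry a comment explaining why true is safe there. The same pattern is repeated in the client case at the hunk `@@ -1142,8 +1145,11 @@`. With `if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0)`, a MIC received from a peer that did not negotiate signing is now ignored rather than rejected; if that is deliberate, a debug message at that point would make it visible in traces. The switch case starts before and ends after the hunk.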
@@ -1142,8 +1145,11 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		if (spnego_state->no_response_expected &&
 		    !spnego_state->done_mic_check)
 		{
+			bool have_sign = true;
 			bool new_spnego = false;
 
+			have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+							GENSEC_FEATURE_SIGN);
 			new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 							 GENSEC_FEATURE_NEW_SPNEGO);
 
@@ -1170,16 +1176,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			}
 
 			if (spnego_state->mic_requested) {
-				bool sign;
-
-				sign = gensec_have_feature(spnego_state->sub_sec_security,
-							   GENSEC_FEATURE_SIGN);
-				if (sign) {
+				if (have_sign) {
 					new_spnego = true;
 				}
 			}
 
-			if (new_spnego) {
+			if (have_sign && new_spnego) {
 				spnego_state->needs_mic_check = true;
 				spnego_state->needs_mic_sign = true;
 			}
-- 
1.9.1


From 7bcc6529a4e1b790052c060c22b650f73e2b5c0c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 27 Apr 2016 01:44:56 +0200
Subject: [PATCH 15/27] s4:auth_anonymous: anonymous authentication doesn't
 allow a password

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth_anonymous.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c
index 28cbfe8..ab1aac2 100644
--- a/source4/auth/ntlm/auth_anonymous.c
+++ b/source4/auth/ntlm/auth_anonymous.c
@@ -41,6 +41,36 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
+	switch (user_info->password_state) {
+	case AUTH_PASSWORD_PLAIN:
+		if (user_info->password.plaintext != NULL &&
+		    strlen(user_info->password.plaintext) > 0)
+		{
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		break;
+	case AUTH_PASSWORD_HASH:
+		if (user_info->password.hash.lanman != NULL) {
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		if (user_info->password.hash.nt != NULL) {
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		break;
+	case AUTH_PASSWORD_RESPONSE:
+		if (user_info->password.response.lanman.length == 1) {
+			if (user_info->password.response.lanman.data[0] != '\0') {
+				return NT_STATUS_NOT_IMPLEMENTED;
+			}
+		} else if (user_info->password.response.lanman.length > 1) {
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		if (user_info->password.response.nt.length > 0) {
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		break;
+	}
+
 	return NT_STATUS_OK;
 }
 
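Review bot: The new `switch (user_info->password_state)` in anonymous_want_check has no `default:` branch, so any password_state value outside the three listed cases falls through to `return NT_STATUS_OK`, i.e. the anonymous backend would accept it; a check that exists to reject supplied credentials should fail closed. Keep the explicit cases (so -Wswitch still reports new enum values) and add `default: return NT_STATUS_NOT_IMPLEMENTED;` at the end. The same switch without a default appears in check_guest_security in the next patch (source3/auth/auth_builtin.c). The function starts outside the hunk.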
-- 
1.9.1


From f24612169f086b0a83bc187b0f0b61a70e979230 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 27 Apr 2016 01:48:32 +0200
Subject: [PATCH 16/27] s3:auth_builtin: anonymous authentication doesn't allow
 a password

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_builtin.c | 47 ++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 40 insertions(+), 7 deletions(-)

diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index dce58bf..7480799 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -38,17 +38,50 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
 				     const struct auth_usersupplied_info *user_info,
 				     struct auth_serversupplied_info **server_info)
 {
-	/* mark this as 'not for me' */
-	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
-
 	DEBUG(10, ("Check auth for: [%s]\n", user_info->mapped.account_name));
 
-	if (!(user_info->mapped.account_name
-	      && *user_info->mapped.account_name)) {
-		nt_status = make_server_info_guest(NULL, server_info);
+	if (user_info->mapped.account_name && *user_info->mapped.account_name) {
+		/* mark this as 'not for me' */
+		return NT_STATUS_NOT_IMPLEMENTED;
 	}
 
-	return nt_status;
+	switch (user_info->password_state) {
+	case AUTH_PASSWORD_PLAIN:
+		if (user_info->password.plaintext != NULL &&
+		    strlen(user_info->password.plaintext) > 0)
+		{
+			/* mark this as 'not for me' */
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		break;
+	case AUTH_PASSWORD_HASH:
+		if (user_info->password.hash.lanman != NULL) {
+			/* mark this as 'not for me' */
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		if (user_info->password.hash.nt != NULL) {
+			/* mark this as 'not for me' */
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		break;
+	case AUTH_PASSWORD_RESPONSE:
+		if (user_info->password.response.lanman.length == 1) {
+			if (user_info->password.response.lanman.data[0] != '\0') {
+				/* mark this as 'not for me' */
+				return NT_STATUS_NOT_IMPLEMENTED;
+			}
+		} else if (user_info->password.response.lanman.length > 1) {
+			/* mark this as 'not for me' */
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		if (user_info->password.response.nt.length > 0) {
+			/* mark this as 'not for me' */
+			return NT_STATUS_NOT_IMPLEMENTED;
+		}
+		break;
+	}
+
+	return make_server_info_guest(NULL, server_info);
 }
 
 /* Guest modules initialisation */
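Review bot: check_guest_security repeats `/* mark this as 'not for me' */` before each of its seven `return NT_STATUS_NOT_IMPLEMENTED;` statements; a single comment above the switch, `/* any supplied credential means this request is not for the guest module */`, says it once. The switch also lacks a `default:` that fails closed, as noted on the s4 counterpart. The `length == 1` / `data[0] != '\0'` test for the LanMan response deserves a comment explaining that a single NUL byte is accepted as "no password" — presumably a legacy client encoding, which the hunk does not say.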
-- 
1.9.1


From dab10fb41411239af7b013226e1638e65f83f9da Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 20 Apr 2016 16:29:42 +0200
Subject: [PATCH 17/27] libcli/security: implement SECURITY_GUEST

SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 libcli/security/security_token.c | 5 +++++
 libcli/security/security_token.h | 2 ++
 libcli/security/session.c        | 4 ++++
 libcli/security/session.h        | 1 +
 4 files changed, 12 insertions(+)

diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 6812d42..2e5a87b 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha
 	return ret;
 }
 
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+	return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
 bool security_token_has_builtin_administrators(const struct security_token *token)
 {
 	return security_token_has_sid(token, &global_sid_Builtin_Administrators);
diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
index b8ca990..5c5b30b 100644
--- a/libcli/security/security_token.h
+++ b/libcli/security/security_token.h
@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
 
 bool security_token_has_sid_string(const struct security_token *token, const char *sid_string);
 
+bool security_token_has_builtin_guests(const struct security_token *token);
+
 bool security_token_has_builtin_administrators(const struct security_token *token);
 
 bool security_token_has_nt_authenticated_users(const struct security_token *token);
diff --git a/libcli/security/session.c b/libcli/security/session.c
index 0c32556..0fbb87d 100644
--- a/libcli/security/session.c
+++ b/libcli/security/session.c
@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 		return SECURITY_ANONYMOUS;
 	}
 
+	if (security_token_has_builtin_guests(session_info->security_token)) {
+		return SECURITY_GUEST;
+	}
+
 	if (security_token_has_builtin_administrators(session_info->security_token)) {
 		return SECURITY_ADMINISTRATOR;
 	}
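Review bot: In security_session_user_level the new `security_token_has_builtin_guests()` test runs before the administrators test, so a token carrying both SIDs is reported as SECURITY_GUEST; that ordering looks intentional (least privilege wins) but is not stated. A comment such as `/* guests are classified before administrators: membership in Builtin Guests always demotes the session */` would prevent a later reorder. In session.h, `SECURITY_GUEST = 1` sits below `SECURITY_USER = 10`, so existing `< SECURITY_USER` comparisons keep treating guests as non-users, which is worth noting next to the enum value.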
diff --git a/libcli/security/session.h b/libcli/security/session.h
index ee9187d..31e950e 100644
--- a/libcli/security/session.h
+++ b/libcli/security/session.h
@@ -24,6 +24,7 @@
 
 enum security_user_level {
 	SECURITY_ANONYMOUS            = 0,
+	SECURITY_GUEST                = 1,
 	SECURITY_USER                 = 10,
 	SECURITY_RO_DOMAIN_CONTROLLER = 20,
 	SECURITY_DOMAIN_CONTROLLER    = 30,
-- 
1.9.1


From 199f5248cb572b76bafe7930d0a4b0a930ba7478 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 18 Apr 2016 17:36:56 +0200
Subject: [PATCH 18/27] s3:smbd: make use SMB_SETUP_GUEST constant

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/sesssetup.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b7fdd00..88cbf97 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -294,7 +294,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		}
 
 		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
-			action = 1;
+			action |= SMB_SETUP_GUEST;
 		}
 
 		if (session_info->session_key.length > 0) {
@@ -420,7 +420,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 		}
 
 		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
-			action = 1;
+			action |= SMB_SETUP_GUEST;
 		}
 
 		/*
@@ -949,7 +949,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	}
 
 	if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
-		action = 1;
+		action |= SMB_SETUP_GUEST;
 	}
 
 	/* register the name and uid as being validated, so further connections
-- 
1.9.1


From 7c868e1290398e89c6c840fb7e5d12796f9e266f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 20 Apr 2016 16:34:28 +0200
Subject: [PATCH 19/27] s3:smbd: only mark real guest sessions with the GUEST
 flag

Real anonymous sessions don't get it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/smbd/sesssetup.c      | 6 +++---
 source3/smbd/smb2_sesssetup.c | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 88cbf97..62dc49e 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -293,7 +293,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 			return;
 		}
 
-		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+		if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
 			action |= SMB_SETUP_GUEST;
 		}
 
@@ -419,7 +419,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
 			return;
 		}
 
-		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+		if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
 			action |= SMB_SETUP_GUEST;
 		}
 
@@ -948,7 +948,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 		/* perhaps grab OS version here?? */
 	}
 
-	if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+	if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
 		action |= SMB_SETUP_GUEST;
 	}
 
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 78bda7b..821024f 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -278,11 +278,12 @@ static NTSTATUS smbd_smb2_auth_generic_return(struct smbXsrv_session *session,
 	}
 
 	if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
-		/* we map anonymous to guest internally */
-		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
-		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
+		if (security_session_user_level(session_info, NULL) == SECURITY_GUEST) {
+			*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
+		}
 		/* force no signing */
 		x->global->signing_flags &= ~SMBXSRV_SIGNING_REQUIRED;
+		/* we map anonymous to guest internally */
 		guest = true;
 	}
 
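Review bot: The old code set both SMB2_SESSION_FLAG_IS_GUEST and SMB2_SESSION_FLAG_IS_NULL for every sub-user session; the new code sets IS_GUEST only for SECURITY_GUEST and nothing at all for SECURITY_ANONYMOUS, so IS_NULL is dropped entirely, which the commit message ("Real anonymous sessions don't get it") does not cover. If anonymous sessions are meant to advertise SMB2_SESSION_FLAG_IS_NULL, an `else` branch setting it is missing; if dropping it is intended, the commit message should state that. security_session_user_level() is also evaluated twice on the same session_info; a local `enum security_user_level level = security_session_user_level(session_info, NULL);` tested in both ifs reads better and avoids the second call. smbd_smb2_auth_generic_return starts before the hunk.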
-- 
1.9.1


From f6f8e7b792a686488792db5f1792807109833edb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 20 Apr 2016 18:27:34 +0200
Subject: [PATCH 20/27] auth/ntlmssp: do map to guest checking after the
 authentication

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/ntlmssp/gensec_ntlmssp_server.c | 16 +--------------
 auth/ntlmssp/ntlmssp_server.c        | 40 ++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 15 deletions(-)

diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index ca19863..120c6e0 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -131,21 +131,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 		ntlmssp_state->allow_lm_key = true;
 	}
 
-	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
-		/*
-		 * map to guest is not secure anyway, so
-		 * try to make it work and don't try to
-		 * negotiate new_spnego and MIC checking
-		 */
-		ntlmssp_state->force_old_spnego = true;
-	}
-
-	if (role == ROLE_ACTIVE_DIRECTORY_DC) {
-		/*
-		 * map to guest is not supported on an AD DC.
-		 */
-		ntlmssp_state->force_old_spnego = false;
-	}
+	ntlmssp_state->force_old_spnego = false;
 
 	ntlmssp_state->neg_flags =
 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
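Review bot: The removed block held the only use of `role` visible in this hunk; if gensec_ntlmssp_server_start has no other reader of that variable after the change, the compiler will flag it unused and its declaration (outside the hunk, so this is inferred) should go as well. Unconditionally writing `ntlmssp_state->force_old_spnego = false;` is harmless but gives no hint where the map-to-guest decision went; a comment such as `/* map-to-guest downgrade is decided after authentication, see ntlmssp_server_check_password() */` would point the reader at the new location.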
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 17d5ade..ddee875 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
 
 /**
  * Determine correct target name flags for reply, given server role
@@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 	struct auth4_context *auth_context = gensec_security->auth_context;
 	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+	struct auth_session_info *session_info = NULL;
 	struct auth_usersupplied_info *user_info;
 
 	user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
+	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+	    && auth_context->generate_session_info != NULL)
+	{
+		NTSTATUS tmp_status;
+
+		/*
+		 * We need to check if the auth is anonymous or mapped to guest
+		 */
+		tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+								 gensec_ntlmssp->server_returned_info,
+								 gensec_ntlmssp->ntlmssp_state->user,
+								 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+								 &session_info);
+		if (!NT_STATUS_IS_OK(tmp_status)) {
+			/*
+			 * We don't care about failures,
+			 * the worst result is that we try MIC checking
+			 * for a map to guest authentication.
+			 */
+			TALLOC_FREE(session_info);
+		}
+	}
+
+	if (session_info != NULL) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+			/*
+			 * Anonymous and GUEST are not secure anyway.
+			 * avoid new_spnego and MIC checking.
+			 */
+			ntlmssp_state->new_spnego = false;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+		}
+		TALLOC_FREE(session_info);
+	}
+
 	talloc_steal(mem_ctx, user_session_key->data);
 	talloc_steal(mem_ctx, lm_session_key->data);
 
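Review bot: The block that clears NTLMSSP_NEGOTIATE_SIGN/SEAL and `new_spnego` for an anonymous or guest session downgrades integrity protection without leaving any trace in the logs; a debug line next to the assignments, e.g. `DEBUG(5, ("%s: anonymous/guest session, not negotiating new_spnego, signing or sealing\n", __func__));`, would let an operator see when map-to-guest is weakening a session. `gensec_ntlmssp->ntlmssp_state->user` in the generate_session_info() call can be written as `ntlmssp_state->user`, since that local is already declared at the top of the function. The former `role == ROLE_ACTIVE_DIRECTORY_DC` exclusion is not carried over here, so an AD DC configured with map to guest now pays for an extra generate_session_info() call per authentication; presumably harmless because the level will not be below SECURITY_USER, but worth confirming. ntlmssp_server_check_password starts and ends outside the hunk.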
-- 
1.9.1


From d81adfca229ac977c40e405ea3ecdd43e04ded1a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 25 Apr 2016 14:45:55 +0200
Subject: [PATCH 21/27] auth/spnego: add spnego:simulate_w2k option for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/gensec/spnego.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1323bfe..0b49b1a 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
 	bool needs_mic_check;
 	bool done_mic_check;
 
+	bool simulate_w2k;
+
 	/*
 	 * The following is used to implement
 	 * the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 								     spnego.negTokenInit.mechToken, 
 								     &unwrapped_out);
 
+			if (spnego_state->simulate_w2k) {
+				/*
+				 * Windows 2000 returns the unwrapped token
+				 * also in the mech_list_mic field.
+				 *
+				 * In order to verify our client code,
+				 * we need a way to have a server with this
+				 * broken behaviour
+				 */
+				mech_list_mic = unwrapped_out;
+			}
+
 			nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
 								      out_mem_ctx,
 								      nt_status,
 								      unwrapped_out,
-								      null_data_blob,
+								      mech_list_mic,
 								      out);
 
 			spnego_free_data(&spnego);
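Review bot: `mech_list_mic` is neither declared nor initialised inside this hunk, yet it now replaces `null_data_blob` in the gensec_spnego_server_negTokenTarg() call on every path; if it is an existing local it must already be initialised to data_blob_null before this point, otherwise the non-simulate path hands an indeterminate DATA_BLOB to the reply (the declaration is outside the hunk, so this needs confirming). The `simulate_w2k` field added to struct spnego_state deserves a comment marking it test-only, e.g. `/* test-only (spnego:simulate_w2k): reproduce Windows 2000's mechListMIC quirk and skip signing */`, since the later hunks force `have_sign = false` whenever it is set. The identical `gensec_setting_bool()` read in client_start and server_start could live in one small static helper. gensec_spnego_update starts and ends outside the hunk.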
@@ -950,6 +970,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 
 		have_sign = gensec_have_feature(spnego_state->sub_sec_security,
 						GENSEC_FEATURE_SIGN);
+		if (spnego_state->simulate_w2k) {
+			have_sign = false;
+		}
 		new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 						 GENSEC_FEATURE_NEW_SPNEGO);
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
@@ -1150,6 +1173,9 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 
 			have_sign = gensec_have_feature(spnego_state->sub_sec_security,
 							GENSEC_FEATURE_SIGN);
+			if (spnego_state->simulate_w2k) {
+				have_sign = false;
+			}
 			new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 							 GENSEC_FEATURE_NEW_SPNEGO);
 
-- 
1.9.1


From 7d4bc76496f946b4aa9507dbe2ed76352ec05379 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 25 Apr 2016 15:58:27 +0200
Subject: [PATCH 22/27] auth/ntlmssp: add
 ntlmssp_{client,server}:force_old_spnego option for testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/ntlmssp/gensec_ntlmssp_server.c | 7 +++++++
 auth/ntlmssp/ntlmssp_client.c        | 3 +++
 2 files changed, 10 insertions(+)

diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index 120c6e0..99cedd0 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -133,6 +133,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 
 	ntlmssp_state->force_old_spnego = false;
 
+	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
+		/*
+		 * For testing Windows 2000 mode
+		 */
+		ntlmssp_state->force_old_spnego = true;
+	}
+
 	ntlmssp_state->neg_flags =
 		NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
 
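Review bot: `force_old_spnego` is set to false and then conditionally to true, whereas the client hunk in ntlmssp_client.c assigns the gensec_setting_bool() result directly; doing the same here, `ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false);`, keeps both sides symmetric and drops the redundant assignment. The comment "For testing Windows 2000 mode" should make clear that the option is for the selftest environment only, e.g. `/* test-only: emulate Windows 2000 (no new_spnego/MIC), paired with spnego:simulate_w2k */`. gensec_ntlmssp_server_start continues outside the hunk.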
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b423f20..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -784,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 
 	ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
 
+	ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+						"ntlmssp_client", "force_old_spnego", false);
+
 	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 
 	ntlmssp_state->neg_flags =
-- 
1.9.1


From b369691e42d05864b98bc936f7074e05efdef4c5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 26 Apr 2016 08:50:00 +0200
Subject: [PATCH 23/27] selftest:Samba4: provide DC_* variables for fl2000dc
 and fl2008r2dc

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba4.pm | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index eddcfa6..0ac386c0 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1391,6 +1391,13 @@ sub provision_fl2000dc($$)
 		warn("Unable to add wins configuration");
 		return undef;
 	}
+	$ret->{DC_SERVER} = $ret->{SERVER};
+	$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+	$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+	$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+	$ret->{DC_USERNAME} = $ret->{USERNAME};
+	$ret->{DC_PASSWORD} = $ret->{PASSWORD};
+	$ret->{DC_REALM} = $ret->{REALM};
 
 	return $ret;
 }
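Review bot: The seven DC_* assignments are pasted verbatim into provision_fl2000dc and again into provision_fl2008r2dc (the @@ -1474 hunk), so the two lists will drift the next time a DC_ variable is added. A single loop, `foreach my $k (qw(SERVER SERVER_IP SERVER_IPV6 NETBIOSNAME USERNAME PASSWORD REALM)) { $ret->{"DC_$k"} = $ret->{$k}; }`, or a small helper called from both subs, keeps them in step. Both subs start before their hunks.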
@@ -1474,6 +1481,13 @@ sub provision_fl2008r2dc($$$)
 		warn("Unable to add wins configuration");
 		return undef;
 	}
+	$ret->{DC_SERVER} = $ret->{SERVER};
+	$ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+	$ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+	$ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+	$ret->{DC_USERNAME} = $ret->{USERNAME};
+	$ret->{DC_PASSWORD} = $ret->{PASSWORD};
+	$ret->{DC_REALM} = $ret->{REALM};
 
 	return $ret;
 }
-- 
1.9.1


From 214d0703996b15770d9cddab53f09fa98c198a26 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 26 Apr 2016 11:33:52 +0200
Subject: [PATCH 24/27] s3:test_smbclient_auth.sh: this script requires 5
 arguments

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/script/tests/test_smbclient_auth.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/script/tests/test_smbclient_auth.sh b/source3/script/tests/test_smbclient_auth.sh
index cc075b9..1681772 100755
--- a/source3/script/tests/test_smbclient_auth.sh
+++ b/source3/script/tests/test_smbclient_auth.sh
@@ -2,7 +2,7 @@
 
 # this runs the file serving tests that are expected to pass with samba3 against shares with various options
 
-if [ $# -lt 4 ]; then
+if [ $# -lt 5 ]; then
 cat <<EOF
 Usage: test_smbclient_auth.sh SERVER SERVER_IP USERNAME PASSWORD SMBCLIENT <smbclient arguments>
 EOF
-- 
1.9.1


From 979936b52d4fd01e8fdc60e90035c817a8160665 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 27 Apr 2016 01:00:14 +0200
Subject: [PATCH 25/27] selftest:Samba4: let fl2000dc use Windows2000
 supported_enctypes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba.pm  | 13 +++++++++++++
 selftest/target/Samba4.pm |  3 +++
 2 files changed, 16 insertions(+)

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 6ca1036..17a2bbe 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -200,6 +200,19 @@ sub mk_krb5_conf($$)
  forwardable = yes
  allow_weak_crypto = yes
 
+";
+
+        if (defined($ctx->{supported_enctypes})) {
+		print KRB5CONF "
+ default_etypes = $ctx->{supported_enctypes}
+ default_as_etypes = $ctx->{supported_enctypes}
+ default_tgs_enctypes = $ctx->{supported_enctypes}
+ default_tkt_enctypes = $ctx->{supported_enctypes}
+ permitted_enctypes = $ctx->{supported_enctypes}
+";
+	}
+
+	print KRB5CONF "
 [realms]
  $our_realms_stanza
 ";
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 0ac386c0..7bd4cad 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -386,6 +386,9 @@ sub provision_raw_prepare($$$$$$$$$$$)
 	$ctx->{password} = $password;
 	$ctx->{kdc_ipv4} = $kdc_ipv4;
 	$ctx->{kdc_ipv6} = $kdc_ipv6;
+	if ($functional_level eq "2000") {
+		$ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc"
+	}
 
 #
 # Set smbd log level here.
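Review bot: The new assignment `$ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc"` has no terminating semicolon; Perl accepts it as the last statement of the block, but it is inconsistent with the rest of the file and will bite whoever appends a line after it. The list deliberately contains DES types for the Windows 2000 emulation, which is fine for the selftest KDC (the Samba.pm hunk already sets `allow_weak_crypto = yes`), but a short comment saying so, e.g. `# Windows 2000 only offered RC4 and DES; selftest only`, stops it being copied elsewhere. In the Samba.pm hunk of this same patch the `if (defined($ctx->{supported_enctypes}))` line is space-indented while the surrounding code uses tabs. provision_raw_prepare continues outside the hunk.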
-- 
1.9.1


From 03c07593e6d658434e2b63014352b2308f2108a3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 25 Apr 2016 16:02:22 +0200
Subject: [PATCH 26/27] selftest:Samba4: let fl2000dc use Windows2000 style
 SPNEGO/NTLMSSP

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 selftest/target/Samba4.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 7bd4cad..2d30dcf 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1377,6 +1377,10 @@ sub provision_fl2000dc($$)
 	my ($self, $prefix) = @_;
 
 	print "PROVISIONING DC WITH FOREST LEVEL 2000...";
+	my $extra_conf_options = "
+	spnego:simulate_w2k=yes
+	ntlmssp_server:force_old_spnego=yes
+";
 	my $ret = $self->provision($prefix,
 				   "domain controller",
 				   "dc5",
@@ -1386,7 +1390,7 @@ sub provision_fl2000dc($$)
 				   "locDCpass5",
 				   undef,
 				   undef,
-				   "",
+				   $extra_conf_options,
 				   "",
 				   undef);
 
-- 
1.9.1


From b6988c3288b8d73b45018b59e534bd72c6a41a63 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Mon, 25 Apr 2016 16:12:47 +0200
Subject: [PATCH 27/27] s3:selftest: add smbclient_ntlm tests

We test all combinations of NT1 with and without spnego and SMB3
for user, anonymous and guest authentication.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++++++++++++++++++
 source3/selftest/tests.py                   |  4 ++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100755 source3/script/tests/test_smbclient_ntlm.sh

diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
new file mode 100755
index 0000000..b8fc564
--- /dev/null
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+# this runs a smbclient based authentication tests
+
+if [ $# -lt 5 ]; then
+cat <<EOF
+Usage: test_smbclient_ntlm.sh SERVER USERNAME PASSWORD MAPTOGUEST SMBCLIENT <smbclient arguments>
+EOF
+exit 1;
+fi
+
+SERVER="$1"
+USERNAME="$2"
+PASSWORD="$3"
+MAPTOGUEST="$4"
+SMBCLIENT="$5"
+SMBCLIENT="$VALGRIND ${SMBCLIENT}"
+shift 5
+ADDARGS="$*"
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+testit "smbclient username.password.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS
+testit "smbclient username.password.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mNT1 -c quit $ADDARGS
+testit "smbclient username.password.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U$USERNAME%$PASSWORD -mSMB3 -c quit $ADDARGS
+
+testit "smbclient anonymous.nopassword.NT1OLD" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no -c quit $ADDARGS
+testit "smbclient anonymous.nopassword.NT1NEW" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mNT1 -c quit $ADDARGS
+testit "smbclient anonymous.nopassword.SMB3" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U% -mSMB3 -c quit $ADDARGS
+if test x"${MAPTOGUEST}" = x"never" ; then
+	testit_expect_failure "smbclient anonymous.badpassword.NT1NEW.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS
+	testit_expect_failure "smbclient anonymous.badpassword.SMB3.fail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS
+else
+	testit "smbclient anonymous.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mNT1 -c quit $ADDARGS
+	testit "smbclient anonymous.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -U%badpassword -mSMB3 -c quit $ADDARGS
+
+	testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
+	testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+fi
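Review bot: `MAPTOGUEST` is only ever compared against the literal `never`, so any other value (tests.py passes `baduser`) selects the guest-mapping expectations; a comment above the `if`, e.g. `# MAPTOGUEST: "never" expects bad credentials to be rejected, any other value expects them to be mapped to guest`, makes that contract explicit for callers. `exit 1;` carries a stray semicolon, and `incdir=\`dirname $0\`` is unquoted; `incdir=$(dirname "$0")/../../../testprogs/blackbox` is the POSIX form and survives paths with spaces.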
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 54b5136..2bd4110 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -129,8 +129,9 @@ for options in ["--option=clientusespnego=no", " --option=clientntlmv2auth=no --
     env = "nt4_dc"
     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) %s" % (env, options), env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, options])
 
-for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc_ntvfs", "s4member"]:
+for env in ["nt4_dc", "nt4_member", "ad_member", "ad_dc_ntvfs", "s4member", "fl2000dc"]:
     plantestsuite("samba3.blackbox.smbclient_machine_auth.plain (%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_machine_auth.sh"), '$SERVER', smbclient3, configuration])
+    plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$DC_USERNAME', '$DC_PASSWORD', "never", smbclient3, configuration])
 
 for env in ["nt4_dc", "nt4_member", "ad_member"]:
     plantestsuite("samba3.blackbox.smbclient_auth.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration])
@@ -159,6 +160,7 @@ for env in ["maptoguest", "simpleserver"]:
 
 env = "maptoguest"
 plantestsuite("samba3.blackbox.smbclient_auth.plain (%s) bad username" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_auth.sh"), '$SERVER', '$SERVER_IP', 'notmy$USERNAME', '$PASSWORD', smbclient3, configuration + " --option=clientntlmv2auth=no --option=clientlanmanauth=yes"])
+plantestsuite("samba3.blackbox.smbclient_ntlm.plain (%s)" % env, env, [os.path.join(samba3srcdir, "script/tests/test_smbclient_ntlm.sh"), '$SERVER', '$USERNAME', '$PASSWORD', "baduser", smbclient3, configuration])
 
 # plain
 for env in ["nt4_dc"]:
-- 
1.9.1
