ntlmssp errors against El Capitan's SMB Server
Stefan Metzmacher
metze at samba.org
Wed Aug 31 08:20:35 UTC 2016
Hi Jeremy,
> note the 'ntlmssp_state->new_spnego = true' when timestamp != NULL.
>
> And it looks like the Windows client doesn't check the
> mechlistMIC in this case, so we might need to losen our
> check also.
>
> This would also fix the smbclient connecting to the Microsoft
> Azure server problem - that server also only does NTLM and
> doesn't send the mechlistMIC in the ACCEPT_COMPLETED reply.
>
> Attached is a possible patch, but I'm *really* unsure
> if this is safe w.r.t. downgrade attacks.
>
> Metze, can you take a look at this and let me know what you
> think ?
The problem I see with this is that client doesn't know
if the server processed the mechListMIC.
Which has implications on:
if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;
gensec_security->child_security =
spnego_state->sub_sec_security;
reset_full = !spnego_state->done_mic_check;
status =
gensec_may_reset_crypto(spnego_state->sub_sec_security,
reset_full);
}
@Simo: We discussed that the reset_full parameter might not be required,
but I think
these "broken/lazy" servers would be the reason to have it there.
As this problem hopefully only present at the SMB* protocols, which have
their own
signing/encrytion implementations, I'd propose to add a
GENSEC_FEATURE_SMB_STYLE
and allow Jeremy's change only if GENSEC_FEATURE_SMB_STYLE is present.
(We already have GENSEC_FEATURE_DCE_STYLE and GENSEC_FEATURE_LDAP_STYLE
so adding GENSEC_FEATURE_SMB_STYLE would be a similar way to work around
SMB specific
implementation bugs).
What do you think?
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160831/aa280e66/signature.sig>
More information about the samba-technical
mailing list