ntlmssp errors against El Capitan's SMB Server
Jeremy Allison
jra at samba.org
Wed Aug 31 21:18:31 UTC 2016
On Wed, Aug 31, 2016 at 10:56:02PM +0200, Christian Ambach wrote:
> On 31.08.16 at 18:13, Simo wrote:
>
> > I would call it just "SPNEGO_REQUIRE_SERVER_MIC" (instead of SMB_STYLE)
> > and allow the SMB code paths to set it to No, the default should be to
> > require it. The name should reflect what the knob actually wants and
> > not where we actually use it this time, it'd be awkward and confusing
> > to set "SMB_STYLE" if we figure we need to use it on another protocol.
>
> I think that most of the ordinary users of libsmbclient would prefer
> that the checks are relaxed in the default configuration. For security
> sensitive connections from Samba processes, we can set a flag that
> enforces the check.
OK - here is a patchset for bug:
https://bugzilla.samba.org/show_bug.cgi?id=11994
"smbclient fails to connect to Azure share spnego fails with no mechListMIC"
which already existed. Christian can you test this version please ?
If everyone is happy I'll push.
Cheers,
Jeremy.
-------------- next part --------------
From 5739fba0cff2086e91c80b14e5d59a42e1fe26cc Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 31 Aug 2016 12:33:19 -0700
Subject: [PATCH 1/3] auth: gensec: Add new flag
GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
Signed-off-by: Jeremy Allison <jra at samba.org>
---
auth/gensec/gensec.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index e8bd7b1..8eb3173 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -63,6 +63,7 @@ struct gensec_target {
#define GENSEC_FEATURE_UNIX_TOKEN 0x00000100
#define GENSEC_FEATURE_NTLM_CCACHE 0x00000200
#define GENSEC_FEATURE_LDAP_STYLE 0x00000400
+#define GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC 0x00000800
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
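Review bot: The macro name on the added line spells the mechanism SPENGO instead of SPNEGO (`GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC`); rename it now, since patches 2/3 and 3/3 of this series already depend on the misspelled name. The flag relaxes an integrity check, so a one-line comment above the define stating that it lets the client accept an accept-completed reply without a mechListMIC would also help anyone auditing feature flags later.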
--
2.8.0.rc3.226.g39d4020
From c2bb4767f77947fdbfe059f253cb313084f29606 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 31 Aug 2016 13:13:08 -0700
Subject: [PATCH 2/3] auth: gensec: Implement spnego feature
GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC.
Needed for Microsoft Azure and Apple El Capitan SMB Servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
Signed-off-by: Jeremy Allison <jra at samba.org>
---
auth/gensec/spnego.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index ef30ab7..4db44af 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1171,6 +1171,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
{
bool have_sign = true;
bool new_spnego = false;
+ bool ignore_mic = false;
have_sign = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_SIGN);
@@ -1182,6 +1183,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
switch (spnego.negTokenTarg.negResult) {
case SPNEGO_ACCEPT_COMPLETED:
+ /*
+ * Does the client want us to ignore the
+ * fact the server didn't send a mechListMIC
+ * in the accept-completed reply ?
+ * Microsoft Azure and Apple El Capitan
+ * SMB Servers have this bug.
+ */
+ ignore_mic = gensec_have_feature(
+ spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC);
+ if (ignore_mic &&
+ spnego.negTokenTarg.mechListMIC.length
+ == 0) {
+ new_spnego = false;
+ }
+ break;
+
case SPNEGO_NONE_RESULT:
if (spnego_state->num_targs == 1) {
/*
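Review bot: The `break;` added at the end of the SPNEGO_ACCEPT_COMPLETED case is unconditional, so it is taken even when ignore_mic is false or the server did send a mechListMIC. The context lines show `case SPNEGO_ACCEPT_COMPLETED:` sitting directly above `case SPNEGO_NONE_RESULT:`, so the case used to fall through into the num_targs handling and now never does, which changes behaviour for callers that never asked for the feature. Suggest moving the `break;` inside the `if (ignore_mic && ...)` block so the default path stays as it was. Also worth confirming: the flag is read from spnego_state->sub_sec_security here, while patch 3/3 sets it on state->auth_generic->gensec_security, so the feature has to propagate to the sub-mechanism for this test to ever be true.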
--
2.8.0.rc3.226.g39d4020
From cee5ffe89e5b1aa4c9a0e423803f59a4e9a29b92 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Wed, 31 Aug 2016 13:15:14 -0700
Subject: [PATCH 3/3] s3: libsmb: Allow connection to SMB servers that don't
return a mechListMic value in the final accept-complete spnego exchange.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994
Signed-off-by: Jeremy Allison <jra at samba.org>
---
source3/libsmb/cliconnect.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9c8851f..b007c2a 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1348,6 +1348,8 @@ static struct tevent_req *cli_session_setup_gensec_send(
gensec_want_feature(state->auth_generic->gensec_security,
GENSEC_FEATURE_SESSION_KEY);
+ gensec_want_feature(state->auth_generic->gensec_security,
+ GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC);
if (cli->use_ccache) {
gensec_want_feature(state->auth_generic->gensec_security,
GENSEC_FEATURE_NTLM_CCACHE);
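Review bot: The added gensec_want_feature() call sits outside any condition, unlike the `if (cli->use_ccache)` block right below it, so every session setup that goes through cli_session_setup_gensec_send() accepts a missing server mechListMIC and no caller can ask for the check to be enforced. The thread above argues for both defaults; whichever is chosen, gate this call on a client setting or flag so that security-sensitive connections can keep the MIC check, and add a short comment naming the servers that need the relaxation.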
--
2.8.0.rc3.226.g39d4020