ntlmssp errors against El Capitan's SMB Server

Stefan Metzmacher metze at samba.org
Thu Sep 1 06:25:20 UTC 2016


On 31.08.2016 at 23:18, Jeremy Allison wrote:
> On Wed, Aug 31, 2016 at 10:56:02PM +0200, Christian Ambach wrote:
>> On 31.08.16 at 18:13, Simo wrote:
>>
>>> I would call it just "SPNEGO_REQUIRE_SERVER_MIC" (instead of SMB_STYLE)
>>> and allow the SMB code paths to set it to No, the default should be to
>>> require it. The name should reflect what the knob actually wants and
>>> not where we actually use it this time, it'd be awkward and confusing
>>> to set "SMB_STYLE" if we figure we need to use it on another protocol.
>>
>> I think that most of the ordinary users of libsmbclient would prefer
>> that the checks are relaxed in the default configuration. For security
>> sensitive connections from Samba processes, we can set a flag that
>> enforces the check.
> 
> OK - here is a patchset for bug:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=11994
> 
> "smbclient fails to connect to Azure share spnego fails with no mechListMIC"
> 
> which already existed. Christian, can you test this version please?
> 
> If everyone is happy I'll push.

I just realized that we most likely don't need the extra
GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC.

The thing is that gensec_have_feature(GENSEC_FEATURE_SIGN) returns
true, while we just ask for GENSEC_FEATURE_SESSION_KEY.

Ambi, can you run some tests with each of the attached patches?
And with both of them applied? So I'd like to see captures of all 3
combinations together with their smbclient -d10 output.

Thanks!
metze
-------------- next part --------------
From a6b37fb1ae04636951f420a720d018b990a3c86e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 1 Sep 2016 08:08:23 +0200
Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB
 servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/gensec/spnego.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index ef30ab7..3fd2b80 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -55,6 +55,7 @@ struct spnego_state {
 
 	DATA_BLOB mech_types;
 	size_t num_targs;
+	bool downgraded;
 	bool mic_requested;
 	bool needs_mic_sign;
 	bool needs_mic_check;
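Review bot: The new downgraded member of struct spnego_state is undocumented, and it sits beside mic_requested, needs_mic_sign and needs_mic_check, whose meanings are close to it. A one-line comment stating that it records that the negotiated mech is not the client's preferred one would make the later check in gensec_spnego_update easier to audit.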
@@ -434,6 +435,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 					 * Indicate the downgrade and request a
 					 * mic.
 					 */
+					spnego_state->downgraded = true;
 					spnego_state->mic_requested = true;
 					break;
 				}
@@ -1078,7 +1080,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 				 gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
 				 gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
-
+			spnego_state->downgraded = true;
 			spnego_state->no_response_expected = false;
 			talloc_free(spnego_state->sub_sec_security);
 			nt_status = gensec_subcontext_start(spnego_state,
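Review bot: The two places that set downgraded are not symmetric: in gensec_spnego_parse_negTokenInit it is set together with mic_requested = true, while here, in the "client preferred mech not accepted" path, only downgraded is set. A short comment saying whether mic_requested is intentionally left untouched at this point would help. As a style point, the added line replaces the blank line after the DEBUG(3, ...) call; keeping that blank line and adding the assignment below it would leave the log statement visually separate from the state changes.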
@@ -1183,12 +1185,55 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			switch (spnego.negTokenTarg.negResult) {
 			case SPNEGO_ACCEPT_COMPLETED:
 			case SPNEGO_NONE_RESULT:
+				if (spnego_state->downgraded) {
+					/*
+					 * A downgrade should be protected if
+					 * supported
+					 */
+					break;
+				}
+
 				if (spnego_state->num_targs == 1) {
 					/*
 					 * the first exchange doesn't require
 					 * verification
 					 */
 					new_spnego = false;
+					break;
+				}
+
+				/*
+				 * The caller may just asked for
+				 * GENSEC_FEATURE_SESSION_KEY, this
+				 * is only reflected in the want_features.
+				 *
+				 * As it will imply
+				 * gensec_have_features(GENSEC_FEATURE_SIGN)
+				 * to return true.
+				 */
+				if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+					break;
+				}
+				if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+					break;
+				}
+				/*
+				 * Here we're sure our preferred mech was
+				 * selected by the server and our caller doesn't
+				 * need GENSEC_FEATURE_SIGN nor
+				 * GENSEC_FEATURE_SEAL support.
+				 *
+				 * In this case we don't require
+				 * a mechListMIC from the server.
+				 *
+				 * This works around bugs in the Azure
+				 * and Apple spnego implementations.
+				 *
+				 * See
+				 * https://bugzilla.samba.org/show_bug.cgi?id=11994
+				 */
+				if (spnego.negTokenTarg.mechListMIC.length == 0) {
+					new_spnego = false;
 				}
 				break;
 
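Review bot: The final fallback in the SPNEGO_ACCEPT_COMPLETED / SPNEGO_NONE_RESULT branch, which sets new_spnego = false when spnego.negTokenTarg.mechListMIC.length == 0, is silent. A DEBUG line there, like the DEBUG(3, ...) used in the mech-not-accepted path, would show in the requested smbclient -d10 output that the server mechListMIC requirement was skipped and why. The comment above the want_features tests reads "may just asked" and names gensec_have_features(), whereas the cover mail names gensec_have_feature(); suggest "may have asked only for GENSEC_FEATURE_SESSION_KEY" and the singular function name. It would also be worth saying explicitly in that comment that a caller requesting only GENSEC_FEATURE_SESSION_KEY takes the relaxed path by design, since the decision rests on want_features carrying neither GENSEC_FEATURE_SIGN nor GENSEC_FEATURE_SEAL.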
-- 
1.9.1

-------------- next part --------------
From 578033867cad629744aa26912c22c8794be2aeb5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 1 Sep 2016 08:21:32 +0200
Subject: [PATCH] HACK auth/ntlmssp/ntlmssp.c add unknown preferred OID

---
 auth/ntlmssp/ntlmssp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 4abab88..da31062 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -204,6 +204,7 @@ static NTSTATUS gensec_ntlmssp_may_reset_crypto(struct gensec_security *gensec_s
 }
 
 static const char *gensec_ntlmssp_oids[] = {
+	/* HACK */"1.3.6.1.4.1.7165.9.8.7.6.5.4.3.2.1",
 	GENSEC_OID_NTLMSSP,
 	NULL
 };
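Review bot: The inline /* HACK */ marker on the new first entry of gensec_ntlmssp_oids does not say what the entry is for, and the commit carries no description, BUG tag or Signed-off-by. If it stays in the test series, a comment stating that the unknown OID is placed ahead of GENSEC_OID_NTLMSSP only to force the server to pick a mech other than the client's preferred one (the downgraded path of the spnego.c patch) would prevent it being mistaken for a real change, and the subject should make clear it is not meant to be pushed.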
-- 
1.9.1
