ntlmssp errors against El Capitan's SMB Server

Stefan Metzmacher metze at samba.org
Thu Sep 1 13:02:06 UTC 2016


On 01.09.2016 at 08:25, Stefan Metzmacher wrote:
> On 31.08.2016 at 23:18, Jeremy Allison wrote:
>> On Wed, Aug 31, 2016 at 10:56:02PM +0200, Christian Ambach wrote:
>>> On 31.08.16 at 18:13, Simo wrote:
>>>
>>>> I would call it just "SPNEGO_REQUIRE_SERVER_MIC" (instead of SMB_STYLE)
>>>> and allow the SMB code paths to set it to No, the default should be to
>>>> require it. The name should reflect what the knob actually wants and
>>>> not where we actually use it this time, it'd be awkward and confusing
>>>> to set "SMB_STYLE" if we figure we need to use it on another protocol.
>>>
>>> I think that most of the ordinary users of libsmbclient would prefer
>>> that the checks are relaxed in the default configuration. For security
>>> sensitive connections from Samba processes, we can set a flag that
>>> enforces the check.
>>
>> OK - here is a patchset for bug:
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=11994
>>
>> "smbclient fails to connect to Azure share spnego fails with no mechListMIC"
>>
>> which already existed. Christian can you test this version please ?
>>
>> If everyone is happy I'll push.
> 
> I just realized that we most likely don't need the extra
> GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC.
> 
> The thing is that gensec_have_feature(GENSEC_FEATURE_SIGN) returns
> true, while we just ask for GENSEC_FEATURE_SESSION_KEY.
> 
> Ambi, can you do some tests with each of the attached patches?
> And with both of them applied? So I'd like to see captures of all 3
> combinations together with their smbclient -d10 output.

These don't work as Jeremy's original patch also doesn't (at least for me).

The HACK patch with the unknown OID is rejected with LOGON_FAILURE
by the Apple server, while the downgrade to the known NTLMSSP oid
works as expected against Windows.

The attached patch (tmp.diff.txt) fixes the problem for me against
an Apple server, can anyone test against Azure?

The new "HACK: source3/libsmb/cliconnect.c require GENSEC_FEATURE_SIGN"
patch shows that we still trigger the ACCESS_DENIED if GENSEC_FEATURE_SIGN is
requested.

metze
-------------- next part --------------
From 4f345c116ef78d8ed4cad7964bae4f8088e28caf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 1 Sep 2016 08:08:23 +0200
Subject: [PATCH] gensec/spnego: work around missing server mechListMIC in SMB
 servers

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11994

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/gensec/spnego.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index ef30ab7..5f5047a 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -55,9 +55,11 @@ struct spnego_state {
 
 	DATA_BLOB mech_types;
 	size_t num_targs;
+	bool downgraded;
 	bool mic_requested;
 	bool needs_mic_sign;
 	bool needs_mic_check;
+	bool may_skip_mic_check;
 	bool done_mic_check;
 
 	bool simulate_w2k;
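Review bot: The two new fields in struct spnego_state, `downgraded` and `may_skip_mic_check`, are added without any comment, although they now decide whether the server's mechListMIC is verified. A one-line comment on each would help: `downgraded` is set when the negotiated mech is not the client's preferred one, and `may_skip_mic_check` is set only when no downgrade happened and the caller did not request GENSEC_FEATURE_SIGN or GENSEC_FEATURE_SEAL.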
@@ -434,6 +436,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 					 * Indicate the downgrade and request a
 					 * mic.
 					 */
+					spnego_state->downgraded = true;
 					spnego_state->mic_requested = true;
 					break;
 				}
@@ -1078,7 +1081,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
 				 gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid),
 				 gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech)));
-
+			spnego_state->downgraded = true;
 			spnego_state->no_response_expected = false;
 			talloc_free(spnego_state->sub_sec_security);
 			nt_status = gensec_subcontext_start(spnego_state,
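Review bot: The blank line after the DEBUG(3, ...) call is replaced by `spnego_state->downgraded = true;` instead of being kept, so the state change now runs straight on from the log statement and is easy to miss. Keep the blank line and add the assignment below it, ideally with a short comment like the "Indicate the downgrade" one that sits above the same assignment in gensec_spnego_parse_negTokenInit.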
@@ -1135,6 +1138,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 				return NT_STATUS_INVALID_PARAMETER;
 			}
 
+			if (spnego.negTokenTarg.mechListMIC.length == 0
+			    && spnego_state->may_skip_mic_check) {
+				/*
+				 * In this case we don't require
+				 * a mechListMIC from the server.
+				 *
+				 * This works around bugs in the Azure
+				 * and Apple spnego implementations.
+				 *
+				 * See
+				 * https://bugzilla.samba.org/show_bug.cgi?id=11994
+				 */
+				spnego_state->needs_mic_check = false;
+				nt_status = NT_STATUS_OK;
+				goto client_response;
+			}
+
 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 							spnego_state->mech_types.data,
 							spnego_state->mech_types.length,
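Review bot: The new branch that skips gensec_check_packet() when `mechListMIC.length == 0` and `may_skip_mic_check` is set clears `needs_mic_check` and jumps to `client_response` without logging anything, so a session that completed without mechListMIC verification cannot be told apart in the debug output from one where the MIC was checked. Add a DEBUG line in the style of the existing "GENSEC SPNEGO:" messages before the `goto`, so the relaxed path is visible in the smbclient -d10 traces requested in this thread.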
@@ -1190,9 +1210,56 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 					 */
 					new_spnego = false;
 				}
+
 				break;
 
 			case SPNEGO_ACCEPT_INCOMPLETE:
+				if (spnego.negTokenTarg.mechListMIC.length > 0) {
+					new_spnego = true;
+					break;
+				}
+
+				if (spnego_state->downgraded) {
+					/*
+					 * A downgrade should be protected if
+					 * supported
+					 */
+					break;
+				}
+
+				/*
+				 * The caller may just asked for
+				 * GENSEC_FEATURE_SESSION_KEY, this
+				 * is only reflected in the want_features.
+				 *
+				 * As it will imply
+				 * gensec_have_features(GENSEC_FEATURE_SIGN)
+				 * to return true.
+				 */
+				if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+					break;
+				}
+				if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+					break;
+				}
+				/*
+				 * Here we're sure our preferred mech was
+				 * selected by the server and our caller doesn't
+				 * need GENSEC_FEATURE_SIGN nor
+				 * GENSEC_FEATURE_SEAL support.
+				 *
+				 * In this case we don't require
+				 * a mechListMIC from the server.
+				 *
+				 * This works around bugs in the Azure
+				 * and Apple spnego implementations.
+				 *
+				 * See
+				 * https://bugzilla.samba.org/show_bug.cgi?id=11994
+				 */
+				spnego_state->may_skip_mic_check = true;
+				break;
+
 			case SPNEGO_REQUEST_MIC:
 				if (spnego.negTokenTarg.mechListMIC.length > 0) {
 					new_spnego = true;
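Review bot: In the new SPNEGO_ACCEPT_INCOMPLETE case, the `downgraded`, GENSEC_FEATURE_SIGN and GENSEC_FEATURE_SEAL branches all `break` without touching any state, so the fact that they keep the mechListMIC mandatory is only implied by `may_skip_mic_check` staying false. The "A downgrade should be protected if supported" comment should say that explicitly, and the two `want_features` tests could be merged into one check against `(GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL)`. Two smaller points: the comment reads "The caller may just asked for" (should be "may have just asked for"), and the hunk adds an unrelated blank line before the `break;` of the preceding case.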
-- 
1.9.1

-------------- next part --------------
From 23b8aa8350224cb7121bd7a5ff8cfb1d2d21f197 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Thu, 1 Sep 2016 14:51:22 +0200
Subject: [PATCH] HACK: source3/libsmb/cliconnect.c require GENSEC_FEATURE_SIGN

---
 source3/libsmb/cliconnect.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9c8851f..fe8fd4d 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1348,6 +1348,8 @@ static struct tevent_req *cli_session_setup_gensec_send(
 
 	gensec_want_feature(state->auth_generic->gensec_security,
 			    GENSEC_FEATURE_SESSION_KEY);
+	gensec_want_feature(state->auth_generic->gensec_security,
+			    GENSEC_FEATURE_SIGN);
 	if (cli->use_ccache) {
 		gensec_want_feature(state->auth_generic->gensec_security,
 				    GENSEC_FEATURE_NTLM_CCACHE);
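Review bot: The added gensec_want_feature(..., GENSEC_FEATURE_SIGN) call in cli_session_setup_gensec_send is unconditional and the commit carries no description or Signed-off-by beyond the "HACK:" subject, so nothing in the patch itself records that it is a test aid. A sentence in the commit message stating that it exists only to exercise the GENSEC_FEATURE_SIGN path of the spnego.c change, and is not intended for merging, would prevent it from being picked up with the real fix.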
-- 
1.9.1
