ntlmssp errors against El Capitan's SMB Server

Jeremy Allison jra at samba.org
Thu Sep 1 20:43:57 UTC 2016


On Thu, Sep 01, 2016 at 09:34:05PM +0200, Stefan Metzmacher wrote:
> On 01.09.2016 at 20:57, Jeremy Allison wrote:
> > On Thu, Sep 01, 2016 at 03:02:06PM +0200, Stefan Metzmacher wrote:
> >>
> >> These don't work as Jeremy's original patch also doesn't (at least for me).
> > 
> > Not surprised, my patch was deduced by "PURE LOGIC (tm)" without
> > access to an El Capitan server :-). I'm trying to get access to
> > one to figure out the exact details.
> > 
> >> The HACK patch with the unknown OID is rejected with LOGON_FAILURE
> >> by the Apple server, while the downgrade to the known NTLMSSP oid
> >> works as expected against Windows.
> >>
> >> The attached patch (tmp.diff.txt) fixes the problem for me against
> >> an Apple server, can anyone test against Azure?
> > 
> > Did you test this patch running against the Apple server with
> > smbclient requiring SMB signing ? With this patch that will fail
> > right ?
> > 
> > (we'll still expect the mechListMic and the server doesn't
> > ever send it).
> > 
> >> The new "HACK: source3/libsmb/cliconnect.c require GENSEC_FEATURE_SIGN"
> >> patch
> >> shows that still trigger the ACCESS_DENIED if GENSEC_FEATURE_SIGN is
> >> requested.
> > 
> > Does the Windows client fail against the Apple server if signing
> > is required ? Or do they enforce a mechListMic check in this case ?
> 
> SMB signing uses just GENSEC_FEATURE_SESSION_KEY and not
> GENSEC_FEATURE_SIGN,
> so I don't think there's any difference with SMB signing,
> but I'll test that tomorrow against Ralph's apple server.

Yep, just went through the code logic and figured that out
myself :-). Sorry for the noise :-).

> So with tmp.diff.txt (alone) it all worked against it with SMB1 and SMB3,
> without required signing.

Once we've checked that SMB sign+seal works also I
think we can push your patch. Thanks for the tests !


