[Patches] Fix GENSEC_FEATURE_LDAP_STYLE handling as server (NTLMSSP NTLM2 packet check failed due to invalid signature!) (bug #13427)

Ralph Böhme slow at samba.org
Wed May 9 13:13:29 UTC 2018


On Wed, May 09, 2018 at 02:37:32PM +0200, Stefan Metzmacher via samba-technical wrote:
> here're patches to demonstrate and fix a regression of our server side
> GENSEC_FEATURE_LDAP_STYLE handling.

would you mind explaining the logic behind GENSEC_FEATURE_LDAP_STYLE and why
NTLMSSP_NEGOTIATE_SIGN implies NTLMSSP_NEGOTIATE_SEAL over LDAP? Thanks!

> From 109f0487abdafc16a31a221f1ff57dccb0b2a775 Mon Sep 17 00:00:00 2001
> From: Stefan Metzmacher <metze at samba.org>
> Date: Mon, 7 May 2018 14:50:27 +0200
> Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE
>  as a server
> 
> This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
> error messages, which were generated if the client only sends
> NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
> connection.
> 
> This fixes a regression in the combination of commits
> 77adac8c3cd2f7419894d18db735782c9646a202 and
> 3a0b835408a6efa339e8b34333906bfe3aacd6e3.
> 
> We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
> of the authentication (as a server), while we need to (and already
> do so at the beginning as a client).

Oh, and btw, this commit message is in need of some love. :)

-slow

-- 
Ralph Boehme, Samba Team       https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG Key Fingerprint:           FAE2 C608 8A24 2520 51C5
                               59E4 AA1E 9B71 2639 9E46


