[Patches] Fix GENSEC_FEATURE_LDAP_STYLE handling as server (NTLMSSP NTLM2 packet check failed due to invalid signature!) (bug #13427)

Andrew Bartlett abartlet at samba.org
Mon May 14 10:02:14 UTC 2018


On Wed, 2018-05-09 at 15:13 +0200, Ralph Böhme via samba-technical
wrote:
> On Wed, May 09, 2018 at 02:37:32PM +0200, Stefan Metzmacher via samba-technical wrote:
> > here're patches to demonstrate and fix a regression of our server side
> > GENSEC_FEATURE_LDAP_STYLE handling.
> 
> would you mind explaining the logic behind GENSEC_FEATURE_LDAP_STYLE and why
> NTLMSSP_NEGOTIATE_SIGN implies NTLMSSP_NEGOTIATE_SEAL over LDAP? Thanks!
> 
> > From 109f0487abdafc16a31a221f1ff57dccb0b2a775 Mon Sep 17 00:00:00 2001
> > From: Stefan Metzmacher <metze at samba.org>
> > Date: Mon, 7 May 2018 14:50:27 +0200
> > Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE
> >  as a server
> > 
> > This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
> > error messages, which were generated if the client only sends
> > NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
> > connection.
> > 
> > This fixes a regression in the combination of commits
> > 77adac8c3cd2f7419894d18db735782c9646a202 and
> > 3a0b835408a6efa339e8b34333906bfe3aacd6e3.
> > 
> > We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
> > of the authentication (as a server), while we need to (and already
> > do so at the beginning as a client).
> 
> Oh, and btw, this commit message is in need of some love. :)

G'Day,

I'm sorry, but I'm with Ralph on this one.  I tried to make sense of
what is going on here, but I can't.  Can you explain this with a bit
more background?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



