The branch, master has been updated
       via  711a420 selftest: Add test for GSSAPI with no authenticator 
checksum mode
       via  ddee603 heimdal/gssapi: Allow a NULL authenticator
       via  6224ac9 gensec: Add an option emulating another mode a client 
building GSSAPI/krb5 manually uses
      from  78075cf waf: Add talloc as a dependency

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 711a420eef90026bc08c8630a8ccd0e0a78207ef
Author: Andrew Bartlett <[email protected]>
Date:   Fri Jun 26 19:15:31 2015 +1200

    selftest: Add test for GSSAPI with no authenticator checksum mode
    
    This was seen in the wild, with a Huawei Unified Storage System S5500 V3 
against the AD DC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
    
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>
    
    Autobuild-User(master): Andrew Bartlett <[email protected]>
    Autobuild-Date(master): Wed Aug  5 09:43:40 CEST 2015 on sn-devel-104

commit ddee603b5e5325129ffacbfb18a260a3d807a6e1
Author: Andrew Bartlett <[email protected]>
Date:   Fri Jun 26 19:14:56 2015 +1200

    heimdal/gssapi: Allow a NULL authenticator
    
    Some non-GSSAPI implementations that instead try to create compatible 
packets by wrapping krb5_mk_req()
    can trigger a NULL authenticator here.  Assume this to be equvilent to 
specifying an all-zero
    channel bindings and some reasonable (fixed) flags.
    
    This was seen in the wild, with a Huawei Unified Storage System S5500 V3 
against the AD DC
    
    Original patch by Andrew Bartlett, restructured by Douglas Bagnall
    
    Cherry-picked from upstream GIT 0a5de96d72cdea9e465412d7dba1e5d13e53dc09
    which is the merge of https://github.com/heimdal/heimdal/pull/134
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
    Signed-off-by: Andrew Bartlett <[email protected]>
    Signed-off-by: Douglas Bagnall <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>

commit 6224ac9cf4b04aa64fa2ee13267b76598319b042
Author: Andrew Bartlett <[email protected]>
Date:   Fri Jun 26 19:14:13 2015 +1200

    gensec: Add an option emulating another mode a client building GSSAPI/krb5 
manually uses
    
    This was seen in the wild, with a Huawei Unified Storage System S5500 V3 
against the AD DC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
    Signed-off-by: Andrew Bartlett <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/gensec/gensec_krb5.c                  | 13 ++--
 .../heimdal/lib/gssapi/krb5/accept_sec_context.c   | 71 +++++++++++-----------
 source4/selftest/tests.py                          |  1 +
 3 files changed, 45 insertions(+), 40 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/auth/gensec/gensec_krb5.c 
b/source4/auth/gensec/gensec_krb5.c
index b1ecd18..23c26f6 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -285,9 +285,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct 
gensec_security *gensec_s
        const char *error_string;
        const char *principal;
        const char *hostname;
-       krb5_data in_data;
+       krb5_data in_data = { .length = 0 };
+       krb5_data *in_data_p = NULL;
        struct tevent_context *previous_ev;
 
+       if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
+                           NULL, "gensec_krb5", "send_authenticator_checksum", 
true)) {
+               in_data_p = &in_data;
+       }
+       
        gensec_krb5_state = (struct gensec_krb5_state 
*)gensec_security->private_data;
 
        principal = gensec_get_target_principal(gensec_security);
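Review bot: The new `send_authenticator_checksum` parameter is read without any comment saying what a NULL in_data changes on the wire, so a reader of gensec_krb5_common_client_creds cannot tell that this is an emulation knob that drops the authenticator checksum (and with it the channel-binding hash and GSSAPI flags that checksum carries) rather than an ordinary tuning option. I would put `/* gensec_krb5:send_authenticator_checksum = false emulates clients that build the AP-REQ with krb5_mk_req() and no authenticator checksum; intended for interop testing only, since no channel bindings are conveyed */` above the lpcfg_parm_bool() call. The added line after the closing brace is whitespace-only and should be blank. The later hunks of this file only substitute in_data_p for &in_data and need no separate note; the function starts and ends outside the hunk.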
@@ -313,7 +319,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct 
gensec_security *gensec_s
                DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials 
failed: %s\n", error_string));
                return NT_STATUS_UNSUCCESSFUL;
        }
-       in_data.length = 0;
        
        /* Do this every time, in case we have weird recursive issues here */
        ret = 
smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, 
&previous_ev);
@@ -330,7 +335,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct 
gensec_security *gensec_s
                                                
&gensec_krb5_state->auth_context,
                                                
gensec_krb5_state->ap_req_options, 
                                                target_principal,
-                                               &in_data, 
ccache_container->ccache, 
+                                               in_data_p, 
ccache_container->ccache, 
                                                &gensec_krb5_state->enc_ticket);
                        
krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
                                            target_principal);
@@ -341,7 +346,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct 
gensec_security *gensec_s
                                  gensec_krb5_state->ap_req_options,
                                  gensec_get_target_service(gensec_security),
                                  hostname,
-                                 &in_data, ccache_container->ccache, 
+                                 in_data_p, ccache_container->ccache, 
                                  &gensec_krb5_state->enc_ticket);
        }
 
diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c 
b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 5a00e12..cfe27ac 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
            return ret;
        }
 
-       if (authenticator->cksum == NULL) {
-           krb5_free_authenticator(context, &authenticator);
-           *minor_status = 0;
-           return GSS_S_BAD_BINDINGS;
-       }
-
-        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+        if (authenticator->cksum != NULL
+           && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
             ret = _gsskrb5_verify_8003_checksum(minor_status,
                                                input_chan_bindings,
                                                authenticator->cksum,
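Review bot: Dropping the `cksum == NULL` rejection means an authenticator with no checksum now bypasses _gsskrb5_verify_8003_checksum entirely, so whatever input_chan_bindings the acceptor passed in are never compared against anything; the commit message treats the missing checksum as all-zero bindings, but nothing in the hunk checks that the acceptor side also asked for none. Unless the all-zero case is already tolerated elsewhere in the verify path, I would keep a narrower guard, `if (authenticator->cksum == NULL && input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS)` with the removed free/`GSS_S_BAD_BINDINGS` body, so the relaxation applies only where the acceptor does not rely on bindings. gsskrb5_acceptor_start begins before this hunk and continues past it.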
@@ -528,44 +523,48 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
                return ret;
            }
         } else {
-           krb5_crypto crypto;
-
-           kret = krb5_crypto_init(context,
-                                   ctx->auth_context->keyblock,
-                                   0, &crypto);
-           if(kret) {
+           if (authenticator->cksum != NULL) {
+               krb5_crypto crypto;
+
+               kret = krb5_crypto_init(context,
+                                       ctx->auth_context->keyblock,
+                                       0, &crypto);
+               if(kret) {
+                   krb5_free_authenticator(context, &authenticator);
+
+                   ret = GSS_S_FAILURE;
+                   *minor_status = kret;
+                   return ret;
+               }
+
+               /*
+                * Windows accepts Samba3's use of a kerberos, rather than
+                * GSSAPI checksum here
+                */
+
+               kret = krb5_verify_checksum(context,
+                                           crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, 
NULL, 0,
+                                           authenticator->cksum);
                krb5_free_authenticator(context, &authenticator);
+               krb5_crypto_destroy(context, crypto);
 
-               ret = GSS_S_FAILURE;
-               *minor_status = kret;
-               return ret;
+               if(kret) {
+                   ret = GSS_S_BAD_SIG;
+                   *minor_status = kret;
+                   return ret;
+               }
            }
 
            /*
-            * Windows accepts Samba3's use of a kerberos, rather than
-            * GSSAPI checksum here
+            * If there is no checksum or a kerberos checksum (which Windows
+            * and Samba accept), we use the ap_options to guess the mutual
+            * flag.
             */
 
-           kret = krb5_verify_checksum(context,
-                                       crypto, KRB5_KU_AP_REQ_AUTH_CKSUM, 
NULL, 0,
-                                       authenticator->cksum);
-           krb5_free_authenticator(context, &authenticator);
-           krb5_crypto_destroy(context, crypto);
-
-           if(kret) {
-               ret = GSS_S_BAD_SIG;
-               *minor_status = kret;
-               return ret;
-           }
-
-           /*
-            * Samba style get some flags (but not DCE-STYLE), use
-            * ap_options to guess the mutual flag.
-            */
-           ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+           ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
            if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
                ctx->flags |= GSS_C_MUTUAL_FLAG;
-        }
+       }
     }
 
     if(ctx->flags & GSS_C_MUTUAL_FLAG) {
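Review bot: On the new no-checksum path the authenticator is never released inside the hunk: `krb5_free_authenticator` is now called only inside the `cksum != NULL` block (after krb5_verify_checksum and on the krb5_crypto_init failure), so when cksum is NULL control reaches the `ctx->flags` assignment with `authenticator` still allocated, which leaks unless the remainder of gsskrb5_acceptor_start frees it later. I would drop the free that follows `krb5_verify_checksum`, add `krb5_free_authenticator(context, &authenticator);` to the `if(kret)` GSS_S_BAD_SIG branch before its return, and place one `krb5_free_authenticator(context, &authenticator);` after the mutual-flag `if` so both the kerberos-checksum and the no-checksum branches release it. The enclosing function starts before the hunk and ends after it.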
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 6a30164..3bc820c 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -185,6 +185,7 @@ for env in ["ad_dc_ntvfs", "fl2000dc", "fl2003dc", 
"fl2008r2dc", "ad_dc"]:
     plansmbtorture4testsuite('rpc.lsa.secrets', env, 
["%s:$SERVER[target_principal=$NETBIOSNAME\$]" % (transport, ), '-k', 'yes', 
'-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s 
with Kerberos - netbios name principal dollar" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets', env, 
["%s:$SERVER[target_principal=$NETBIOSNAME]" % (transport, ), '-k', 'yes', 
'-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.lsa.secrets on %s 
with Kerberos - netbios name principal" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % 
transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', 
"--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', 
'--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s 
with Kerberos - use Samba3 style login" % transport)
+    plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % 
transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', 
"--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', 
'--option=gensec:target_hostname=$NETBIOSNAME', 
'--option=gensec_krb5:send_authenticator_checksum=false'], 
"samba4.rpc.lsa.secrets on %s with Kerberos - use 
raw-krb5-no-authenticator-checksum style login" % transport)
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % 
transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', 
"--option=clientusespnegoprincipal=yes", 
'--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', 
'--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s 
with Kerberos - use Samba3 style login, use target principal" % transport)
 
     # Winreg tests test bulk Kerberos encryption of DCE/RPC
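Review bot: The added test exercises only the accepting side of the change: it runs rpc.lsa.secrets.none* with `gensec_krb5:send_authenticator_checksum=false` and passes when the AD DC tolerates the checksum-less AP-REQ, but nothing here would catch the acceptor accepting such a request more broadly than intended. A comment on the new line, `# exercises the NULL authenticator checksum path in heimdal accept_sec_context.c`, would at least make the dependence on that acceptor change visible to whoever next touches either side. The new line also repeats the previous invocation verbatim apart from one option; a shared list of base options would keep the two in step.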


-- 
Samba Shared Repository
