The branch, master has been updated
       via  eee88e0 s3:selftest: add smbclient_ntlm tests
       via  4de4338 selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
       via  587b5db selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
       via  7091033 s3:test_smbclient_auth.sh: this script requires 5 arguments
       via  b8055cb selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
       via  7a2cb2c auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing
       via  db9c01a auth/spnego: add spnego:simulate_w2k option for testing
       via  d667520 auth/ntlmssp: do map to guest checking after the authentication
       via  79a7154 s3:smbd: only mark real guest sessions with the GUEST flag
       via  25ce978 s3:smbd: make use SMB_SETUP_GUEST constant
       via  837e617 libcli/security: implement SECURITY_GUEST
       via  ead483b s3:auth_builtin: anonymous authentication doesn't allow a password
       via  d247dce s4:auth_anonymous: anonymous authentication doesn't allow a password
       via  6546295 auth/spnego: only try to verify the mechListMic if signing was negotiated.
       via  e72ad19 s3:libsmb: use anonymous authentication via spnego if possible
       via  fa57992 s3:libsmb: don't finish the gensec handshake for guest logins
       via  02c9021 s3:libsmb: record the session setup action flags
       via  8f4a4be libcli/smb: add smbXcli_session_is_guest() helper function
       via  cceaa61 libcli/smb: add SMB1 session setup action flags
       via  e6f9e17 libcli/smb: add smb1cli_session_set_action() helper function
       via  8e016ff libcli/smb: fix NULL pointer dereference in smbXcli_session_is_authenticated().
       via  53be474 s3:libsmb: use password = NULL for anonymous connections
       via  d97b347 auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
       via  5041adb auth/ntlmssp: don't require any flags in the ccache_resume code
       via  032c273 auth/spnego: handle broken mechListMIC response from Windows 2000
       via  9930bd1 auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'
       via  b659503 s3:librpc:crypto:gse: increase debug level for gse_init_client().
       via  95b8b02 lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().
       via  795e796 s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
       via  8704958 s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
      from  4158729 selftest: add common_test_fns.inc

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit eee88e07b3e68efb467b390536eea4155b5ced7e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 25 16:12:47 2016 +0200

    s3:selftest: add smbclient_ntlm tests

    We test all combinations of NT1 with and without spnego and SMB3 for
    user, anonymous and guest authentication.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu Apr 28 20:16:45 CEST 2016 on sn-devel-144

commit 4de43387235cb17a185fdd1afd658972e8c174ef
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 25 16:02:22 2016 +0200

    selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 587b5db7979c1ca1055f5bfd81ab79606cd3c2dd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 01:00:14 2016 +0200

    selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 70910334caa176bf98fece7d638ed599979dc173
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 26 11:33:52 2016 +0200

    s3:test_smbclient_auth.sh: this script requires 5 arguments

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit b8055cb42cadf48367867213a35635f3391c9b8d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 26 08:50:00 2016 +0200

    selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 7a2cb2c97611171613fc677a534277839348c56f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 25 15:58:27 2016 +0200

    auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testing

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit db9c01a51975a0a3ec2564357617958c2f466091
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 25 14:45:55 2016 +0200

    auth/spnego: add spnego:simulate_w2k option for testing

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit d667520568996471b55007a42b503edbabb1eee0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 20 18:27:34 2016 +0200

    auth/ntlmssp: do map to guest checking after the authentication

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 79a71545bfc87525c6ba6c8fe9fa7d8a9da33441
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 20 16:34:28 2016 +0200

    s3:smbd: only mark real guest sessions with the GUEST flag

    Real anonymous sessions don't get it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 25ce97892ad3ce5028e4dbbbdd844ef6619ac396
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 18 17:36:56 2016 +0200

    s3:smbd: make use SMB_SETUP_GUEST constant

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 837e6176329330893d5a1e4ce4ac67dbac758e56
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 20 16:29:42 2016 +0200

    libcli/security: implement SECURITY_GUEST

    SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit ead483b0c0ec746c0869162024c97f2e08df7f4b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 01:48:32 2016 +0200

    s3:auth_builtin: anonymous authentication doesn't allow a password

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit d247dceaaab24b568425f2360e40f5e91be452cc
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 27 01:44:56 2016 +0200

    s4:auth_anonymous: anonymous authentication doesn't allow a password

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 65462958522baee6eedcedd4193cfcc8cf0f510e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Apr 22 10:04:38 2016 +0200

    auth/spnego: only try to verify the mechListMic if signing was negotiated.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit e72ad193a53e20b769f798d02c0610f91859bd38
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 19 07:33:03 2016 +0200

    s3:libsmb: use anonymous authentication via spnego if possible

    This makes the authentication consistent between
    SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
    and SMB2.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit fa5799207e55ee8e329f36f784d027845eaf0e34
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 19 07:20:28 2016 +0200

    s3:libsmb: don't finish the gensec handshake for guest logins

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 02c902103521e5a2b1d221db83e6c59d0ce31099
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 19 07:19:19 2016 +0200

    s3:libsmb: record the session setup action flags

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 8f4a4bec089b46bbeb0e0f37bb682acb88702bf2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 18 17:38:46 2016 +0200

    libcli/smb: add smbXcli_session_is_guest() helper function

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit cceaa61cf064926baca6db4b303d34ea90d40d52
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 18 17:34:21 2016 +0200

    libcli/smb: add SMB1 session setup action flags

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit e6f9e176f2bb0e3e7451ac58e84ff55328219fcd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 18 17:33:11 2016 +0200

    libcli/smb: add smb1cli_session_set_action() helper function

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 8e016ffeb01167bb8dec66cf9e4bc8605461c15a
Author: Günther Deschner <g...@samba.org>
Date:   Wed Apr 20 20:09:53 2016 +0200

    libcli/smb: fix NULL pointer dereference in smbXcli_session_is_authenticated().

    Guenther

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 53be47410236ef7c90fe895f49f300e3fe47a8bf
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 19 07:31:50 2016 +0200

    s3:libsmb: use password = NULL for anonymous connections

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit d97b347d041f9b5c0aa71f35526cbefd56f3500b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 20 18:44:21 2016 +0200

    auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections

    Enforcement of SMB signing is done at the SMB layer.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 5041adb6657596399049a33e6a739a040b4df0db
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 20 18:44:21 2016 +0200

    auth/ntlmssp: don't require any flags in the ccache_resume code

    ntlmssp_client_challenge() already checks for required flags
    before asking winbindd.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 032c2733dea834e2c95178cdd0deb73e7bb13621
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sat Apr 23 05:17:25 2016 +0200

    auth/spnego: handle broken mechListMIC response from Windows 2000

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 9930bd17f2d39e4be1e125f83f7de489a94ea1d1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 28 12:26:16 2016 +0200

    auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit request: NT_STATUS_INTERNAL_ERROR'

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit b6595037f3fcaafb957d9c08edfb89c72cded987
Author: Günther Deschner <g...@samba.org>
Date:   Thu Apr 28 12:58:33 2016 +0200

    s3:librpc:crypto:gse: increase debug level for gse_init_client().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

    Guenther

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 95b8b020626ba58a77a21e3da804bac2f0cf90b1
Author: Günther Deschner <g...@samba.org>
Date:   Thu Apr 28 12:58:10 2016 +0200

    lib:krb5_wrap:krb5_samba: increase debug level for smb_krb5_get_default_realm_from_ccache().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

    Guenther

    Signed-off-by: Guenther Deschner <g...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 795e796658e6da0149c9c00ece7cca4ccc457717
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Apr 22 16:31:55 2016 +0200

    s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 8704958fb3b212b401a8e7d94fdd9c627adbde0d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Apr 22 16:18:24 2016 +0200

    s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/gensec/spnego.c                        | 66 +++++++++++++++++----
 auth/ntlmssp/gensec_ntlmssp_server.c        | 15 ++---
 auth/ntlmssp/ntlmssp_client.c               | 15 ++---
 auth/ntlmssp/ntlmssp_server.c               | 40 +++++++++++++
 lib/krb5_wrap/krb5_samba.c                  |  4 +-
 libcli/security/security_token.c            |  5 ++
 libcli/security/security_token.h            |  2 +
 libcli/security/session.c                   |  4 ++
 libcli/security/session.h                   |  1 +
 libcli/smb/smbXcli_base.c                   | 35 +++++++++++
 libcli/smb/smbXcli_base.h                   |  3 +
 libcli/smb/smb_constants.h                  |  6 ++
 selftest/target/Samba.pm                    | 13 ++++
 selftest/target/Samba4.pm                   | 23 +++++++-
 source3/auth/auth_builtin.c                 | 47 ++++++++++++---
 source3/libads/sasl.c                       |  4 +-
 source3/librpc/crypto/gse.c                 |  2 +-
 source3/libsmb/cliconnect.c                 | 92 +++++++++++++++++++++--------
 source3/script/tests/test_smbclient_auth.sh |  2 +-
 source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++
 source3/selftest/tests.py                   |  4 +-
 source3/smbd/sesssetup.c                    | 12 ++--
 source3/smbd/smb2_sesssetup.c               |  7 ++-
 source4/auth/gensec/gensec_tstream.c        |  6 +-
 source4/auth/ntlm/auth_anonymous.c          | 30 ++++++++++
 25 files changed, 399 insertions(+), 79 deletions(-)
 create mode 100755 source3/script/tests/test_smbclient_ntlm.sh

Changeset truncated at 500 lines:

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c index 2922478..3962d72 100644 --- a/auth/gensec/spnego.c +++ b/auth/gensec/spnego.c 
@@ -59,6 +59,8 @@ struct spnego_state { bool needs_mic_check; bool done_mic_check; + bool simulate_w2k; + /* * The following is used to implement * the update token fragmentation @@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi spnego_state->out_max_length = gensec_max_update_size(gensec_security); spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + gensec_security->private_data = spnego_state; return NT_STATUS_OK; } @@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi spnego_state->out_max_length = gensec_max_update_size(gensec_security); spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED; + spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings, + "spnego", "simulate_w2k", false); + gensec_security->private_data = spnego_state; return NT_STATUS_OK; } @@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec talloc_free(spnego_state->sub_sec_security); spnego_state->sub_sec_security = NULL; - DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); + DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status))); return nt_status; } @@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA spnego.negTokenInit.mechToken, &unwrapped_out); + if (spnego_state->simulate_w2k) { + /* + * Windows 2000 returns the unwrapped token + * also in the mech_list_mic field. + * + * In order to verify our client code, + * we need a way to have a server with this + * broken behaviour + */ + mech_list_mic = unwrapped_out; + } + nt_status = gensec_spnego_server_negTokenTarg(spnego_state, out_mem_ctx, nt_status, unwrapped_out, - null_data_blob, + mech_list_mic, out); spnego_free_data(&spnego); 
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA case SPNEGO_SERVER_TARG: { NTSTATUS nt_status; + bool have_sign = true; bool new_spnego = false; if (!in.length) { @@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA goto server_response; } + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); if (spnego.negTokenTarg.mechListMIC.length > 0) { new_spnego = true; } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } - if (spnego.negTokenTarg.mechListMIC.length > 0) { + if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) { nt_status = gensec_check_packet(spnego_state->sub_sec_security, spnego_state->mech_types.data, spnego_state->mech_types.length, @@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego.negTokenTarg.mechListMIC.length > 0) { + DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC; + const DATA_BLOB *r = &spnego.negTokenTarg.responseToken; + + /* + * Windows 2000 has a bug, it repeats the + * responseToken in the mechListMIC field. + */ + if (m->length == r->length) { + int cmp; + + cmp = memcmp(m->data, r->data, m->length); + if (cmp == 0) { + data_blob_free(m); + } + } + } + + if (spnego.negTokenTarg.mechListMIC.length > 0) { if (spnego_state->no_response_expected) { spnego_state->needs_mic_check = true; } 
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA if (spnego_state->no_response_expected && !spnego_state->done_mic_check) { + bool have_sign = true; bool new_spnego = false; + have_sign = gensec_have_feature(spnego_state->sub_sec_security, + GENSEC_FEATURE_SIGN); + if (spnego_state->simulate_w2k) { + have_sign = false; + } new_spnego = gensec_have_feature(spnego_state->sub_sec_security, GENSEC_FEATURE_NEW_SPNEGO); @@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA } if (spnego_state->mic_requested) { - bool sign; - - sign = gensec_have_feature(spnego_state->sub_sec_security, - GENSEC_FEATURE_SIGN); - if (sign) { + if (have_sign) { new_spnego = true; } } - if (new_spnego) { + if (have_sign && new_spnego) { spnego_state->needs_mic_check = true; spnego_state->needs_mic_sign = true; } diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index ca19863..99cedd0 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -131,20 +131,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) ntlmssp_state->allow_lm_key = true; } - if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) { - /* - * map to guest is not secure anyway, so - * try to make it work and don't try to - * negotiate new_spnego and MIC checking - */ - ntlmssp_state->force_old_spnego = true; - } + ntlmssp_state->force_old_spnego = false; - if (role == ROLE_ACTIVE_DIRECTORY_DC) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) { /* - * map to guest is not supported on an AD DC. + * For testing Windows 2000 mode */ - ntlmssp_state->force_old_spnego = false; + ntlmssp_state->force_old_spnego = true; } ntlmssp_state->neg_flags = 
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index b419615..5edd5f4 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security, if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) { gensec_security->want_features |= GENSEC_FEATURE_SIGN; - - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) { gensec_security->want_features |= GENSEC_FEATURE_SEAL; - - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; } - ntlmssp_state->neg_flags |= ntlmssp_state->required_flags; ntlmssp_state->conf_flags = ntlmssp_state->neg_flags; + ntlmssp_state->required_flags = 0; if (DEBUGLEVEL >= 10) { struct NEGOTIATE_MESSAGE *negotiate = talloc( @@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx); + ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", "force_old_spnego", false); + ntlmssp_state->expected_state = NTLMSSP_INITIAL; ntlmssp_state->neg_flags = @@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) * Without this, Windows will not create the master key * that it thinks is only used for NTLMSSP signing and * sealing. (It is actually pulled out and used directly) + * + * We don't require this here as some servers (e.g. NetAPP) + * doesn't support this. */ - ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; } if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN; 
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 17d5ade..ddee875 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -31,6 +31,9 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_internal.h" #include "auth/common_auth.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "libcli/security/session.h" /** * Determine correct target name flags for reply, given server role @@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; struct auth4_context *auth_context = gensec_security->auth_context; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; + struct auth_session_info *session_info = NULL; struct auth_usersupplied_info *user_info; user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); 
@@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec NT_STATUS_NOT_OK_RETURN(nt_status); + if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST + && auth_context->generate_session_info != NULL) + { + NTSTATUS tmp_status; + + /* + * We need to check if the auth is anonymous or mapped to guest + */ + tmp_status = auth_context->generate_session_info(auth_context, mem_ctx, + gensec_ntlmssp->server_returned_info, + gensec_ntlmssp->ntlmssp_state->user, + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, + &session_info); + if (!NT_STATUS_IS_OK(tmp_status)) { + /* + * We don't care about failures, + * the worst result is that we try MIC checking + * for a map to guest authentication. + */ + TALLOC_FREE(session_info); + } + } + + if (session_info != NULL) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + /* + * Anonymous and GUEST are not secure anyway. + * avoid new_spnego and MIC checking. + */ + ntlmssp_state->new_spnego = false; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; + } + TALLOC_FREE(session_info); + } + talloc_steal(mem_ctx, user_session_key->data); talloc_steal(mem_ctx, lm_session_key->data); diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index d1e60eb..3cb1cee 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c @@ -2745,12 +2745,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx) "Trying to read krb5 cache: %s\n", krb5_cc_default_name(ctx))); if (krb5_cc_default(ctx, &cc)) { - DEBUG(0,("kerberos_get_default_realm_from_ccache: " + DEBUG(5,("kerberos_get_default_realm_from_ccache: " "failed to read default cache\n")); goto out; } if (krb5_cc_get_principal(ctx, cc, &princ)) { - DEBUG(0,("kerberos_get_default_realm_from_ccache: " + DEBUG(5,("kerberos_get_default_realm_from_ccache: " "failed to get default principal\n")); goto out; } 
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c index 6812d42..2e5a87b 100644 --- a/libcli/security/security_token.c +++ b/libcli/security/security_token.c @@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha return ret; } +bool security_token_has_builtin_guests(const struct security_token *token) +{ + return security_token_has_sid(token, &global_sid_Builtin_Guests); +} + bool security_token_has_builtin_administrators(const struct security_token *token) { return security_token_has_sid(token, &global_sid_Builtin_Administrators); diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h index b8ca990..5c5b30b 100644 --- a/libcli/security/security_token.h +++ b/libcli/security/security_token.h @@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom bool security_token_has_sid_string(const struct security_token *token, const char *sid_string); +bool security_token_has_builtin_guests(const struct security_token *token); + bool security_token_has_builtin_administrators(const struct security_token *token); bool security_token_has_nt_authenticated_users(const struct security_token *token); diff --git a/libcli/security/session.c b/libcli/security/session.c index 0c32556..0fbb87d 100644 --- a/libcli/security/session.c +++ b/libcli/security/session.c @@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s return SECURITY_ANONYMOUS; } + if (security_token_has_builtin_guests(session_info->security_token)) { + return SECURITY_GUEST; + } + if (security_token_has_builtin_administrators(session_info->security_token)) { return SECURITY_ADMINISTRATOR; } diff --git a/libcli/security/session.h b/libcli/security/session.h index ee9187d..31e950e 100644 --- a/libcli/security/session.h +++ b/libcli/security/session.h 
@@ -24,6 +24,7 @@ enum security_user_level { SECURITY_ANONYMOUS = 0, + SECURITY_GUEST = 1, SECURITY_USER = 10, SECURITY_RO_DOMAIN_CONTROLLER = 20, SECURITY_DOMAIN_CONTROLLER = 30, diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c index 6a71766..4332374 100644 --- a/libcli/smb/smbXcli_base.c +++ b/libcli/smb/smbXcli_base.c @@ -167,6 +167,7 @@ struct smbXcli_session { struct { uint16_t session_id; + uint16_t action; DATA_BLOB application_key; bool protected_key; } smb1; @@ -5301,10 +5302,38 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx, return session; } +bool smbXcli_session_is_guest(struct smbXcli_session *session) +{ + if (session == NULL) { + return false; + } + + if (session->conn == NULL) { + return false; + } + + if (session->conn->protocol >= PROTOCOL_SMB2_02) { + if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) { + return true; + } + return false; + } + + if (session->smb1.action & SMB_SETUP_GUEST) { + return true; + } + + return false; +} + bool smbXcli_session_is_authenticated(struct smbXcli_session *session) { const DATA_BLOB *application_key; + if (session == NULL) { + return false; + } + if (session->conn == NULL) { return false; } @@ -5372,6 +5401,12 @@ void smb1cli_session_set_id(struct smbXcli_session *session, session->smb1.session_id = session_id; } +void smb1cli_session_set_action(struct smbXcli_session *session, + uint16_t action) +{ + session->smb1.action = action; +} + NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session, const DATA_BLOB _session_key) { diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h index ffccd7e..16c8848 100644 --- a/libcli/smb/smbXcli_base.h +++ b/libcli/smb/smbXcli_base.h 
@@ -390,6 +390,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX *mem_ctx, struct smbXcli_conn *conn); struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx, struct smbXcli_session *src); +bool smbXcli_session_is_guest(struct smbXcli_session *session); bool smbXcli_session_is_authenticated(struct smbXcli_session *session); NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session, TALLOC_CTX *mem_ctx, @@ -398,6 +399,8 @@ void smbXcli_session_set_disconnect_expired(struct smbXcli_session *session); uint16_t smb1cli_session_current_id(struct smbXcli_session* session); void smb1cli_session_set_id(struct smbXcli_session* session, uint16_t session_id); +void smb1cli_session_set_action(struct smbXcli_session *session, + uint16_t action); NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session, const DATA_BLOB _session_key); NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session); diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h index 57915d9..e03e843 100644 --- a/libcli/smb/smb_constants.h +++ b/libcli/smb/smb_constants.h @@ -278,6 +278,12 @@ enum smb_signing_setting { CAP_LARGE_WRITEX | \ 0) +/* + * The action flags in the SMB session setup response + */ +#define SMB_SETUP_GUEST 0x0001 +#define SMB_SETUP_USE_LANMAN_KEY 0x0002 + /* Client-side offline caching policy types */ enum csc_policy { CSC_POLICY_MANUAL=0, diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 6ca1036..17a2bbe 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm 
@@ -200,6 +200,19 @@ sub mk_krb5_conf($$) forwardable = yes allow_weak_crypto = yes +"; + + if (defined($ctx->{supported_enctypes})) { + print KRB5CONF " + default_etypes = $ctx->{supported_enctypes} + default_as_etypes = $ctx->{supported_enctypes} + default_tgs_enctypes = $ctx->{supported_enctypes} + default_tkt_enctypes = $ctx->{supported_enctypes} + permitted_enctypes = $ctx->{supported_enctypes} +"; + } + + print KRB5CONF " -- Samba Shared Repository
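
Review bot: In auth/gensec/spnego.c, hunk @@ -1078,6 +1104,24 @@, the mechListMIC is dropped for any peer whose mechListMIC is byte-identical to its responseToken, not only for Windows 2000, and the drop is silent. After data_blob_free(m) the following `if (spnego.negTokenTarg.mechListMIC.length > 0)` block is skipped, so needs_mic_check is no longer set from that path. The comment should say why an identical value can be treated as "no MIC" for every server, and a DEBUG line next to the data_blob_free() call would make the skipped check visible in logs. The `int cmp;` temporary can be folded into the condition.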
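
Review bot: In auth/gensec/spnego.c, hunk @@ -947,18 +968,23 @@, the `if (spnego_state->simulate_w2k) { have_sign = false; }` override carries no comment, unlike the simulate_w2k block in the @@ -775 hunk, yet it turns off both needs_mic_check/needs_mic_sign and the gensec_check_packet() call on a received mechListMIC. The option is read with gensec_setting_bool() in the ordinary client and server start functions, so a comment here stating that it is test-only, plus a warning log when it is enabled, would keep it from being mistaken for a compatibility switch. The same uncommented override is repeated in the @@ -1124 hunk.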
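
Review bot: In auth/ntlmssp/ntlmssp_server.c, hunk @@ -736,6 +740,42 @@, a failing generate_session_info() call is swallowed in the `!NT_STATUS_IS_OK(tmp_status)` branch without logging tmp_status, so when a map-to-guest login then goes through MIC checking nothing records why. Add a DEBUG with nt_errstr(tmp_status) there. The `< SECURITY_USER` test also relies on the numeric order of enum security_user_level (SECURITY_GUEST = 1 is introduced in libcli/security/session.h in this same push); a one-line comment naming the two levels it is meant to catch would make that dependency explicit.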
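
Review bot: In auth/ntlmssp/ntlmssp_client.c, hunk @@ -172,19 +172,14 @@, `ntlmssp_state->required_flags = 0;` reads like a check being removed, and the justification exists only in the commit message (ntlmssp_client_challenge() already checks the required flags before asking winbindd). Put that sentence in a comment above the assignment so the reason survives in the source. In the @@ -848 hunk of the same file, the added comment should read "some servers (e.g. NetApp) don't support this".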
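
Review bot: In libcli/smb/smbXcli_base.c, hunk @@ -5301,10 +5302,38 @@, smbXcli_session_is_guest() gives a meaningful answer for SMB1 only if the caller has already stored the session setup response flags with smb1cli_session_set_action(), and neither the function nor the prototype in smbXcli_base.h says so. A short comment stating that precondition would help callers. Separately, smb1cli_session_set_action() in the @@ -5372 hunk dereferences session without the NULL check that this push adds to smbXcli_session_is_authenticated(); either add it or note that the setter requires a valid session.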
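
Review bot: In selftest/target/Samba.pm, hunk @@ -200,6 +200,19 @@, the five generated settings mix two naming schemes (default_etypes and default_as_etypes next to default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes) with no comment explaining the mix. If the intent is to cover more than one Kerberos implementation's krb5.conf syntax, say so in a comment above the `if (defined($ctx->{supported_enctypes}))` block so the set is not "tidied" later. The hunk is cut off by the 500-line truncation, so the remainder of the heredoc is not visible for review.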