The branch, v4-2-test has been updated
via 7f48c16 WHATSNEW: Last bugfix release.
via a107bcb WHATSNEW: Update release notes.
via ec6c73a s3:selftest: add smbclient_ntlm tests
via 53ce995 selftest:Samba4: let fl2000dc use Windows2000 style
SPNEGO/NTLMSSP
via ea33b55 selftest:Samba4: let fl2000dc use Windows2000
supported_enctypes
via f83d138 s3:test_smbclient_auth.sh: this script reqiures 5 arguments
via 89bc1eb selftest:Samba4: provide DC_* variables for fl2000dc and
fl2008r2dc
via 7f1596f auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego
option for testing
via e23df9d auth/spnego: add spnego:simulate_w2k option for testing
via 30f511f auth/ntlmssp: do map to guest checking after the
authentication
via 2ceed5d s3:smbd: only mark real guest sessions with the GUEST flag
via a2e3c76 s3:smbd: make use SMB_SETUP_GUEST constant
via 4b5e95a libcli/security: implement SECURITY_GUEST
via 5f10f25 s3:auth_builtin: anonymous authentication doesn't allow a
password
via 00f2691 s4:auth_anonymous: anonymous authentication doesn't allow a
password
via d7e9f09 auth/spnego: only try to verify the mechListMic if signing
was negotiated.
via 40c1d53 s3:libsmb: use anonymous authentication via spnego if
possible
via 0eebd68 s3:libsmb: don't finish the gensec handshake for guest
logins
via 163b9ac s3:libsmb: record the session setup action flags
via 5c18afa libcli/smb: add smbXcli_session_is_guest() helper function
via d84dde7 libcli/smb: add SMB1 session setup action flags
via 1b1ae2b libcli/smb: add smb1cli_session_set_action() helper function
via bba0194 libcli/smb: fix NULL pointer derreference in
smbXcli_session_is_authenticated().
via 8c6865d s3:libsmb: use password = NULL for anonymous connections
via abbb1ab auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
via 9dc49c9 auth/ntlmssp: don't require any flags in the ccache_resume
code
via 26351cd auth/spnego: handle broken mechListMIC response from
Windows 2000
via 44ddc56 auth/spnego: change log level for 'Failed to setup SPNEGO
negTokenInit request: NT_STATUS_INTERNAL_ERROR'
via e17baf8 s3:librpc:crypto:gse: increase debug level for
gse_init_client().
via d82ec8a lib:krb5_wrap:krb5_samba: increase debug level for
smb_krb5_get_default_realm_from_ccache().
via 64df993 s3:libads/sasl: allow wrapped messages up to a size of
0xfffffff
via 2bebe80 s4:gensec_tstream: allow wrapped messages up to a size of
0xfffffff
from 65cdf7e WHATSNEW: Start release notes for Samba 4.2.12.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test
- Log -----------------------------------------------------------------
commit 7f48c16a357ae27735f7853d1a08ecefcb7ab97b
Author: Karolin Seeger <[email protected]>
Date: Fri Apr 29 11:32:48 2016 +0200
WHATSNEW: Last bugfix release.
Signed-off-by: Karolin Seeger <[email protected]>
Autobuild-User(v4-2-test): Karolin Seeger <[email protected]>
Autobuild-Date(v4-2-test): Fri Apr 29 14:52:04 CEST 2016 on sn-devel-104
commit a107bcb42a0c02afbff6159a4bd7fe29706e0378
Author: Karolin Seeger <[email protected]>
Date: Fri Apr 29 11:15:16 2016 +0200
WHATSNEW: Update release notes.
Signed-off-by: Karolin Seeger <[email protected]>
commit ec6c73af975016b384ffbd54c5f34282050e20e3
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 25 16:12:47 2016 +0200
s3:selftest: add smbclient_ntlm tests
We test all combinations of NT1 with and without spnego and SMB3
for user, anonymous and guest authentication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
Autobuild-User(master): Stefan Metzmacher <[email protected]>
Autobuild-Date(master): Thu Apr 28 20:16:45 CEST 2016 on sn-devel-144
(similar to commit eee88e07b3e68efb467b390536eea4155b5ced7e)
commit 53ce9957a4856a3d8be1d3071d95a83139ead75f
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 25 16:02:22 2016 +0200
selftest:Samba4: let fl2000dc use Windows2000 style SPNEGO/NTLMSSP
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(similar to commit 4de43387235cb17a185fdd1afd658972e8c174ef)
commit ea33b55bf3eddd7f193fd24dd04ce31867be83ef
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 27 01:00:14 2016 +0200
selftest:Samba4: let fl2000dc use Windows2000 supported_enctypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(similar to commit 587b5db7979c1ca1055f5bfd81ab79606cd3c2dd)
commit f83d13897f8de71729e7fae597a874dfef7b5831
Author: Stefan Metzmacher <[email protected]>
Date: Tue Apr 26 11:33:52 2016 +0200
s3:test_smbclient_auth.sh: this script reqiures 5 arguments
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 70910334caa176bf98fece7d638ed599979dc173)
commit 89bc1eb369c6ad36d7605ed328fe91f40ce659a7
Author: Stefan Metzmacher <[email protected]>
Date: Tue Apr 26 08:50:00 2016 +0200
selftest:Samba4: provide DC_* variables for fl2000dc and fl2008r2dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit b8055cb42cadf48367867213a35635f3391c9b8d)
commit 7f1596f083d4b630f39714d21e2b01b7adf79bf8
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 25 15:58:27 2016 +0200
auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for
testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 7a2cb2c97611171613fc677a534277839348c56f)
commit e23df9d6e3dd1ee338ffb618d5ad059996249d55
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 25 14:45:55 2016 +0200
auth/spnego: add spnego:simulate_w2k option for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit db9c01a51975a0a3ec2564357617958c2f466091)
commit 30f511f9c6731c58cde5db22753c9a06b65dd3ee
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 20 18:27:34 2016 +0200
auth/ntlmssp: do map to guest checking after the authentication
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit d667520568996471b55007a42b503edbabb1eee0)
commit 2ceed5d946276c388e96ce278df50663855570b9
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 20 16:34:28 2016 +0200
s3:smbd: only mark real guest sessions with the GUEST flag
Real anonymous sessions don't get it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(similar to commit 79a71545bfc87525c6ba6c8fe9fa7d8a9da33441)
commit a2e3c76601b8408ea0afcf26bd6fd694314fafe5
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 18 17:36:56 2016 +0200
s3:smbd: make use SMB_SETUP_GUEST constant
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 25ce97892ad3ce5028e4dbbbdd844ef6619ac396)
commit 4b5e95a9894b8c5bf2a7243ba4f3190a2f5cc5d2
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 20 16:29:42 2016 +0200
libcli/security: implement SECURITY_GUEST
SECURITY_GUEST is not exactly the same as SECURITY_ANONYMOUS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 837e6176329330893d5a1e4ce4ac67dbac758e56)
commit 5f10f25f8e384da8fc89183216ba7a171ff88d28
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 27 01:48:32 2016 +0200
s3:auth_builtin: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit ead483b0c0ec746c0869162024c97f2e08df7f4b)
commit 00f2691e1af2b71fab96c538de87401e78e91ca0
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 27 01:44:56 2016 +0200
s4:auth_anonymous: anonymous authentication doesn't allow a password
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit d247dceaaab24b568425f2360e40f5e91be452cc)
commit d7e9f094056b6aac302fd74977f23bfb84087294
Author: Stefan Metzmacher <[email protected]>
Date: Fri Apr 22 10:04:38 2016 +0200
auth/spnego: only try to verify the mechListMic if signing was negotiated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 65462958522baee6eedcedd4193cfcc8cf0f510e)
commit 40c1d53a983f943798f6f689eeeca18d7751fa63
Author: Stefan Metzmacher <[email protected]>
Date: Tue Apr 19 07:33:03 2016 +0200
s3:libsmb: use anonymous authentication via spnego if possible
This makes the authentication consistent between
SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
and SNB2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit e72ad193a53e20b769f798d02c0610f91859bd38)
commit 0eebd689c51bddc140b0c00fb10242bace07de2d
Author: Stefan Metzmacher <[email protected]>
Date: Tue Apr 19 07:20:28 2016 +0200
s3:libsmb: don't finish the gensec handshake for guest logins
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit fa5799207e55ee8e329f36f784d027845eaf0e34)
commit 163b9acaab45405d5bdeb8e88075ca3815b69843
Author: Stefan Metzmacher <[email protected]>
Date: Tue Apr 19 07:19:19 2016 +0200
s3:libsmb: record the session setup action flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 02c902103521e5a2b1d221db83e6c59d0ce31099)
commit 5c18afaf9ab97ba1649442753f99b03355e9aedd
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 18 17:38:46 2016 +0200
libcli/smb: add smbXcli_session_is_guest() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 8f4a4bec089b46bbeb0e0f37bb682acb88702bf2)
commit d84dde7e4d723c0ff21d732893b434925b8ccfd9
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 18 17:34:21 2016 +0200
libcli/smb: add SMB1 session setup action flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit cceaa61cf064926baca6db4b303d34ea90d40d52)
commit 1b1ae2b8462fa2415a1f87ca0d36162d6c92aeb3
Author: Stefan Metzmacher <[email protected]>
Date: Mon Apr 18 17:33:11 2016 +0200
libcli/smb: add smb1cli_session_set_action() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit e6f9e176f2bb0e3e7451ac58e84ff55328219fcd)
commit bba0194a75e4be99e9b31cf78b87a29d4ffa7143
Author: Günther Deschner <[email protected]>
Date: Wed Apr 20 20:09:53 2016 +0200
libcli/smb: fix NULL pointer derreference in
smbXcli_session_is_authenticated().
Guenther
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 8e016ffeb01167bb8dec66cf9e4bc8605461c15a)
commit 8c6865da5a96327737d219b11363a9db217909c2
Author: Stefan Metzmacher <[email protected]>
Date: Tue Apr 19 07:31:50 2016 +0200
s3:libsmb: use password = NULL for anonymous connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11858
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 53be47410236ef7c90fe895f49f300e3fe47a8bf)
commit abbb1ab296b6f891bd73ea95ddab02da0b7ec79b
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 20 18:44:21 2016 +0200
auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
Enforcement of SMB signing is done at the SMB layer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit d97b347d041f9b5c0aa71f35526cbefd56f3500b)
commit 9dc49c9d3322da89d2de208a2472604c49b3ada1
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 20 18:44:21 2016 +0200
auth/ntlmssp: don't require any flags in the ccache_resume code
ntlmssp_client_challenge() already checks for required flags
before asking winbindd.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 5041adb6657596399049a33e6a739a040b4df0db)
commit 26351cd1e90a113f722b6b12796edc9bf46c03d4
Author: Stefan Metzmacher <[email protected]>
Date: Sat Apr 23 05:17:25 2016 +0200
auth/spnego: handle broken mechListMIC response from Windows 2000
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11870
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 032c2733dea834e2c95178cdd0deb73e7bb13621)
commit 44ddc5642355164ab7d29f04555a9c1469f2800b
Author: Stefan Metzmacher <[email protected]>
Date: Thu Apr 28 12:26:16 2016 +0200
auth/spnego: change log level for 'Failed to setup SPNEGO negTokenInit
request: NT_STATUS_INTERNAL_ERROR'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 9930bd17f2d39e4be1e125f83f7de489a94ea1d1)
commit e17baf8fddd3af3213c1191a480315227fcf4f6a
Author: Günther Deschner <[email protected]>
Date: Thu Apr 28 12:58:33 2016 +0200
s3:librpc:crypto:gse: increase debug level for gse_init_client().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit b6595037f3fcaafb957d9c08edfb89c72cded987)
commit d82ec8afb793c978f32b34ab3e230769d419a158
Author: Günther Deschner <[email protected]>
Date: Thu Apr 28 12:58:10 2016 +0200
lib:krb5_wrap:krb5_samba: increase debug level for
smb_krb5_get_default_realm_from_ccache().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Guenther
Signed-off-by: Guenther Deschner <[email protected]>
Reviewed-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
(cherry picked from commit 95b8b020626ba58a77a21e3da804bac2f0cf90b1)
commit 64df993e6c5856c57e4add19e8d44f6c27a898f8
Author: Stefan Metzmacher <[email protected]>
Date: Fri Apr 22 16:31:55 2016 +0200
s3:libads/sasl: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 795e796658e6da0149c9c00ece7cca4ccc457717)
commit 2bebe8012f711c633bcc6d7d706ad242fdc9544e
Author: Stefan Metzmacher <[email protected]>
Date: Fri Apr 22 16:18:24 2016 +0200
s4:gensec_tstream: allow wrapped messages up to a size of 0xfffffff
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11872
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Günther Deschner <[email protected]>
(cherry picked from commit 8704958fb3b212b401a8e7d94fdd9c627adbde0d)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 15 ++++-
auth/gensec/spnego.c | 66 +++++++++++++++++----
auth/ntlmssp/gensec_ntlmssp_server.c | 15 ++---
auth/ntlmssp/ntlmssp_client.c | 15 ++---
auth/ntlmssp/ntlmssp_server.c | 40 +++++++++++++
lib/krb5_wrap/krb5_samba.c | 4 +-
libcli/security/security_token.c | 5 ++
libcli/security/security_token.h | 2 +
libcli/security/session.c | 4 ++
libcli/security/session.h | 1 +
libcli/smb/smbXcli_base.c | 35 +++++++++++
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_constants.h | 6 ++
selftest/target/Samba.pm | 13 ++++
selftest/target/Samba4.pm | 23 +++++++-
source3/auth/auth_builtin.c | 47 ++++++++++++---
source3/libads/sasl.c | 4 +-
source3/librpc/crypto/gse.c | 2 +-
source3/libsmb/cliconnect.c | 92 +++++++++++++++++++++--------
source3/script/tests/test_smbclient_auth.sh | 2 +-
source3/script/tests/test_smbclient_ntlm.sh | 40 +++++++++++++
source3/selftest/tests.py | 4 +-
source3/smbd/sesssetup.c | 12 ++--
source3/smbd/smb2_sesssetup.c | 7 ++-
source4/auth/gensec/gensec_tstream.c | 6 +-
source4/auth/ntlm/auth_anonymous.c | 30 ++++++++++
26 files changed, 413 insertions(+), 80 deletions(-)
create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a7b553b..2b764fb 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -4,7 +4,12 @@
==============================
-This is the latest stable release of Samba 4.2.
+This is the last bugfix release of Samba 4.2. Please note that there will
+be security releases only beyond this point!
+
+This release fixes some regressions introduced by the last security fixes.
+Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
+bugs addressing these regressions and more information.
Changes since 4.2.11:
@@ -58,6 +63,14 @@ o Stefan Metzmacher <[email protected]>
* BUG 11742: tevent: version 0.9.28. Fix memory leak when old signal action
restored.
* BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
+ * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public
share.
+ * BUG 11847: Only validate MIC if "map to guest" is not being used.
+ * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
+ option for testing.
+ * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
+ * BUG 11858: Allow anonymous smb connections.
+ * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
+ * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
o Jose A. Rivera <[email protected]>
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1d4b172..6a82b5f 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
bool needs_mic_check;
bool done_mic_check;
+ bool simulate_w2k;
+
/*
* The following is used to implement
* the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct
gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k =
gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k",
false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct
gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k =
gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k",
false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct
gensec_security *gensec
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n",
nt_errstr(nt_status)));
+ DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
spnego.negTokenInit.mechToken,
&unwrapped_out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
+
nt_status =
gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
unwrapped_out,
-
null_data_blob,
+
mech_list_mic,
out);
spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security
*gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status =
gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign =
gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego =
gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign =
gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c
b/auth/ntlmssp/gensec_ntlmssp_server.c
index 6147b14..08a8c8f 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -130,20 +130,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct
gensec_security *gensec_security)
ntlmssp_state->allow_lm_key = true;
}
- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) !=
NEVER_MAP_TO_GUEST) {
- /*
- * map to guest is not secure anyway, so
- * try to make it work and don't try to
- * negotiate new_spnego and MIC checking
- */
- ntlmssp_state->force_old_spnego = true;
- }
+ ntlmssp_state->force_old_spnego = false;
- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server",
"force_old_spnego", false)) {
/*
- * map to guest is not supported on an AD DC.
+ * For testing Windows 2000 mode
*/
- ntlmssp_state->force_old_spnego = false;
+ ntlmssp_state->force_old_spnego = true;
}
ntlmssp_state->neg_flags =
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct
gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+ ntlmssp_state->required_flags = 0;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security
*gensec_security)
ntlmssp_state->use_ntlmv2 =
lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
+ ntlmssp_state->force_old_spnego =
gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client",
"force_old_spnego", false);
+
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct
gensec_security *gensec_security)
* Without this, Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
+ *
+ * We don't require this here as some servers (e.g. NetAPP)
+ * doesn't support this.
*/
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 9549641..3f13ccb 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
/**
* Determine correct target name flags for reply, given server role
@@ -698,6 +701,7 @@ static NTSTATUS ntlmssp_server_check_password(struct
gensec_security *gensec_sec
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct auth4_context *auth_context = gensec_security->auth_context;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ struct auth_session_info *session_info = NULL;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -734,6 +738,42 @@ static NTSTATUS ntlmssp_server_check_password(struct
gensec_security *gensec_sec
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) !=
NEVER_MAP_TO_GUEST
+ && auth_context->generate_session_info != NULL)
+ {
+ NTSTATUS tmp_status;
+
+ /*
+ * We need to check if the auth is anonymous or mapped to guest
+ */
+ tmp_status = auth_context->generate_session_info(auth_context,
mem_ctx,
+
gensec_ntlmssp->server_returned_info,
+
gensec_ntlmssp->ntlmssp_state->user,
+
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+ &session_info);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ /*
+ * We don't care about failures,
+ * the worst result is that we try MIC checking
+ * for a map to guest authentication.
+ */
+ TALLOC_FREE(session_info);
+ }
+ }
+
+ if (session_info != NULL) {
+ if (security_session_user_level(session_info, NULL) <
SECURITY_USER) {
+ /*
+ * Anonymous and GUEST are not secure anyway.
+ * avoid new_spnego and MIC checking.
+ */
+ ntlmssp_state->new_spnego = false;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+ TALLOC_FREE(session_info);
+ }
+
talloc_steal(mem_ctx, user_session_key->data);
talloc_steal(mem_ctx, lm_session_key->data);
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 5f0378b..c066c1d 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2388,12 +2388,12 @@ static char
*smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
"Trying to read krb5 cache: %s\n",
krb5_cc_default_name(ctx)));
if (krb5_cc_default(ctx, &cc)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to read default cache\n"));
goto out;
}
if (krb5_cc_get_principal(ctx, cc, &princ)) {
- DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+ DEBUG(5,("kerberos_get_default_realm_from_ccache: "
"failed to get default principal\n"));
goto out;
}
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 6812d42..2e5a87b 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct
security_token *token, const cha
return ret;
}
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+ return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
bool security_token_has_builtin_administrators(const struct security_token
*token)
{
return security_token_has_sid(token,
&global_sid_Builtin_Administrators);
diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
index b8ca990..5c5b30b 100644
--- a/libcli/security/security_token.h
+++ b/libcli/security/security_token.h
@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token
*token, const struct dom
bool security_token_has_sid_string(const struct security_token *token, const
char *sid_string);
+bool security_token_has_builtin_guests(const struct security_token *token);
+
bool security_token_has_builtin_administrators(const struct security_token
*token);
bool security_token_has_nt_authenticated_users(const struct security_token
*token);
diff --git a/libcli/security/session.c b/libcli/security/session.c
index 0c32556..0fbb87d 100644
--- a/libcli/security/session.c
+++ b/libcli/security/session.c
@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct
auth_session_info *s
return SECURITY_ANONYMOUS;
}
+ if (security_token_has_builtin_guests(session_info->security_token)) {
+ return SECURITY_GUEST;
+ }
+
if
(security_token_has_builtin_administrators(session_info->security_token)) {
return SECURITY_ADMINISTRATOR;
}
diff --git a/libcli/security/session.h b/libcli/security/session.h
index ee9187d..31e950e 100644
--- a/libcli/security/session.h
+++ b/libcli/security/session.h
@@ -24,6 +24,7 @@
enum security_user_level {
SECURITY_ANONYMOUS = 0,
+ SECURITY_GUEST = 1,
SECURITY_USER = 10,
SECURITY_RO_DOMAIN_CONTROLLER = 20,
SECURITY_DOMAIN_CONTROLLER = 30,
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 7bf48c8..b07fdad 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -152,6 +152,7 @@ struct smbXcli_session {
struct {
uint16_t session_id;
+ uint16_t action;
DATA_BLOB application_key;
bool protected_key;
} smb1;
@@ -4941,10 +4942,38 @@ struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX
*mem_ctx,
return session;
}
+bool smbXcli_session_is_guest(struct smbXcli_session *session)
+{
+ if (session == NULL) {
+ return false;
+ }
+
+ if (session->conn == NULL) {
+ return false;
+ }
+
+ if (session->conn->protocol >= PROTOCOL_SMB2_02) {
+ if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
+ return true;
+ }
+ return false;
+ }
+
+ if (session->smb1.action & SMB_SETUP_GUEST) {
+ return true;
+ }
+
+ return false;
+}
+
bool smbXcli_session_is_authenticated(struct smbXcli_session *session)
{
const DATA_BLOB *application_key;
+ if (session == NULL) {
+ return false;
+ }
+
if (session->conn == NULL) {
return false;
}
@@ -5012,6 +5041,12 @@ void smb1cli_session_set_id(struct smbXcli_session
*session,
session->smb1.session_id = session_id;
}
+void smb1cli_session_set_action(struct smbXcli_session *session,
+ uint16_t action)
+{
+ session->smb1.action = action;
+}
+
NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
const DATA_BLOB _session_key)
{
diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
index 9a957e2..50466b1 100644
--- a/libcli/smb/smbXcli_base.h
+++ b/libcli/smb/smbXcli_base.h
@@ -371,6 +371,7 @@ struct smbXcli_session *smbXcli_session_create(TALLOC_CTX
*mem_ctx,
struct smbXcli_conn *conn);
struct smbXcli_session *smbXcli_session_copy(TALLOC_CTX *mem_ctx,
struct smbXcli_session *src);
+bool smbXcli_session_is_guest(struct smbXcli_session *session);
bool smbXcli_session_is_authenticated(struct smbXcli_session *session);
NTSTATUS smbXcli_session_application_key(struct smbXcli_session *session,
TALLOC_CTX *mem_ctx,
@@ -379,6 +380,8 @@ void smbXcli_session_set_disconnect_expired(struct
smbXcli_session *session);
uint16_t smb1cli_session_current_id(struct smbXcli_session* session);
void smb1cli_session_set_id(struct smbXcli_session* session,
uint16_t session_id);
+void smb1cli_session_set_action(struct smbXcli_session *session,
+ uint16_t action);
NTSTATUS smb1cli_session_set_session_key(struct smbXcli_session *session,
const DATA_BLOB _session_key);
NTSTATUS smb1cli_session_protect_session_key(struct smbXcli_session *session);
diff --git a/libcli/smb/smb_constants.h b/libcli/smb/smb_constants.h
index 9b1de50..c7a49ab 100644
--- a/libcli/smb/smb_constants.h
+++ b/libcli/smb/smb_constants.h
@@ -276,6 +276,12 @@ enum smb_signing_setting {
--
Samba Shared Repository
