The branch, v4-2-stable has been updated
via e4e16a1 VERSION: Disable git snapshots for the 4.2.12 release.
via 4ce9415 WHATSNEW: Add release date.
via 7f48c16 WHATSNEW: Last bugfix release.
via a107bcb WHATSNEW: Update release notes.
via ec6c73a s3:selftest: add smbclient_ntlm tests
via 53ce995 selftest:Samba4: let fl2000dc use Windows2000 style
SPNEGO/NTLMSSP
via ea33b55 selftest:Samba4: let fl2000dc use Windows2000
supported_enctypes
via f83d138 s3:test_smbclient_auth.sh: this script reqiures 5 arguments
via 89bc1eb selftest:Samba4: provide DC_* variables for fl2000dc and
fl2008r2dc
via 7f1596f auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego
option for testing
via e23df9d auth/spnego: add spnego:simulate_w2k option for testing
via 30f511f auth/ntlmssp: do map to guest checking after the
authentication
via 2ceed5d s3:smbd: only mark real guest sessions with the GUEST flag
via a2e3c76 s3:smbd: make use SMB_SETUP_GUEST constant
via 4b5e95a libcli/security: implement SECURITY_GUEST
via 5f10f25 s3:auth_builtin: anonymous authentication doesn't allow a
password
via 00f2691 s4:auth_anonymous: anonymous authentication doesn't allow a
password
via d7e9f09 auth/spnego: only try to verify the mechListMic if signing
was negotiated.
via 40c1d53 s3:libsmb: use anonymous authentication via spnego if
possible
via 0eebd68 s3:libsmb: don't finish the gensec handshake for guest
logins
via 163b9ac s3:libsmb: record the session setup action flags
via 5c18afa libcli/smb: add smbXcli_session_is_guest() helper function
via d84dde7 libcli/smb: add SMB1 session setup action flags
via 1b1ae2b libcli/smb: add smb1cli_session_set_action() helper function
via bba0194 libcli/smb: fix NULL pointer derreference in
smbXcli_session_is_authenticated().
via 8c6865d s3:libsmb: use password = NULL for anonymous connections
via abbb1ab auth/ntlmssp: don't require NTLMSSP_SIGN for smb connections
via 9dc49c9 auth/ntlmssp: don't require any flags in the ccache_resume
code
via 26351cd auth/spnego: handle broken mechListMIC response from
Windows 2000
via 44ddc56 auth/spnego: change log level for 'Failed to setup SPNEGO
negTokenInit request: NT_STATUS_INTERNAL_ERROR'
via e17baf8 s3:librpc:crypto:gse: increase debug level for
gse_init_client().
via d82ec8a lib:krb5_wrap:krb5_samba: increase debug level for
smb_krb5_get_default_realm_from_ccache().
via 64df993 s3:libads/sasl: allow wrapped messages up to a size of
0xfffffff
via 2bebe80 s4:gensec_tstream: allow wrapped messages up to a size of
0xfffffff
via 65cdf7e WHATSNEW: Start release notes for Samba 4.2.12.
via e3a7138 configure: Don't check for inotify on illumos
via e16c8ed nwrap: Fix the build on Solaris
via aec25b0 libads: record session expiry for spnego sasl binds
via 9729bdc build: mark explicit dependencies on pytalloc-util
via e29becc s3:wscript: pylibsmb depends on pycredentials
via 452d393 libsmb/pysmb: add pytalloc-util dependency to fix the build.
via cb827b7 pydsdb: Fix returning of ldb.MessageElement.
via 513b5d7 pydsdb: Also accept ldb.MessageElement values to dsdb
routines
via 75f26e3 vfs_catia: Fix bug 11827, memleak
via b7e46c1 tevent: version 0.9.28
via a8fb85f lib: tevent: Fix memory leak reported by Pavel Březina
<[email protected]> when old signal action restored.
via 331383c tevent: version 0.9.27
via c496c85 Fix ETIME handling for Solaris event ports.
via a10d492 tevent: Only set public headers field when installing as a
public library.
via 0345678 Simplify handling of dependencies on external libraries in
test_headers.
via 06a87da lib: tevent: Whitespace cleanup.
via 1ca26ea lib: tevent: Fix bug in poll backend -
poll_event_loop_poll()
via 316ce07 tevent: version 0.9.26
via 78f5f86 lib: tevent: docs: Add tutorial on thread usage.
via b88f6e9 lib: tevent: tests: Add a second thread test that does
request/reply.
via a050245 lib: tevent: Initial test of tevent threaded context code.
via 46d3bb7 lib: tevent: Initial checkin of threaded tevent context
calling code.
via 4882bde VERSION: Bump version up to 4.2.12
via 47f3a1f Merge tag 'samba-4.2.11' into v4-2-test
via 0dd1749 smbd: Only check dev/inode in open_directory, not the full
stat()
via ffccce5 s3:smbd: add negprot remote arch detection for OSX
via bd11d39 s3:smbd: rework negprot remote arch detection
via 0108e51 VERSION: Bump version up to 4.2.10...
via a93f708 Merge tag 'samba-4.2.9' into v4-2-test
via fe4a09d Real memeory leak(buildup) issue in loadparm.
via 995f757 docs: Add example for domain logins to smbspool man page.
via cb0d8e1 ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped
..."
via d0ba284 lib/tsocket: workaround sockets not supporting FIONREAD
via 7f8cbd8 param: Fix str_list_v3 to accept ; again
via 6ff4dd7 loadparm: Fix memory leak issue.
via bf29f7d s3: smbd: posix_acls: Fix check for setting u:g:o entry on
a filesystem with no ACL support.
via bd140e6 s3:smbd:open: Skip redundant call to file_set_dosmode when
creating a new file.
via 3435f30 docs-xml: fix typo in smbspool_krb5_wrapper manpage.
via d0697c5 docs: Add smbspool_krb5_wrapper manpage
via b065b1e s3: smbd: Fix timestamp rounding inside SMB2 create.
via 7205d15 s3:utils/smbget fix recursive download
via da8f785 waf: Only build smb_krb5_wrapper if we have CUPS
via 542cbdf s3-client: Add a KRB5 wrapper for smbspool
via de7ad5d VERSION: Bump version up to 4.2.9...
from cdf4f21 VERSION: Disable git snapshots for the 4.2.11 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 140 +++++++-
auth/gensec/spnego.c | 66 +++-
auth/ntlmssp/gensec_ntlmssp_server.c | 15 +-
auth/ntlmssp/ntlmssp_client.c | 15 +-
auth/ntlmssp/ntlmssp_server.c | 40 +++
ctdb/config/events.d/11.natgw | 4 -
ctdb/config/events.d/49.winbind | 7 -
docs-xml/manpages/smbspool.8.xml | 5 +
docs-xml/manpages/smbspool_krb5_wrapper.8.xml | 64 ++++
docs-xml/wscript_build | 1 +
lib/krb5_wrap/krb5_samba.c | 4 +-
lib/nss_wrapper/wscript | 2 +-
.../ABI/{tevent-0.9.24.sigs => tevent-0.9.26.sigs} | 2 +
.../ABI/{tevent-0.9.24.sigs => tevent-0.9.27.sigs} | 2 +
.../ABI/{tevent-0.9.24.sigs => tevent-0.9.28.sigs} | 2 +
lib/tevent/doc/tevent_thread.dox | 322 ++++++++++++++++++
lib/tevent/doc/tevent_tutorial.dox | 2 +
lib/tevent/testsuite.c | 330 ++++++++++++++++++
lib/tevent/tevent.h | 52 +++
lib/tevent/tevent_epoll.c | 6 +-
lib/tevent/tevent_poll.c | 5 +-
lib/tevent/tevent_port.c | 22 +-
lib/tevent/tevent_signal.c | 4 +
lib/tevent/tevent_threads.c | 370 +++++++++++++++++++++
lib/tevent/wscript | 6 +-
lib/tsocket/tsocket_bsd.c | 62 +++-
lib/util/util_strlist.c | 18 +-
libcli/security/security_token.c | 5 +
libcli/security/security_token.h | 2 +
libcli/security/session.c | 4 +
libcli/security/session.h | 1 +
libcli/smb/smbXcli_base.c | 35 ++
libcli/smb/smbXcli_base.h | 3 +
libcli/smb/smb_constants.h | 7 +-
python/samba/dbchecker.py | 4 +-
selftest/target/Samba.pm | 13 +
selftest/target/Samba4.pm | 23 +-
source3/auth/auth_builtin.c | 47 ++-
source3/client/README.smbspool | 17 +
source3/client/smbspool_krb5_wrapper.c | 210 ++++++++++++
source3/libads/sasl.c | 13 +-
source3/librpc/crypto/gse.c | 2 +-
source3/libsmb/cliconnect.c | 92 +++--
source3/modules/vfs_catia.c | 6 +-
source3/param/loadparm.c | 40 ++-
source3/passdb/wscript_build | 2 +-
source3/script/tests/test_smbclient_auth.sh | 2 +-
source3/script/tests/test_smbclient_ntlm.sh | 40 +++
source3/selftest/tests.py | 4 +-
source3/smbd/negprot.c | 152 +++++----
source3/smbd/open.c | 18 +-
source3/smbd/posix_acls.c | 39 ++-
source3/smbd/sesssetup.c | 12 +-
source3/smbd/smb2_create.c | 8 +
source3/smbd/smb2_negprot.c | 9 +-
source3/smbd/smb2_sesssetup.c | 7 +-
source3/utils/smbget.c | 15 +-
source3/wscript | 11 +-
source3/wscript_build | 12 +-
source4/auth/gensec/gensec_tstream.c | 6 +-
source4/auth/ntlm/auth_anonymous.c | 30 ++
source4/dsdb/pydsdb.c | 162 +++++----
source4/lib/messaging/wscript_build | 2 +-
source4/libcli/wscript_build | 2 +-
source4/libnet/wscript_build | 2 +-
source4/ntvfs/sysdep/wscript_configure | 13 +-
source4/param/wscript_build | 2 +-
testsuite/headers/wscript_build | 13 +-
69 files changed, 2373 insertions(+), 284 deletions(-)
create mode 100644 docs-xml/manpages/smbspool_krb5_wrapper.8.xml
copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.26.sigs} (97%)
copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.27.sigs} (97%)
copy lib/tevent/ABI/{tevent-0.9.24.sigs => tevent-0.9.28.sigs} (97%)
create mode 100644 lib/tevent/doc/tevent_thread.dox
create mode 100644 lib/tevent/tevent_threads.c
create mode 100644 source3/client/README.smbspool
create mode 100644 source3/client/smbspool_krb5_wrapper.c
create mode 100755 source3/script/tests/test_smbclient_ntlm.sh
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index ce2ca71..9c39699 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ecb5fe6..8b3fcc8 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,134 @@
==============================
+ Release Notes for Samba 4.2.12
+ May 02, 2016
+ ==============================
+
+
+This is the last bugfix release of Samba 4.2. Please note that there will
+be security releases only beyond this point!
+
+This release fixes some regressions introduced by the last security fixes.
+Please see bug https://bugzilla.samba.org/show_bug.cgi?id=11849 for a list of
+bugs addressing these regressions and more information.
+
+
+Changes since 4.2.11:
+---------------------
+
+o Jeremy Allison <[email protected]>
+ * BUG 10489: s3: smbd: posix_acls: Fix check for setting u:g:o entry on a
+ filesystem with no ACL support.
+ * BUG 11703: s3: smbd: Fix timestamp rounding inside SMB2 create.
+ * BUG 11742: lib: tevent: Fix memory leak when old signal action restored.
+ * BUG 11771: lib: tevent: Fix memory leak when old signal action restored.
+
+
+o Christian Ambach <[email protected]>
+ * BUG 6482: s3:utils/smbget: Fix recursive download.
+
+
+o Andrew Bartlett <[email protected]>
+ * BUG 11780: smbd: Only check dev/inode in open_directory, not the full
+ stat().
+ * BUG 11789: build: Mark explicit dependencies on pytalloc-util.
+
+
+o Ralph Boehme <[email protected]>
+ * BUG 11714: lib/tsocket: Work around sockets not supporting FIONREAD.
+
+
+o Günther Deschner <[email protected]>
+ * BUG 11789: libsmb/pysmb: add pytalloc-util dependency to fix the build.
+
+
+o Berend De Schouwer <[email protected]>
+ * BUG 11643: docs: Add example for domain logins to smbspool man page.
+
+
+o Nathan Huff <[email protected]>
+ * BUG 11771: Fix ETIME handling for Solaris event ports.
+
+
+o Volker Lendecke <[email protected]>
+ * BUG 11732: param: Fix str_list_v3 to accept ";" again.
+ * BUG 11816: nwrap: Fix the build on Solaris.
+ * BUG 11827: Fix memleak.
+
+
+o Justin Maggard <[email protected]>
+ * BUG 11773: s3:smbd: Add negprot remote arch detection for OSX.
+
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 11742: tevent: version 0.9.28. Fix memory leak when old signal action
+ restored.
+ * BUG 11789: s3:wscript: pylibsmb depends on pycredentials.
+ * BUG 11841: Fix NT_STATUS_ACCESS_DENIED when accessing Windows public
share.
+ * BUG 11847: Only validate MIC if "map to guest" is not being used.
+ * BUG 11849: auth/ntlmssp: Add ntlmssp_{client,server}:force_old_spnego
+ option for testing.
+ * BUG 11850: NetAPP SMB servers don't negotiate NTLMSSP_SIGN.
+ * BUG 11858: Allow anonymous smb connections.
+ * BUG 11870: Fix ads_sasl_spnego_gensec_bind(KRB5).
+ * BUG 11872: Fix 'wbinfo -u' and 'net ads search'.
+
+
+o Jose A. Rivera <[email protected]>
+ * BUG 11727: s3:smbd:open: Skip redundant call to file_set_dosmode when
+ creating a new file.
+
+
+o Andreas Schneider <[email protected]>
+ * BUG 11690: docs: Add smbspool_krb5_wrapper manpage.
+
+
+o Jorge Schrauwen <[email protected]>
+ * BUG 11816: configure: Don't check for inotify on illumos.
+
+
+o Martin Schwenke <[email protected]>
+ * BUG 11719: ctdb-scripts: Drop use of "smbcontrol winbindd ip-dropped ...".
+
+
+o Uri Simchoni <[email protected]>
+ * BUG 11852: libads: Record session expiry for spnego sasl binds.
+
+
+o Hemanth Thummala <[email protected]>
+ * BUG 11708: loadparm: Fix memory leak issue.
+ * BUG 11740: Real memory leak(buildup) issue in loadparm.
+
+
+o Jelmer Vernooij <[email protected]>
+ * BUG 11771: tevent: Only set public headers field when installing as a
+ public library.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+
+ ==============================
Release Notes for Samba 4.2.11
April 12, 2016
==============================
@@ -16,8 +146,9 @@ o Stefan Metzmacher <[email protected]>
* Bug 11804 - prerequisite backports for the security release on
April 12th, 2016
-Release notes for the original 4.2.10 release follows:
-------------------------------------------------------
+
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.2.10
@@ -570,11 +701,6 @@ database (https://bugzilla.samba.org/).
== The Samba Team
======================================================================
-
-Release notes for older releases follow:
-----------------------------------------
-
-
=============================
Release Notes for Samba 4.2.9
March 8, 2016
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 1d4b172..6a82b5f 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -59,6 +59,8 @@ struct spnego_state {
bool needs_mic_check;
bool done_mic_check;
+ bool simulate_w2k;
+
/*
* The following is used to implement
* the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct
gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k =
gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k",
false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct
gensec_security *gensec_securi
spnego_state->out_max_length = gensec_max_update_size(gensec_security);
spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ spnego_state->simulate_w2k =
gensec_setting_bool(gensec_security->settings,
+ "spnego", "simulate_w2k",
false);
+
gensec_security->private_data = spnego_state;
return NT_STATUS_OK;
}
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct
gensec_security *gensec
talloc_free(spnego_state->sub_sec_security);
spnego_state->sub_sec_security = NULL;
- DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n",
nt_errstr(nt_status)));
+ DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
spnego.negTokenInit.mechToken,
&unwrapped_out);
+ if (spnego_state->simulate_w2k) {
+ /*
+ * Windows 2000 returns the unwrapped token
+ * also in the mech_list_mic field.
+ *
+ * In order to verify our client code,
+ * we need a way to have a server with this
+ * broken behaviour
+ */
+ mech_list_mic = unwrapped_out;
+ }
+
nt_status =
gensec_spnego_server_negTokenTarg(spnego_state,
out_mem_ctx,
nt_status,
unwrapped_out,
-
null_data_blob,
+
mech_list_mic,
out);
spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security
*gensec_security, TA
case SPNEGO_SERVER_TARG:
{
NTSTATUS nt_status;
+ bool have_sign = true;
bool new_spnego = false;
if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
goto server_response;
}
+ have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
if (spnego.negTokenTarg.mechListMIC.length > 0) {
new_spnego = true;
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
- if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
nt_status =
gensec_check_packet(spnego_state->sub_sec_security,
spnego_state->mech_types.data,
spnego_state->mech_types.length,
@@ -1078,6 +1104,24 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
}
if (spnego.negTokenTarg.mechListMIC.length > 0) {
+ DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+ const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+ /*
+ * Windows 2000 has a bug, it repeats the
+ * responseToken in the mechListMIC field.
+ */
+ if (m->length == r->length) {
+ int cmp;
+
+ cmp = memcmp(m->data, r->data, m->length);
+ if (cmp == 0) {
+ data_blob_free(m);
+ }
+ }
+ }
+
+ if (spnego.negTokenTarg.mechListMIC.length > 0) {
if (spnego_state->no_response_expected) {
spnego_state->needs_mic_check = true;
}
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
if (spnego_state->no_response_expected &&
!spnego_state->done_mic_check)
{
+ bool have_sign = true;
bool new_spnego = false;
+ have_sign =
gensec_have_feature(spnego_state->sub_sec_security,
+ GENSEC_FEATURE_SIGN);
+ if (spnego_state->simulate_w2k) {
+ have_sign = false;
+ }
new_spnego =
gensec_have_feature(spnego_state->sub_sec_security,
GENSEC_FEATURE_NEW_SPNEGO);
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct
gensec_security *gensec_security, TA
}
if (spnego_state->mic_requested) {
- bool sign;
-
- sign =
gensec_have_feature(spnego_state->sub_sec_security,
- GENSEC_FEATURE_SIGN);
- if (sign) {
+ if (have_sign) {
new_spnego = true;
}
}
- if (new_spnego) {
+ if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c
b/auth/ntlmssp/gensec_ntlmssp_server.c
index 6147b14..08a8c8f 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -130,20 +130,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct
gensec_security *gensec_security)
ntlmssp_state->allow_lm_key = true;
}
- if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) !=
NEVER_MAP_TO_GUEST) {
- /*
- * map to guest is not secure anyway, so
- * try to make it work and don't try to
- * negotiate new_spnego and MIC checking
- */
- ntlmssp_state->force_old_spnego = true;
- }
+ ntlmssp_state->force_old_spnego = false;
- if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server",
"force_old_spnego", false)) {
/*
- * map to guest is not supported on an AD DC.
+ * For testing Windows 2000 mode
*/
- ntlmssp_state->force_old_spnego = false;
+ ntlmssp_state->force_old_spnego = true;
}
ntlmssp_state->neg_flags =
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index b419615..5edd5f4 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct
gensec_security *gensec_security,
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+ ntlmssp_state->required_flags = 0;
if (DEBUGLEVEL >= 10) {
struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security
*gensec_security)
ntlmssp_state->use_ntlmv2 =
lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
+ ntlmssp_state->force_old_spnego =
gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client",
"force_old_spnego", false);
+
ntlmssp_state->expected_state = NTLMSSP_INITIAL;
ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct
gensec_security *gensec_security)
* Without this, Windows will not create the master key
* that it thinks is only used for NTLMSSP signing and
* sealing. (It is actually pulled out and used directly)
+ *
+ * We don't require this here as some servers (e.g. NetAPP)
+ * doesn't support this.
*/
- ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
}
if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 9549641..3f13ccb 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -31,6 +31,9 @@
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
/**
* Determine correct target name flags for reply, given server role
@@ -698,6 +701,7 @@ static NTSTATUS ntlmssp_server_check_password(struct
gensec_security *gensec_sec
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
struct auth4_context *auth_context = gensec_security->auth_context;
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ struct auth_session_info *session_info = NULL;
struct auth_usersupplied_info *user_info;
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -734,6 +738,42 @@ static NTSTATUS ntlmssp_server_check_password(struct
gensec_security *gensec_sec
NT_STATUS_NOT_OK_RETURN(nt_status);
+ if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) !=
NEVER_MAP_TO_GUEST
+ && auth_context->generate_session_info != NULL)
+ {
+ NTSTATUS tmp_status;
+
+ /*
+ * We need to check if the auth is anonymous or mapped to guest
+ */
+ tmp_status = auth_context->generate_session_info(auth_context,
mem_ctx,
+
gensec_ntlmssp->server_returned_info,
+
gensec_ntlmssp->ntlmssp_state->user,
+
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+ &session_info);
+ if (!NT_STATUS_IS_OK(tmp_status)) {
+ /*
+ * We don't care about failures,
+ * the worst result is that we try MIC checking
+ * for a map to guest authentication.
+ */
+ TALLOC_FREE(session_info);
+ }
+ }
+
+ if (session_info != NULL) {
+ if (security_session_user_level(session_info, NULL) <
SECURITY_USER) {
+ /*
+ * Anonymous and GUEST are not secure anyway.
+ * avoid new_spnego and MIC checking.
+ */
+ ntlmssp_state->new_spnego = false;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+ ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+ }
+ TALLOC_FREE(session_info);
+ }
+
talloc_steal(mem_ctx, user_session_key->data);
talloc_steal(mem_ctx, lm_session_key->data);
diff --git a/ctdb/config/events.d/11.natgw b/ctdb/config/events.d/11.natgw
index aef302c..5e10d1d 100755
--- a/ctdb/config/events.d/11.natgw
+++ b/ctdb/config/events.d/11.natgw
@@ -98,10 +98,6 @@ natgw_set_slave ()
_net="${_net_gw%@*}"
ip route add "$_net" via "$_natgwip" metric 10
done
-
- # Make sure winbindd does not stay bound to this address if we are
- # no longer NATGW master
- smbcontrol winbindd ip-dropped $CTDB_NATGW_PUBLIC_IP >/dev/null 2>&1
}
natgw_ensure_master ()
diff --git a/ctdb/config/events.d/49.winbind b/ctdb/config/events.d/49.winbind
index dee3c90..a1ea787 100755
--- a/ctdb/config/events.d/49.winbind
+++ b/ctdb/config/events.d/49.winbind
@@ -55,13 +55,6 @@ case "$1" in
ctdb_check_command wbinfo -p
;;
--
Samba Shared Repository
