Attachment #6998 for bug #38827




From f3762dbb68a85abb26e81973bdec835bca9bee1b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Jun 2015 19:14:13 +1200
Subject: [PATCH 1/3] gensec: Add an option emulating another mode a client
 building GSSAPI/krb5 manually uses

This was seen in the wild, with a real NAS against the AD DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/auth/gensec/gensec_krb5.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index b1ecd18..56513c9 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -287,8 +287,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 	const char *principal;
 	const char *hostname;
 	krb5_data in_data;
+	krb5_data *in_data_p = NULL;
 	struct tevent_context *previous_ev;
 
+	if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
+			    NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
+		in_data.length = 0;
+		in_data_p = &in_data;
+	}
+	
 	gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
 
 	principal = gensec_get_target_principal(gensec_security);
@@ -314,7 +321,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 		DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
-	in_data.length = 0;
 	
 	/* Do this every time, in case we have weird recursive issues here */
 	ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
@@ -331,7 +337,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 						&gensec_krb5_state->auth_context,
 						gensec_krb5_state->ap_req_options, 
 						target_principal,
-						&in_data, ccache_container->ccache, 
+						in_data_p, ccache_container->ccache, 
 						&gensec_krb5_state->enc_ticket);
 			krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
 					    target_principal);
@@ -342,7 +348,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 				  gensec_krb5_state->ap_req_options,
 				  gensec_get_target_service(gensec_security),
 				  hostname,
-				  &in_data, ccache_container->ccache, 
+				  in_data_p, ccache_container->ccache, 
 				  &gensec_krb5_state->enc_ticket);
 	}
 
-- 
2.1.4


From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Jun 2015 19:14:56 +1200
Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum
 at all

This was seen in the wild, with a real NAS against the AD DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 .../heimdal/lib/gssapi/krb5/accept_sec_context.c    | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 5a00e12..137f10a 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    return ret;
 	}
 
-	if (authenticator->cksum == NULL) {
-	    krb5_free_authenticator(context, &authenticator);
-	    *minor_status = 0;
-	    return GSS_S_BAD_BINDINGS;
-	}
-
-        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+        if (authenticator->cksum != NULL
+	    && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
             ret = _gsskrb5_verify_8003_checksum(minor_status,
 						input_chan_bindings,
 						authenticator->cksum,
@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    if (ret) {
 		return ret;
 	    }
-        } else {
+        } else if (authenticator->cksum != NULL) {
 	    krb5_crypto crypto;
 
 	    kret = krb5_crypto_init(context,
@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
  	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
 		ctx->flags |= GSS_C_MUTUAL_FLAG;
-        }
+        } else {
+	    /*
+	     * Windows also accepts no checksum, and some clients send
+	     * this, so here also ap_options to guess the mutual flag.
+	     */
+ 	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
+		ctx->flags |= GSS_C_MUTUAL_FLAG;
+	}
     }
 
     if(ctx->flags & GSS_C_MUTUAL_FLAG) {
-- 
2.1.4


From 7c6837a02af592b1c29b5695b014763d52925543 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Jun 2015 19:15:31 +1200
Subject: [PATCH 3/3] selftest: Add test for GSSAPI with no authenticator
 checksum mode

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/selftest/tests.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ff675ba..508ac6a 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -182,6 +182,7 @@ for env in ["dc", "fl2000dc", "fl2003dc"
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
+    plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport)
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
     for transport in transports:
         plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, ))
-- 
2.1.4


Line 10000 Link Here

(-)samba-4.2.2.orig/debian/patches/series (+1 lines)
	10000	98_allow-no-checksum.patch

Return to bug 38827

Line 0 Link Here

(-)samba-4.2.2.orig/debian/patches/98_allow-no-checksum.patch (+152 lines)
		1	From f3762dbb68a85abb26e81973bdec835bca9bee1b Mon Sep 17 00:00:00 2001
		2	From: Andrew Bartlett <abartlet@samba.org>
		3	Date: Fri, 26 Jun 2015 19:14:13 +1200
		4	Subject: [PATCH 1/3] gensec: Add an option emulating another mode a client
		5	building GSSAPI/krb5 manually uses
		6
		7	This was seen in the wild, with a real NAS against the AD DC
		8
		9	Signed-off-by: Andrew Bartlett <abartlet@samba.org>
		10	---
		11	source4/auth/gensec/gensec_krb5.c \| 12 +++++++++---
		12	1 file changed, 9 insertions(+), 3 deletions(-)
		13
		14	diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
		15	index b1ecd18..56513c9 100644
		16	--- a/source4/auth/gensec/gensec_krb5.c
		17	+++ b/source4/auth/gensec/gensec_krb5.c
		18	@@ -287,8 +287,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
		19	const char *principal;
		20	const char *hostname;
		21	krb5_data in_data;
		22	+ krb5_data *in_data_p = NULL;
		23	struct tevent_context *previous_ev;
		24
		25	+ if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
		26	+ NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
		27	+ in_data.length = 0;
		28	+ in_data_p = &in_data;
		29	+ }
		30	+
		31	gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
		32
		33	principal = gensec_get_target_principal(gensec_security);
		34	@@ -314,7 +321,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
		35	DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
		36	return NT_STATUS_UNSUCCESSFUL;
		37	}
		38	- in_data.length = 0;
		39
		40	/* Do this every time, in case we have weird recursive issues here */
		41	ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
		42	@@ -331,7 +337,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
		43	&gensec_krb5_state->auth_context,
		44	gensec_krb5_state->ap_req_options,
		45	target_principal,
		46	- &in_data, ccache_container->ccache,
		47	+ in_data_p, ccache_container->ccache,
		48	&gensec_krb5_state->enc_ticket);
		49	krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
		50	target_principal);
		51	@@ -342,7 +348,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
		52	gensec_krb5_state->ap_req_options,
		53	gensec_get_target_service(gensec_security),
		54	hostname,
		55	- &in_data, ccache_container->ccache,
		56	+ in_data_p, ccache_container->ccache,
		57	&gensec_krb5_state->enc_ticket);
		58	}
		59
		60	--
		61	2.1.4
		62
		63
		64	From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001
65	From: Andrew Bartlett <abartlet@samba.org>
66	Date: Fri, 26 Jun 2015 19:14:56 +1200
67	Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum
68	at all
69
70	This was seen in the wild, with a real NAS against the AD DC
71
72	Signed-off-by: Andrew Bartlett <abartlet@samba.org>
73	---
74	.../heimdal/lib/gssapi/krb5/accept_sec_context.c \| 21 ++++++++++++---------
75	1 file changed, 12 insertions(+), 9 deletions(-)
76
77	diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
78	index 5a00e12..137f10a 100644
79	--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
80	+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
81	@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
82	return ret;
83	}
84
85	- if (authenticator->cksum == NULL) {
86	- krb5_free_authenticator(context, &authenticator);
87	- *minor_status = 0;
88	- return GSS_S_BAD_BINDINGS;
89	- }
90	-
91	- if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
92	+ if (authenticator->cksum != NULL
93	+ && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
94	ret = _gsskrb5_verify_8003_checksum(minor_status,
95	input_chan_bindings,
96	authenticator->cksum,
97	@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
98	if (ret) {
99	return ret;
100	}
101	- } else {
102	+ } else if (authenticator->cksum != NULL) {
103	krb5_crypto crypto;
104
105	kret = krb5_crypto_init(context,
106	@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
107	ctx->flags = GSS_C_REPLAY_FLAG \| GSS_C_SEQUENCE_FLAG;
108	if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
109	ctx->flags \|= GSS_C_MUTUAL_FLAG;
110	- }
111	+ } else {
112	+ /*
113	+ * Windows also accepts no checksum, and some clients send
114	+ * this, so here also ap_options to guess the mutual flag.
115	+ */
116	+ ctx->flags = GSS_C_REPLAY_FLAG \| GSS_C_SEQUENCE_FLAG;
117	+ if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
118	+ ctx->flags \|= GSS_C_MUTUAL_FLAG;
119	+ }
120	}
121
122	if(ctx->flags & GSS_C_MUTUAL_FLAG) {
123	--
124	2.1.4
125
126
127	From 7c6837a02af592b1c29b5695b014763d52925543 Mon Sep 17 00:00:00 2001
128	From: Andrew Bartlett <abartlet@samba.org>
129	Date: Fri, 26 Jun 2015 19:15:31 +1200
130	Subject: [PATCH 3/3] selftest: Add test for GSSAPI with no authenticator
131	checksum mode
132
133	Signed-off-by: Andrew Bartlett <abartlet@samba.org>
134	---
135	source4/selftest/tests.py \| 1 +
136	1 file changed, 1 insertion(+)
137
138	diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
139	index ff675ba..508ac6a 100755
140	--- a/source4/selftest/tests.py
141	+++ b/source4/selftest/tests.py
142	@@ -182,6 +182,7 @@ for env in ["dc", "fl2000dc", "fl2003dc"
143	plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,))
144	plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,))
145	plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
146	+ plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport)
147	plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
148	for transport in transports:
149	plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, ))
150	--
151	2.1.4
152