Univention Bugzilla – Attachment 6998 Details for Bug 38827: Huawei Unified Storage System S5500 V3 fails to join UCS AD domain
[patch] 98_allow-no-checksum.patch (text/plain), 7.88 KB, created by Janis Meybohm on 2015-07-03 09:04:46 CEST
>Additional (#2) Patch for Ticket#: 2015061621000357 > >diff -Nuar samba-4.2.2.orig/debian/patches/98_allow-no-checksum.patch samba-4.2.2/debian/patches//98_allow-no-checksum.patch >--- samba-4.2.2.orig/debian/patches/98_allow-no-checksum.patch 1970-01-01 01:00:00.000000000 +0100 >+++ samba-4.2.2/debian/patches//98_allow-no-checksum.patch 2015-06-30 11:31:28.000000000 +0200 
>@@ -0,0 +1,152 @@ >+From f3762dbb68a85abb26e81973bdec835bca9bee1b Mon Sep 17 00:00:00 2001 >+From: Andrew Bartlett <abartlet@samba.org> >+Date: Fri, 26 Jun 2015 19:14:13 +1200 >+Subject: [PATCH 1/3] gensec: Add an option emulating another mode a client >+ building GSSAPI/krb5 manually uses >+ >+This was seen in the wild, with a real NAS against the AD DC >+ >+Signed-off-by: Andrew Bartlett <abartlet@samba.org> >+--- >+ source4/auth/gensec/gensec_krb5.c | 12 +++++++++--- >+ 1 file changed, 9 insertions(+), 3 deletions(-) >+ >+diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c >+index b1ecd18..56513c9 100644 >+--- a/source4/auth/gensec/gensec_krb5.c >++++ b/source4/auth/gensec/gensec_krb5.c >+@@ -287,8 +287,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s >+ const char *principal; >+ const char *hostname; >+ krb5_data in_data; >++ krb5_data *in_data_p = NULL; >+ struct tevent_context *previous_ev; >+ >++ if (lpcfg_parm_bool(gensec_security->settings->lp_ctx, >++ NULL, "gensec_krb5", "send_authenticator_checksum", true)) { >++ in_data.length = 0; >++ in_data_p = &in_data; >++ } >++ >+ gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; >+ >+ principal = gensec_get_target_principal(gensec_security); >+@@ -314,7 +321,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s >+ DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string)); >+ return NT_STATUS_UNSUCCESSFUL; >+ } >+- in_data.length = 0; >+ >+ /* Do this every time, in case we have weird recursive issues here */ >+ ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev); >+@@ -331,7 +337,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s >+ &gensec_krb5_state->auth_context, >+ gensec_krb5_state->ap_req_options, >+ target_principal, >+- &in_data, ccache_container->ccache, >++ in_data_p, 
ccache_container->ccache, >+ &gensec_krb5_state->enc_ticket); >+ krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, >+ target_principal); >+@@ -342,7 +348,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s >+ gensec_krb5_state->ap_req_options, >+ gensec_get_target_service(gensec_security), >+ hostname, >+- &in_data, ccache_container->ccache, >++ in_data_p, ccache_container->ccache, >+ &gensec_krb5_state->enc_ticket); >+ } >+ >+-- >+2.1.4 >+ >+ >+From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001 >+From: Andrew Bartlett <abartlet@samba.org> >+Date: Fri, 26 Jun 2015 19:14:56 +1200 >+Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum >+ at all >+ >+This was seen in the wild, with a real NAS against the AD DC >+ >+Signed-off-by: Andrew Bartlett <abartlet@samba.org> >+--- >+ .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 21 ++++++++++++--------- >+ 1 file changed, 12 insertions(+), 9 deletions(-) >+ >+diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c >+index 5a00e12..137f10a 100644 >+--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c >++++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c >+@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, >+ return ret; >+ } >+ >+- if (authenticator->cksum == NULL) { >+- krb5_free_authenticator(context, &authenticator); >+- *minor_status = 0; >+- return GSS_S_BAD_BINDINGS; >+- } >+- >+- if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { >++ if (authenticator->cksum != NULL >++ && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { >+ ret = _gsskrb5_verify_8003_checksum(minor_status, >+ input_chan_bindings, >+ authenticator->cksum, >+@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, >+ if (ret) { >+ return ret; >+ } >+- } else { >++ } else if (authenticator->cksum != NULL) { >+ krb5_crypto crypto; >+ 
>+ kret = krb5_crypto_init(context, >+@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, >+ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; >+ if (ap_options & AP_OPTS_MUTUAL_REQUIRED) >+ ctx->flags |= GSS_C_MUTUAL_FLAG; >+- } >++ } else { >++ /* >++ * Windows also accepts no checksum, and some clients send >++ * this, so here also ap_options to guess the mutual flag. >++ */ >++ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; >++ if (ap_options & AP_OPTS_MUTUAL_REQUIRED) >++ ctx->flags |= GSS_C_MUTUAL_FLAG; >++ } >+ } >+ >+ if(ctx->flags & GSS_C_MUTUAL_FLAG) { >+-- >+2.1.4 >+ >+ >+From 7c6837a02af592b1c29b5695b014763d52925543 Mon Sep 17 00:00:00 2001 >+From: Andrew Bartlett <abartlet@samba.org> >+Date: Fri, 26 Jun 2015 19:15:31 +1200 >+Subject: [PATCH 3/3] selftest: Add test for GSSAPI with no authenticator >+ checksum mode >+ >+Signed-off-by: Andrew Bartlett <abartlet@samba.org> >+--- >+ source4/selftest/tests.py | 1 + >+ 1 file changed, 1 insertion(+) >+ >+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py >+index ff675ba..508ac6a 100755 >+--- a/source4/selftest/tests.py >++++ b/source4/selftest/tests.py >+@@ -182,6 +182,7 @@ for env in ["dc", "fl2000dc", "fl2003dc" >+ plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,)) >+ plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,)) >+ plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', 
"--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport) >++ plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport) >+ plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport) >+ for transport in transports: >+ plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, )) >+-- >+2.1.4 >+ >diff -Nuar samba-4.2.2.orig/debian/patches/series samba-4.2.2/debian/patches//series >--- samba-4.2.2.orig/debian/patches/series 2015-06-30 11:15:36.000000000 +0200 >+++ samba-4.2.2/debian/patches//series 2015-06-30 11:31:28.000000000 +0200 >@@ -10000,0 +10000,1 @@ >+98_allow-no-checksum.patch
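Review bot: In the gensec_krb5.c hunk at @@ -287, the new parametric option gensec_krb5:send_authenticator_checksum is read through lpcfg_parm_bool() but is neither named in the commit message nor documented anywhere in the change. With the option set to false, in_data_p stays NULL and the client sends no authenticator checksum, so please name the option in the commit message and add a comment above the lpcfg_parm_bool() call saying it exists to emulate such clients. In the same hunk only in_data.length = 0 is assigned and in_data.data is left unset; initialise the whole krb5_data at its declaration.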
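Review bot: In the accept_sec_context.c hunk at @@ -510, dropping the "if (authenticator->cksum == NULL)" rejection makes gsskrb5_acceptor_start() accept a checksum-less authenticator unconditionally, even when the caller supplied input_chan_bindings. Those bindings are then never checked, because _gsskrb5_verify_8003_checksum() is only reached when a checksum is present. The client side in patch 1/3 is gated by an option, but the acceptor side has none. I would keep returning GSS_S_BAD_BINDINGS when cksum is NULL and input_chan_bindings is not GSS_C_NO_CHANNEL_BINDINGS, or put the relaxed behaviour behind a setting. The commit message should also say that this changes acceptor behaviour for every caller.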
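Review bot: In the accept_sec_context.c hunk at @@ -565, the new else branch repeats the flag assignment of the branch directly above it verbatim ("ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;" followed by the AP_OPTS_MUTUAL_REQUIRED test). Together with the "else if (authenticator->cksum != NULL)" added at @@ -527, the NULL test is now spread over three branches. Consider one non-8003 branch that sets the flags once and runs the krb5_crypto verification only when cksum is not NULL. The comment is also missing a verb: "so here also ap_options to guess the mutual flag" should read "so here also use ap_options". The statement that Windows accepts no checksum would benefit from a reference.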
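Review bot: In the source4/selftest/tests.py hunk at @@ -182, the single added plansmbtorture4testsuite line only exercises the success path of rpc.lsa.secrets.none* with --option=gensec_krb5:send_authenticator_checksum=false. Nothing covers the acceptor change in patch 2/3 on its own, for example a case where the server is expected to refuse a checksum-less request. The new line is also inserted between the two "use Samba3 style login" variants; placing it after them would keep the related pair together.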