Additional (#2) Patch for Ticket#: 2015061621000357 diff -Nuar samba-4.2.2.orig/debian/patches/98_allow-no-checksum.patch samba-4.2.2/debian/patches//98_allow-no-checksum.patch --- samba-4.2.2.orig/debian/patches/98_allow-no-checksum.patch 1970-01-01 01:00:00.000000000 +0100 +++ samba-4.2.2/debian/patches//98_allow-no-checksum.patch 2015-06-30 11:31:28.000000000 +0200 @@ -0,0 +1,152 @@ +From f3762dbb68a85abb26e81973bdec835bca9bee1b Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 26 Jun 2015 19:14:13 +1200 +Subject: [PATCH 1/3] gensec: Add an option emulating another mode a client + building GSSAPI/krb5 manually uses + +This was seen in the wild, with a real NAS against the AD DC + +Signed-off-by: Andrew Bartlett +--- + source4/auth/gensec/gensec_krb5.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c +index b1ecd18..56513c9 100644 +--- a/source4/auth/gensec/gensec_krb5.c ++++ b/source4/auth/gensec/gensec_krb5.c +@@ -287,8 +287,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s + const char *principal; + const char *hostname; + krb5_data in_data; ++ krb5_data *in_data_p = NULL; + struct tevent_context *previous_ev; + ++ if (lpcfg_parm_bool(gensec_security->settings->lp_ctx, ++ NULL, "gensec_krb5", "send_authenticator_checksum", true)) { ++ in_data.length = 0; ++ in_data_p = &in_data; ++ } ++ + gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; + + principal = gensec_get_target_principal(gensec_security); +@@ -314,7 +321,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s + DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string)); + return NT_STATUS_UNSUCCESSFUL; + } +- in_data.length = 0; + + /* Do this every time, in case we have weird recursive issues here */ + ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev); +@@ -331,7 +337,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s + &gensec_krb5_state->auth_context, + gensec_krb5_state->ap_req_options, + target_principal, +- &in_data, ccache_container->ccache, ++ in_data_p, ccache_container->ccache, + &gensec_krb5_state->enc_ticket); + krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, + target_principal); +@@ -342,7 +348,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s + gensec_krb5_state->ap_req_options, + gensec_get_target_service(gensec_security), + hostname, +- &in_data, ccache_container->ccache, ++ in_data_p, ccache_container->ccache, + &gensec_krb5_state->enc_ticket); + } + +-- +2.1.4 + + +From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 26 Jun 2015 19:14:56 +1200 +Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum + at all + +This was seen in the wild, with a real NAS against the AD DC + +Signed-off-by: Andrew Bartlett +--- + .../heimdal/lib/gssapi/krb5/accept_sec_context.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +index 5a00e12..137f10a 100644 +--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c ++++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c +@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, + return ret; + } + +- if (authenticator->cksum == NULL) { +- krb5_free_authenticator(context, &authenticator); +- *minor_status = 0; +- return GSS_S_BAD_BINDINGS; +- } +- +- if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { ++ if (authenticator->cksum != NULL ++ && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { + ret = _gsskrb5_verify_8003_checksum(minor_status, + input_chan_bindings, + authenticator->cksum, +@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, + if (ret) { + return ret; + } +- } else { ++ } else if (authenticator->cksum != NULL) { + krb5_crypto crypto; + + kret = krb5_crypto_init(context, +@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, + ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; + if (ap_options & AP_OPTS_MUTUAL_REQUIRED) + ctx->flags |= GSS_C_MUTUAL_FLAG; +- } ++ } else { ++ /* ++ * Windows also accepts no checksum, and some clients send ++ * this, so here also ap_options to guess the mutual flag. ++ */ ++ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG; ++ if (ap_options & AP_OPTS_MUTUAL_REQUIRED) ++ ctx->flags |= GSS_C_MUTUAL_FLAG; ++ } + } + + if(ctx->flags & GSS_C_MUTUAL_FLAG) { +-- +2.1.4 + + +From 7c6837a02af592b1c29b5695b014763d52925543 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 26 Jun 2015 19:15:31 +1200 +Subject: [PATCH 3/3] selftest: Add test for GSSAPI with no authenticator + checksum mode + +Signed-off-by: Andrew Bartlett +--- + source4/selftest/tests.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py +index ff675ba..508ac6a 100755 +--- a/source4/selftest/tests.py ++++ b/source4/selftest/tests.py +@@ -182,6 +182,7 @@ for env in ["dc", "fl2000dc", "fl2003dc" + plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,)) + plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,)) + plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport) ++ plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport) + plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport) + for transport in transports: + plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, )) +-- +2.1.4 + diff -Nuar samba-4.2.2.orig/debian/patches/series samba-4.2.2/debian/patches//series --- samba-4.2.2.orig/debian/patches/series 2015-06-30 11:15:36.000000000 +0200 +++ samba-4.2.2/debian/patches//series 2015-06-30 11:31:28.000000000 +0200 @@ -10000,0 +10000,1 @@ +98_allow-no-checksum.patch