Attachment #6998 for bug #38827




From f3762dbb68a85abb26e81973bdec835bca9bee1b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Jun 2015 19:14:13 +1200
Subject: [PATCH 1/3] gensec: Add an option emulating another mode a client
 building GSSAPI/krb5 manually uses

This was seen in the wild, with a real NAS against the AD DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/auth/gensec/gensec_krb5.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index b1ecd18..56513c9 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -287,8 +287,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 	const char *principal;
 	const char *hostname;
 	krb5_data in_data;
+	krb5_data *in_data_p = NULL;
 	struct tevent_context *previous_ev;
 
+	if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
+			    NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
+		in_data.length = 0;
+		in_data_p = &in_data;
+	}
+	
 	gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
 
 	principal = gensec_get_target_principal(gensec_security);
@@ -314,7 +321,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 		DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
 		return NT_STATUS_UNSUCCESSFUL;
 	}
-	in_data.length = 0;
 	
 	/* Do this every time, in case we have weird recursive issues here */
 	ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
@@ -331,7 +337,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 						&gensec_krb5_state->auth_context,
 						gensec_krb5_state->ap_req_options, 
 						target_principal,
-						&in_data, ccache_container->ccache, 
+						in_data_p, ccache_container->ccache, 
 						&gensec_krb5_state->enc_ticket);
 			krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
 					    target_principal);
@@ -342,7 +348,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 				  gensec_krb5_state->ap_req_options,
 				  gensec_get_target_service(gensec_security),
 				  hostname,
-				  &in_data, ccache_container->ccache, 
+				  in_data_p, ccache_container->ccache, 
 				  &gensec_krb5_state->enc_ticket);
 	}
 
-- 
2.1.4


From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Jun 2015 19:14:56 +1200
Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum
 at all

This was seen in the wild, with a real NAS against the AD DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 .../heimdal/lib/gssapi/krb5/accept_sec_context.c    | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 5a00e12..137f10a 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    return ret;
 	}
 
-	if (authenticator->cksum == NULL) {
-	    krb5_free_authenticator(context, &authenticator);
-	    *minor_status = 0;
-	    return GSS_S_BAD_BINDINGS;
-	}
-
-        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+        if (authenticator->cksum != NULL
+	    && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
             ret = _gsskrb5_verify_8003_checksum(minor_status,
 						input_chan_bindings,
 						authenticator->cksum,
@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    if (ret) {
 		return ret;
 	    }
-        } else {
+        } else if (authenticator->cksum != NULL) {
 	    krb5_crypto crypto;
 
 	    kret = krb5_crypto_init(context,
@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
  	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
 		ctx->flags |= GSS_C_MUTUAL_FLAG;
-        }
+        } else {
+	    /*
+	     * Windows also accepts no checksum, and some clients send
+	     * this, so here also ap_options to guess the mutual flag.
+	     */
+ 	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
+		ctx->flags |= GSS_C_MUTUAL_FLAG;
+	}
     }
 
     if(ctx->flags & GSS_C_MUTUAL_FLAG) {
-- 
2.1.4


From 7c6837a02af592b1c29b5695b014763d52925543 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 26 Jun 2015 19:15:31 +1200
Subject: [PATCH 3/3] selftest: Add test for GSSAPI with no authenticator
 checksum mode

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/selftest/tests.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ff675ba..508ac6a 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -182,6 +182,7 @@ for env in ["dc", "fl2000dc", "fl2003dc"
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,))
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
+    plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport)
     plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
     for transport in transports:
         plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, ))
-- 
2.1.4


(-)samba-4.2.2.orig/debian/patches/series (+1 lines)

Line 10000	Link Here

10000

98_allow-no-checksum.patch

Return to bug 38827