From f3762dbb68a85abb26e81973bdec835bca9bee1b Mon Sep 17 00:00:00 2001 |
From: Andrew Bartlett <abartlet@samba.org> |
Date: Fri, 26 Jun 2015 19:14:13 +1200 |
Subject: [PATCH 1/3] gensec: Add an option emulating another mode a client |
building GSSAPI/krb5 manually uses |
|
This was seen in the wild, with a real NAS against the AD DC |
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org> |
--- |
source4/auth/gensec/gensec_krb5.c | 12 +++++++++--- |
1 file changed, 9 insertions(+), 3 deletions(-) |
|
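diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index b1ecd18..56513c9 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -287,8 +287,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 const char *principal;
 const char *hostname;
 krb5_data in_data;
+krb5_data *in_data_p = NULL;
 struct tevent_context *previous_ev;
 
+if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
+NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
+in_data.length = 0;
+in_data_p = &in_data;
+}
+
 gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
 
 principal = gensec_get_target_principal(gensec_security);
@@ -314,7 +321,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
 return NT_STATUS_UNSUCCESSFUL;
 }
-in_data.length = 0;
 
 /* Do this every time, in case we have weird recursive issues here */
 ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
@@ -331,7 +337,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 &gensec_krb5_state->auth_context,
 gensec_krb5_state->ap_req_options,
 target_principal,
-&in_data, ccache_container->ccache,
+in_data_p, ccache_container->ccache,
 &gensec_krb5_state->enc_ticket);
 krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context,
 target_principal);
@@ -342,7 +348,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
 gensec_krb5_state->ap_req_options,
 gensec_get_target_service(gensec_security),
 hostname,
-&in_data, ccache_container->ccache,
+in_data_p, ccache_container->ccache,
 &gensec_krb5_state->enc_ticket);
 }
 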
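Review bot: The `send_authenticator_checksum` lookup in the first hunk needs a comment, because nothing in the code says why a NULL `in_data_p` is handed to the two request-building calls in the third and fourth hunks or what that does to the AP-REQ. I would add, above the `lpcfg_parm_bool` call: `/* Interop mode: some hand-built GSSAPI/krb5 clients send an authenticator with no checksum; a NULL in_data presumably makes the library omit it (confirm against the mk_req code). Default on; disable only to emulate such a client. */`. Since the authenticator checksum is what carries the channel bindings and GSS flags to the acceptor, the comment should make clear this is a testing and emulation knob rather than a general-purpose setting. `in_data.data` is still never initialised, only `.length`; that predates this change, but `krb5_data in_data = { 0 };` at the declaration would make the struct harmless if the callee ever looks at `.data`. gensec_krb5_common_client_creds starts before the first hunk and continues after the last.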
-- |
2.1.4 |
|
|
From 13c983e3f312e6ef743981aae55e7d0020d67664 Mon Sep 17 00:00:00 2001 |
From: Andrew Bartlett <abartlet@samba.org> |
Date: Fri, 26 Jun 2015 19:14:56 +1200 |
Subject: [PATCH 2/3] heimdal: Allow a mode where the client sends no checksum |
at all |
|
This was seen in the wild, with a real NAS against the AD DC |
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org> |
--- |
.../heimdal/lib/gssapi/krb5/accept_sec_context.c | 21 ++++++++++++--------- |
1 file changed, 12 insertions(+), 9 deletions(-) |
|
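diff --git a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
index 5a00e12..137f10a 100644
--- a/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
+++ b/source4/heimdal/lib/gssapi/krb5/accept_sec_context.c
@@ -510,13 +510,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 return ret;
 }
 
-if (authenticator->cksum == NULL) {
-krb5_free_authenticator(context, &authenticator);
-*minor_status = 0;
-return GSS_S_BAD_BINDINGS;
-}
-
-if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
+if (authenticator->cksum != NULL
+&& authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
 ret = _gsskrb5_verify_8003_checksum(minor_status,
 input_chan_bindings,
 authenticator->cksum,
@@ -527,7 +522,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 if (ret) {
 return ret;
 }
-} else {
+} else if (authenticator->cksum != NULL) {
 krb5_crypto crypto;
 
 kret = krb5_crypto_init(context,
@@ -565,7 +560,15 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
 ctx->flags |= GSS_C_MUTUAL_FLAG;
-}
+} else {
+/*
+ * Windows also accepts no checksum, and some clients send
+ * this, so here also ap_options to guess the mutual flag.
+ */
+ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
+ctx->flags |= GSS_C_MUTUAL_FLAG;
+}
 }
 
 if(ctx->flags & GSS_C_MUTUAL_FLAG) {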
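Review bot: The new `} else {` branch in the third hunk accepts an authenticator with no checksum unconditionally, so an acceptor whose caller supplied `input_chan_bindings` no longer gets GSS_S_BAD_BINDINGS for such a token; the only place those bindings appear to be compared is the `_gsskrb5_verify_8003_checksum` call in the first hunk, which the no-checksum path never reaches. If the caller asked for channel bindings, a missing checksum cannot satisfy them and should still be refused, as the removed block did; the guard below keeps the removed cleanup (`krb5_free_authenticator`, `*minor_status = 0`) and only relaxes the case where no bindings were requested. Whether returning here leaks the authenticator depends on cleanup elsewhere in gsskrb5_acceptor_start, which begins before the first hunk and continues past the last. The comment on the new branch should also say that with no checksum the acceptor has no client flags at all and is inferring only GSS_C_MUTUAL_FLAG from `ap_options`, so delegation and other flag-driven behaviour stay off.
```c
} else if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
    /*
     * The acceptor asked for channel bindings; an authenticator
     * without a checksum cannot carry them, so keep refusing it.
     */
    krb5_free_authenticator(context, &authenticator);
    *minor_status = 0;
    return GSS_S_BAD_BINDINGS;
} else {
    /* … unchanged: flags guessed from ap_options … */
```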
-- |
2.1.4 |
|
|
From 7c6837a02af592b1c29b5695b014763d52925543 Mon Sep 17 00:00:00 2001 |
From: Andrew Bartlett <abartlet@samba.org> |
Date: Fri, 26 Jun 2015 19:15:31 +1200 |
Subject: [PATCH 3/3] selftest: Add test for GSSAPI with no authenticator |
checksum mode |
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org> |
--- |
source4/selftest/tests.py | 1 + |
1 file changed, 1 insertion(+) |
|
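diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ff675ba..508ac6a 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -182,6 +182,7 @@ for env in ["dc", "fl2000dc", "fl2003dc"
 plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--option=gensec:target_hostname=$NETBIOSNAME', 'rpc.lsa.secrets'], "samba4.rpc.lsa.secrets on %s with Kerberos" % (transport,))
 plansmbtorture4testsuite('rpc.lsa.secrets', env, ["%s:$SERVER[]" % (transport, ), '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use target principal" % (transport,))
 plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login" % transport)
+plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=gensec:fake_gssapi_krb5=yes", '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME', '--option=gensec_krb5:send_authenticator_checksum=false'], "samba4.rpc.lsa.secrets on %s with Kerberos - use raw-krb5-no-authenticator-checksum style login" % transport)
 plansmbtorture4testsuite('rpc.lsa.secrets.none*', env, ["%s:$SERVER" % transport, '-k', 'yes', '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', "--option=clientusespnegoprincipal=yes", '--option=gensec:fake_gssapi_krb5=yes', '--option=gensec:gssapi_krb5=no', '--option=gensec:target_hostname=$NETBIOSNAME'], "samba4.rpc.lsa.secrets on %s with Kerberos - use Samba3 style login, use target principal" % transport)
 for transport in transports:
 plansmbtorture4testsuite('rpc.echo', env, ["%s:$SERVER[]" % (transport,), '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN'], "samba4.rpc.echo on %s" % (transport, ))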
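Review bot: The added `plansmbtorture4testsuite` entry differs from the line above it only in the `--option=gensec_krb5:send_authenticator_checksum=false` flag and the description string, and nothing in tests.py says what that mode is or why the DC must accept it. I would put a comment immediately before the new line: `# Emulate a client that sends an AP-REQ authenticator with no checksum at all; the DC must still accept the login.` This entry only checks that the no-checksum client is accepted; if a case where the acceptor was given channel bindings and must reject such a client is wanted, that would need a separate entry. The enclosing `for env` and `for transport` loops start before the hunk.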
-- |
2.1.4 |
|