authorStefan Metzmacher <metze@samba.org>2017-06-24 13:16:03 +0200
committerJeremy Allison <jra@samba.org>2017-06-26 23:16:13 +0200
commit8ee4f8236830eb3fa1b273fa6927792a800f86bd (patch)
tree76cc11b54966b3330abdc2878877ee075e18ad8f /auth/ntlmssp
parentacc16592b451905dabc093f1d261e93cd3b59520 (diff)
auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
Some servers may not announce the NTLMSSP_NEGOTIATE_NTLM2 (a.k.a. NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) bit. But if we're acting as a client using NTLMv2 we need to enforce this flag, because it's not really negotiable in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12862 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'auth/ntlmssp')
-rw-r--r--auth/ntlmssp/ntlmssp_util.c21
1 files changed, 21 insertions, 0 deletions
diff --git a/auth/ntlmssp/ntlmssp_util.c b/auth/ntlmssp/ntlmssp_util.c
index 4ae6101f025..9c7325a23e0 100644
--- a/auth/ntlmssp/ntlmssp_util.c
+++ b/auth/ntlmssp/ntlmssp_util.c
@@ -75,6 +75,27 @@ NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
{
uint32_t missing_flags = ntlmssp_state->required_flags;
+ if (ntlmssp_state->use_ntlmv2) {
+ /*
+ * Using NTLMv2 as a client implies
+ * using NTLMSSP_NEGOTIATE_NTLM2
+ * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+ *
+ * Note that 'use_ntlmv2' is only set
+ * true in the client case.
+ *
+ * Even if the server has a bug and does not announce
+ * it, we need to assume it's present.
+ *
+ * Note that we also have the flag
+ * in ntlmssp_state->required_flags,
+ * see gensec_ntlmssp_client_start().
+ *
+ * See bug #12862.
+ */
+ flags |= NTLMSSP_NEGOTIATE_NTLM2;
+ }
+
if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
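Review bot: The added `flags |= NTLMSSP_NEGOTIATE_NTLM2;` overrides the server's announcement silently, so a challenge that arrives without the bit (a buggy server, or a message altered in transit) leaves no trace for anyone later debugging or auditing the session. Consider logging the mismatch before forcing the bit, using the project's usual debug macro, e.g. `if (!(flags & NTLMSSP_NEGOTIATE_NTLM2)) { DEBUG(3, ("peer did not announce NTLMSSP_NEGOTIATE_NTLM2, enforcing it for NTLMv2\n")); }`. The comment's statement that `use_ntlmv2` is only true in the client case is an invariant this branch relies on but does not check; whether it holds for every caller cannot be confirmed from the hunk. The body of ntlmssp_handle_neg_flags continues past the end of the hunk.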