diff options
| author | Stefan Metzmacher <metze@samba.org> | 2018-05-07 14:50:27 +0200 |
|---|---|---|
| committer | Karolin Seeger <kseeger@samba.org> | 2018-06-04 09:55:28 +0200 |
| commit | 9cb645981ca5176a2f64b2a30313871a6b724dc4 (patch) | |
| tree | 008a8bd23ec629af77bcdd6b61aec1c328e12dc2 /auth | |
| parent | 7faa201daf4a716caeb1c5753bd507589a4dd550 (diff) | |
| download | samba-9cb645981ca5176a2f64b2a30313871a6b724dc4.tar.gz | |
auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.
This fixes a regession in the combination of commits
77adac8c3cd2f7419894d18db735782c9646a202 and
3a0b835408a6efa339e8b34333906bfe3aacd6e3.
We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server, while we already
do so at the beginning as a client).
As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE
(as an internal flag) in order to let us work as a
Windows using NTLMSSP for LDAP. Even if only signing is
negotiated during the authentication the following PDUs
will still be encrypted if NTLMSSP is used. This is exactly the
same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL.
I guess it's a bug in Windows, but we have to reimplement that
bug. Note this only applies to NTLMSSP and only to LDAP!
Signing only works fine for LDAP with Kerberos
or DCERPC and NTLMSSP.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
(cherry picked from commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa)
Diffstat (limited to 'auth')
| -rw-r--r-- | auth/ntlmssp/gensec_ntlmssp_server.c | 19 | ||||
| -rw-r--r-- | auth/ntlmssp/ntlmssp_server.c | 8 |
2 files changed, 8 insertions, 19 deletions
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index c0e6cff5952..ab92f4d0c09 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; - if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - } - if (gensec_security->want_features & GENSEC_FEATURE_SIGN) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - - if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { - /* - * We need to handle NTLMSSP_NEGOTIATE_SIGN as - * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE - * is requested. - */ - ntlmssp_state->force_wrap_seal = true; - } - } - if (gensec_security->want_features & GENSEC_FEATURE_SEAL) { - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; - ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; - } if (role == ROLE_STANDALONE) { ntlmssp_state->server.is_standalone = true; diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 37ed2bc9565..140e89daeb1 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security, data_blob_free(&ntlmssp_state->challenge_blob); if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) { + if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) { + /* + * We need to handle NTLMSSP_NEGOTIATE_SIGN as + * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE + * is requested. + */ + ntlmssp_state->force_wrap_seal = true; + } nt_status = ntlmssp_sign_init(ntlmssp_state); } |