summaryrefslogtreecommitdiff
path: root/auth/ntlmssp
Commit message (Collapse)AuthorAgeFilesLines
* auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a serverStefan Metzmacher2018-06-042-19/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection. This fixes a regession in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3. We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server, while we already do so at the beginning as a client). As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE (as an internal flag) in order to let us work as a Windows using NTLMSSP for LDAP. Even if only signing is negotiated during the authentication the following PDUs will still be encrypted if NTLMSSP is used. This is exactly the same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. I guess it's a bug in Windows, but we have to reimplement that bug. Note this only applies to NTLMSSP and only to LDAP! Signing only works fine for LDAP with Kerberos or DCERPC and NTLMSSP. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144 (cherry picked from commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa)
* auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal optionStefan Metzmacher2018-06-041-7/+17
| | | | | | | | | | | | | This will be used to similate a Windows client only using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection, which is indicated internally by GENSEC_FEATURE_LDAP_STYLE. Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d)
* define DBGC_AUTH classkkplein2018-01-086-0/+18
| | | | | | Signed-off-by: Mourik Jan C Heupink <heupink@merit.unu.edu> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/common: add support for auth4_ctx->check_ntlm_password_send/recv()Stefan Metzmacher2017-08-071-0/+65
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/ntlmssp: merge ntlmssp_server_check_password() into ↵Stefan Metzmacher2017-08-071-48/+22
| | | | | | | ntlmssp_server_auth_send() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/ntlmssp: introduce ntlmssp_server_auth_send/recvStefan Metzmacher2017-08-073-66/+81
| | | | | | | We still use the sync ntlmssp_server_check_password(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/ntlmssp: prepare update_send/recv for real async processingStefan Metzmacher2017-08-071-0/+48
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client caseStefan Metzmacher2017-06-261-0/+21
| | | | | | | | | | | | | | Some servers may not announce the NTLMSSP_NEGOTIATE_NTLM2 (a.k.a. NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) bit. But if we're acting as a client using NTLMv2 we need to enforce this flag, because it's not really a negotiationable in that case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12862 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
* auth/ntlmssp: make ntlmssp_server_check_password() shorterStefan Metzmacher2017-06-261-49/+53
| | | | | | | | | | We move as must as possible into ntlmssp_server_{pre,post}auth(). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Jun 26 13:07:30 CEST 2017 on sn-devel-144
* auth/ntlmssp: remove useless talloc_steal calls in ↵Stefan Metzmacher2017-06-261-2/+5
| | | | | | | | | | | | | ntlmssp_server_check_password() We only create a temporary auth_usersupplied_info structure and pass it down as const, lets keep the values on ntlmssp_state otherwise we may derefence stale pointers. We finally free the memory at the end of ntlmssp_server_postauth() now. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: add implement gensec_ntlmssp_update_send/recv()Stefan Metzmacher2017-05-211-24/+57
| | | | | | | | Currently only backend functions are sync functions, but that needs to change in future. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: make gensec_ntlmssp_update() staticStefan Metzmacher2017-05-212-11/+4
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: rename 'input' to 'in' in gensec_ntlmssp_update()Stefan Metzmacher2017-05-211-3/+7
| | | | | | | This matches all other gensec modules. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: remove unused variable from gensec_ntlmssp_update()Stefan Metzmacher2017-05-211-1/+0
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: avoid using NT_STATUS_NOT_OK_RETURN() in gensec_ntlmssp_update()Stefan Metzmacher2017-05-211-2/+6
| | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: remove mem_ctx=NULL handling from gensec_ntlmssp_update()Stefan Metzmacher2017-05-211-6/+0
| | | | | | | | The caller is expected always pass a valid context and this fallback was needed ages ago. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* gensec: Add a TALLOC_CTX * to gensec_register().Jeremy Allison2017-05-131-2/+2
| | | | | | | | Pass in the TALLOC_CTX * from the module init to remove another talloc_autofree_context() use. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to ↵Jeremy Allison2017-04-222-2/+2
| | | | | | | | | | | | | | | | | | | | XXX_init(TALLOC_CTX *) Not currently used - no logic changes inside. This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global. Updated all known module interface numbers, and added a WHATSNEW. Signed-off-by: Jeremy Allison <jra@samba.org> Signed-off-by: Ralph Böhme <slow@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* auth_log: Also log the final type of authentication (ntlmssp,krb5)Andrew Bartlett2017-03-292-1/+14
| | | | | | | | | Administrators really care about how their users were authenticated, so make this clear. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Always supply both the remote and local address to the auth subsystemAndrew Bartlett2017-03-291-0/+1
| | | | | | | | | | | This ensures that gensec, and then the NTLM auth subsystem under it, always gets the remote and local address pointers for potential logging. The local address allows us to know which interface an authentication is on Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add "auth_description" to allow logs to distinguish simple bind (etc)Andrew Bartlett2017-03-291-0/+1
| | | | | | | | | This will allow the authentication log to indicate clearly how the password was supplied to the server. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* gensec: Pass service_description into auth_usersuppliedinfo during NTLMSSPAndrew Bartlett2017-03-291-0/+2
| | | | | | | | | This allows the GENSEC service description to be read at authentication time for logging, eg that the user authenticated to the SAMR server Signed-off-by: Andrew Bartlett <abartlet@samba.org> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: Add SID_NT_NTLM_AUTHENTICATION / S-1-5-64-10 to the token during NTLM authAndrew Bartlett2017-03-271-0/+1
| | | | | | | | | So far this is only on the AD DC Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz> Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz> Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* auth: let auth4_context->check_ntlm_password() return pauthoritativeStefan Metzmacher2017-03-241-0/+3
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=2976 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* Correct "intialise" typos.Chris Lamb2017-02-221-1/+1
| | | | | | Signed-off-by: Chris Lamb <chris@chris-lamb.co.uk> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* ntlmssp: fix compilation with -O2 -fno-inlineDouglas Bagnall2017-02-101-0/+4
| | | | | | | | | | | Without inlining the function, GCC doesn't know that gensec_ntlmssp->ntlmssp_state->role always has a valid value. With inlining, this is obviously redundant but GCC clearly knows enough to detect this and elide the default case. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: always allow NTLMSSP_NEGOTIATE_{SIGN,SEAL} in ↵Stefan Metzmacher2016-10-261-0/+8
| | | | | | | | gensec_ntlmssp_server_start() Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
* auth/ntlmssp: add ntlmssp_{client,server}:force_old_spnego option for testingStefan Metzmacher2016-04-282-0/+10
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11849 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: do map to guest checking after the authenticationStefan Metzmacher2016-04-282-15/+41
| | | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: don't require NTLMSSP_SIGN for smb connectionsStefan Metzmacher2016-04-281-1/+4
| | | | | | | | | | Enforcement of SMB signing is done at the SMB layer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: don't require any flags in the ccache_resume codeStefan Metzmacher2016-04-281-6/+1
| | | | | | | | | | | ntlmssp_client_challenge() already checks for required flags before asking winbindd. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11850 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC ↵Stefan Metzmacher2016-04-122-5/+202
| | | | | | | | | | | | | | | generation (as client) We now detect a MsvAvTimestamp in target info as indication of the server to support NTLMSSP_MIC in the AUTH_MESSAGE. If the client uses NTLMv2 we provide NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and valid MIC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC ↵Stefan Metzmacher2016-04-124-12/+367
| | | | | | | | | | | | | | | | checking (as server) We now include a MsvAvTimestamp in our target info as indication for the client to include a NTLMSSP_MIC in the AUTH_MESSAGE. If the client uses NTLMv2 we check NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE and require a valid MIC. This is still disabled if the "map to guest" feature is used. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/credentials: pass server_timestamp to ↵Stefan Metzmacher2016-04-121-2/+3
| | | | | | | | | cli_credentials_get_ntlm_response() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: implement gensec_ntlmssp_may_reset_crypto()Stefan Metzmacher2016-04-123-12/+55
| | | | | | | | | | | | | | | [MS-SPNG] requires the NTLMSSP RC4 states to be reset after the SPNEGO exchange with mechListMic verification (new_spnego). The 'reset_full' parameter is needed to support the broken behavior that windows only resets the RC4 states but not the sequence numbers. Which means this functionality is completely useless... But we want to work against all windows versions... BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide ↵Stefan Metzmacher2016-04-122-2/+2
| | | | | | | | | | | | | | | | GENSEC_FEATURE_SIGN It's important to check if got the GENSEC_FEATURE_SIGN and if the caller wanted it. The caller may only asked for GENSEC_FEATURE_SESSION_KEY which implicitly negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN to the SPNEGO glue code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 ↵Stefan Metzmacher2016-04-121-1/+1
| | | | | | | | | (EXTENDED_SESSIONSECURITY) when using ntlmv2 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags ↵Stefan Metzmacher2016-04-121-8/+10
| | | | | | | | | depending on the requested features BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ↵Stefan Metzmacher2016-04-123-9/+21
| | | | | | | | | | | | ntlmssp_state->use_ntlmv2 ntlmssp_handle_neg_flags() can only disable flags, but not set them. All supported flags are set at start time. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTHStefan Metzmacher2016-04-121-0/+2
| | | | | | | | | | | | | | | man smb.conf says "client ntlmv2 auth = yes" the default disables, "client lanman auth = yes": ... Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2 logins will be attempted. ... BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_keyStefan Metzmacher2016-04-123-4/+10
| | | | | | | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variablesStefan Metzmacher2016-04-124-0/+31
| | | | | | | | | We now give an error when required flags are missing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUSStefan Metzmacher2016-04-124-18/+33
| | | | | | | | | | In future we can do a more fine granted negotiation and assert specific security features. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAPStefan Metzmacher2016-03-101-44/+5
| | | | | | | | This is now handled by GENSEC_FEATURE_LDAP_STYLE. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Günther Deschner <gd@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLEStefan Metzmacher2016-03-101-0/+8
| | | | | | | | | | We want also work against old Samba servers which didn't had GENSEC_FEATURE_LDAP_STYLE we negotiate SEAL too. We may remove this in a few years. As all servers should support GENSEC_FEATURE_LDAP_STYLE by then. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLEStefan Metzmacher2016-03-104-0/+36
| | | | | | | | | | | | | We need to handle NTLMSSP_NEGOTIATE_SIGN as NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE is requested. This works arround a bug in Windows, which allow signed only messages using NTLMSSP and LDAP. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().Günther Deschner2016-03-102-10/+34
| | | | | | | | Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Günther Deschner <gd@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* auth/ntlmssp: use ntlmssp_version_blob() in the serverStefan Metzmacher2016-03-101-26/+1
| | | | | | | | | | We already set NTLMSSP_NEGOTIATE_VERSION in gensec_ntlmssp_server_start(), so it's always set in chal_flags. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSIONStefan Metzmacher2016-03-101-6/+11
| | | | | | | | This matches a modern Windows client. Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
* auth/ntlmssp: add ntlmssp_version_blob()Stefan Metzmacher2016-03-102-0/+36
| | | | | | Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
View Lorry Controller Status