samba: samba-team#1 apply redhat hot fix for samba-4.2.10

auth/gensec/spnego.c

@@ -59,6 +59,8 @@ struct spnego_state {
 	bool needs_mic_check;
 	bool done_mic_check;
 
+	bool simulate_w2k;
+
 	/*
 	 * The following is used to implement
 	 * the update token fragmentation
@@ -88,6 +90,9 @@ static NTSTATUS gensec_spnego_client_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
@@ -109,6 +114,9 @@ static NTSTATUS gensec_spnego_server_start(struct gensec_security *gensec_securi
 	spnego_state->out_max_length = gensec_max_update_size(gensec_security);
 	spnego_state->out_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
 
+	spnego_state->simulate_w2k = gensec_setting_bool(gensec_security->settings,
+						"spnego", "simulate_w2k", false);
+
 	gensec_security->private_data = spnego_state;
 	return NT_STATUS_OK;
 }
@@ -661,7 +669,7 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
 	talloc_free(spnego_state->sub_sec_security);
 	spnego_state->sub_sec_security = NULL;
 
-	DEBUG(1, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
+	DEBUG(10, ("Failed to setup SPNEGO negTokenInit request: %s\n", nt_errstr(nt_status)));
 	return nt_status;
 }
 
@@ -775,11 +783,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 								     spnego.negTokenInit.mechToken, 
 								     &unwrapped_out);
 
+			if (spnego_state->simulate_w2k) {
+				/*
+				 * Windows 2000 returns the unwrapped token
+				 * also in the mech_list_mic field.
+				 *
+				 * In order to verify our client code,
+				 * we need a way to have a server with this
+				 * broken behaviour
+				 */
+				mech_list_mic = unwrapped_out;
+			}
+
 			nt_status = gensec_spnego_server_negTokenTarg(spnego_state,
 								      out_mem_ctx,
 								      nt_status,
 								      unwrapped_out,
-								      null_data_blob,
+								      mech_list_mic,
 								      out);
 
 			spnego_free_data(&spnego);
@@ -885,6 +905,7 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 	case SPNEGO_SERVER_TARG:
 	{
 		NTSTATUS nt_status;
+		bool have_sign = true;
 		bool new_spnego = false;
 
 		if (!in.length) {
@@ -947,18 +968,23 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			goto server_response;
 		}
 
+		have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+						GENSEC_FEATURE_SIGN);
+		if (spnego_state->simulate_w2k) {
+			have_sign = false;
+		}
 		new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 						 GENSEC_FEATURE_NEW_SPNEGO);
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			new_spnego = true;
 		}
 
-		if (new_spnego) {
+		if (have_sign && new_spnego) {
 			spnego_state->needs_mic_check = true;
 			spnego_state->needs_mic_sign = true;
 		}
 
-		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+		if (have_sign && spnego.negTokenTarg.mechListMIC.length > 0) {
 			nt_status = gensec_check_packet(spnego_state->sub_sec_security,
 							spnego_state->mech_types.data,
 							spnego_state->mech_types.length,
@@ -1077,6 +1103,24 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			};
 		}
 
+		if (spnego.negTokenTarg.mechListMIC.length > 0) {
+			DATA_BLOB *m = &spnego.negTokenTarg.mechListMIC;
+			const DATA_BLOB *r = &spnego.negTokenTarg.responseToken;
+
+			/*
+			 * Windows 2000 has a bug, it repeats the
+			 * responseToken in the mechListMIC field.
+			 */
+			if (m->length == r->length) {
+				int cmp;
+
+				cmp = memcmp(m->data, r->data, m->length);
+				if (cmp == 0) {
+					data_blob_free(m);
+				}
+			}
+		}
+
 		if (spnego.negTokenTarg.mechListMIC.length > 0) {
 			if (spnego_state->no_response_expected) {
 				spnego_state->needs_mic_check = true;
@@ -1124,8 +1168,14 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 		if (spnego_state->no_response_expected &&
 		    !spnego_state->done_mic_check)
 		{
+			bool have_sign = true;
 			bool new_spnego = false;
 
+			have_sign = gensec_have_feature(spnego_state->sub_sec_security,
+							GENSEC_FEATURE_SIGN);
+			if (spnego_state->simulate_w2k) {
+				have_sign = false;
+			}
 			new_spnego = gensec_have_feature(spnego_state->sub_sec_security,
 							 GENSEC_FEATURE_NEW_SPNEGO);
 
@@ -1152,16 +1202,12 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 			}
 
 			if (spnego_state->mic_requested) {
-				bool sign;
-
-				sign = gensec_have_feature(spnego_state->sub_sec_security,
-							   GENSEC_FEATURE_SIGN);
-				if (sign) {
+				if (have_sign) {
 					new_spnego = true;
 				}
 			}
 
-			if (new_spnego) {
+			if (have_sign && new_spnego) {
 				spnego_state->needs_mic_check = true;
 				spnego_state->needs_mic_sign = true;
 			}

auth/ntlmssp/gensec_ntlmssp_server.c

@@ -130,20 +130,13 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 		ntlmssp_state->allow_lm_key = true;
 	}
 
-	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
-		/*
-		 * map to guest is not secure anyway, so
-		 * try to make it work and don't try to
-		 * negotiate new_spnego and MIC checking
-		 */
-		ntlmssp_state->force_old_spnego = true;
-	}
+	ntlmssp_state->force_old_spnego = false;
 
-	if (role == ROLE_ACTIVE_DIRECTORY_DC) {
+	if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "force_old_spnego", false)) {
 		/*
-		 * map to guest is not supported on an AD DC.
+		 * For testing Windows 2000 mode
 		 */
-		ntlmssp_state->force_old_spnego = false;
+		ntlmssp_state->force_old_spnego = true;
 	}
 
 	ntlmssp_state->neg_flags =

auth/ntlmssp/ntlmssp_client.c

@@ -172,19 +172,14 @@ NTSTATUS gensec_ntlmssp_resume_ccache(struct gensec_security *gensec_security,
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
 		gensec_security->want_features |= GENSEC_FEATURE_SIGN;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 
 	if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
 		gensec_security->want_features |= GENSEC_FEATURE_SEAL;
-
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 	}
 
-	ntlmssp_state->neg_flags |= ntlmssp_state->required_flags;
 	ntlmssp_state->conf_flags = ntlmssp_state->neg_flags;
+	ntlmssp_state->required_flags = 0;
 
 	if (DEBUGLEVEL >= 10) {
 		struct NEGOTIATE_MESSAGE *negotiate = talloc(
@@ -789,6 +784,9 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 
 	ntlmssp_state->use_ntlmv2 = lpcfg_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
 
+	ntlmssp_state->force_old_spnego = gensec_setting_bool(gensec_security->settings,
+						"ntlmssp_client", "force_old_spnego", false);
+
 	ntlmssp_state->expected_state = NTLMSSP_INITIAL;
 
 	ntlmssp_state->neg_flags =
@@ -848,8 +846,11 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 		 * Without this, Windows will not create the master key
 		 * that it thinks is only used for NTLMSSP signing and
 		 * sealing.  (It is actually pulled out and used directly)
+		 *
+		 * We don't require this here as some servers (e.g. NetAPP)
+		 * doesn't support this.
 		 */
-		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;
+		ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 	}
 	if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
 		ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SIGN;

auth/ntlmssp/ntlmssp_server.c

@@ -31,6 +31,9 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
 
 /**
  * Determine correct target name flags for reply, given server role
@@ -698,6 +701,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 	struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
 	struct auth4_context *auth_context = gensec_security->auth_context;
 	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+	struct auth_session_info *session_info = NULL;
 	struct auth_usersupplied_info *user_info;
 
 	user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -734,6 +738,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
+	if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+	    && auth_context->generate_session_info != NULL)
+	{
+		NTSTATUS tmp_status;
+
+		/*
+		 * We need to check if the auth is anonymous or mapped to guest
+		 */
+		tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+								 gensec_ntlmssp->server_returned_info,
+								 gensec_ntlmssp->ntlmssp_state->user,
+								 AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+								 &session_info);
+		if (!NT_STATUS_IS_OK(tmp_status)) {
+			/*
+			 * We don't care about failures,
+			 * the worst result is that we try MIC checking
+			 * for a map to guest authentication.
+			 */
+			TALLOC_FREE(session_info);
+		}
+	}
+
+	if (session_info != NULL) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+			/*
+			 * Anonymous and GUEST are not secure anyway.
+			 * avoid new_spnego and MIC checking.
+			 */
+			ntlmssp_state->new_spnego = false;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+			ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+		}
+		TALLOC_FREE(session_info);
+	}
+
 	talloc_steal(mem_ctx, user_session_key->data);
 	talloc_steal(mem_ctx, lm_session_key->data);
 

docs-xml/smbdotconf/base/netbiosname.xml

@@ -11,6 +11,8 @@
 		the hosts DNS name) will be the name that these services are advertised under.
 		</para>
 
+		<para>Note that the maximum length for a NetBIOS name is 15 charactars.</para>
+
 		<para>
 		There is a bug in Samba that breaks operation of browsing and access to shares if the netbios name
 		is set to the literal name <literal>PIPE</literal>. To avoid this problem, do not name your Samba

lib/krb5_wrap/krb5_samba.c

@@ -2388,12 +2388,12 @@ static char *smb_krb5_get_default_realm_from_ccache(TALLOC_CTX *mem_ctx)
 		"Trying to read krb5 cache: %s\n",
 		krb5_cc_default_name(ctx)));
 	if (krb5_cc_default(ctx, &cc)) {
-		DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
 			"failed to read default cache\n"));
 		goto out;
 	}
 	if (krb5_cc_get_principal(ctx, cc, &princ)) {
-		DEBUG(0,("kerberos_get_default_realm_from_ccache: "
+		DEBUG(5,("kerberos_get_default_realm_from_ccache: "
 			"failed to get default principal\n"));
 		goto out;
 	}

libcli/auth/msrpc_parse.c

@@ -262,7 +262,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx,
 
 			ps = va_arg(ap, char **);
 			if (len1 == 0 && len2 == 0) {
-				*ps = (char *)discard_const("");
+				*ps = talloc_strdup(mem_ctx, "");
+				if (*ps == NULL) {
+					ret = false;
+					goto cleanup;
+				}
 			} else {
 				/* make sure its in the right format - be strict */
 				if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
@@ -289,7 +293,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx,
 						goto cleanup;
 					}
 				} else {
-					(*ps) = (char *)discard_const("");
+					*ps = talloc_strdup(mem_ctx, "");
+					if (*ps == NULL) {
+						ret = false;
+						goto cleanup;
+					}
 				}
 			}
 			break;
@@ -302,7 +310,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx,
 			ps = (char **)va_arg(ap, char **);
 			/* make sure its in the right format - be strict */
 			if (len1 == 0 && len2 == 0) {
-				*ps = (char *)discard_const("");
+				*ps = talloc_strdup(mem_ctx, "");
+				if (*ps == NULL) {
+					ret = false;
+					goto cleanup;
+				}
 			} else {
 				if ((len1 != len2) || (ptr + len1 < ptr) || (ptr + len1 < len1) || (ptr + len1 > blob->length)) {
 					ret = false;
@@ -325,7 +337,11 @@ bool msrpc_parse(TALLOC_CTX *mem_ctx,
 						goto cleanup;
 					}
 				} else {
-					(*ps) = (char *)discard_const("");
+					*ps = talloc_strdup(mem_ctx, "");
+					if (*ps == NULL) {
+						ret = false;
+						goto cleanup;
+					}
 				}
 			}
 			break;

libcli/security/security_token.c

@@ -130,6 +130,11 @@ bool security_token_has_sid_string(const struct security_token *token, const cha
 	return ret;
 }
 
+bool security_token_has_builtin_guests(const struct security_token *token)
+{
+	return security_token_has_sid(token, &global_sid_Builtin_Guests);
+}
+
 bool security_token_has_builtin_administrators(const struct security_token *token)
 {
 	return security_token_has_sid(token, &global_sid_Builtin_Administrators);

libcli/security/security_token.h

@@ -51,6 +51,8 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
 
 bool security_token_has_sid_string(const struct security_token *token, const char *sid_string);
 
+bool security_token_has_builtin_guests(const struct security_token *token);
+
 bool security_token_has_builtin_administrators(const struct security_token *token);
 
 bool security_token_has_nt_authenticated_users(const struct security_token *token);

libcli/security/session.c

@@ -38,6 +38,10 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
 		return SECURITY_ANONYMOUS;
 	}
 
+	if (security_token_has_builtin_guests(session_info->security_token)) {
+		return SECURITY_GUEST;
+	}
+
 	if (security_token_has_builtin_administrators(session_info->security_token)) {
 		return SECURITY_ADMINISTRATOR;
 	}