From 31e168958987826ab7cce61b854daf2a8f3f2adb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 9 May 2018 13:30:13 +0200
Subject: [PATCH 1/3] auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option

This will be used to similate a Windows client only using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection, which is indicated internally by GENSEC_FEATURE_LDAP_STYLE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit 7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d)
---
 auth/ntlmssp/ntlmssp_client.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index db2003f0d6b..54fda41b534 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -865,13 +865,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
 * is requested.
 */
 ntlmssp_state->force_wrap_seal = true;
- /*
- * We want also work against old Samba servers
- * which didn't had GENSEC_FEATURE_LDAP_STYLE
- * we negotiate SEAL too. We may remove this
- * in a few years. As all servers should have
- * GENSEC_FEATURE_LDAP_STYLE by then.
- */
+ }
+ }
+ if (ntlmssp_state->force_wrap_seal) {
+ bool ret;
+
+ /*
+ * We want also work against old Samba servers
+ * which didn't had GENSEC_FEATURE_LDAP_STYLE
+ * we negotiate SEAL too. We may remove this
+ * in a few years. As all servers should have
+ * GENSEC_FEATURE_LDAP_STYLE by then.
+ */
+ ret = gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_client",
+ "ldap_style_send_seal",
+ true);
+ if (ret) {
 ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL;
 }
 }
-- 
2.14.3
From 1734791570ff0eb57a04fef779a093c20c83ed9d Mon Sep 17 00:00:00 2001
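Review bot: The comment above the new `gensec_setting_bool()` call still carries only the old-Samba-server rationale and says nothing about what the `ntlmssp_client:ldap_style_send_seal` option itself is for, so a reader of gensec_ntlmssp_client_start() cannot tell that setting it to `no` deliberately produces a SIGN-only NTLMSSP negotiation on an LDAP-style connection (the Windows-client simulation the commit message describes), and presumably loses interoperability with the older servers the comment mentions. I would add `/* ldap_style_send_seal = no simulates a Windows client that negotiates NTLMSSP_NEGOTIATE_SIGN only; keep the default against servers without GENSEC_FEATURE_LDAP_STYLE. */` directly above the call. The separate `bool ret;` plus assignment could also become `bool send_seal = gensec_setting_bool(...)` so the name says what the setting controls rather than that it is a return value. gensec_ntlmssp_client_start() starts before this hunk and continues after it.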
From: Stefan Metzmacher
Date: Wed, 9 May 2018 13:33:05 +0200
Subject: [PATCH 2/3] s4:selftest: run test_ldb_simple.sh with more auth options

This demonstrates the broken GENSEC_FEATURE_LDAP_STYLE handling in our LDAP server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
(cherry picked from commit fc1c5bd3be2c3f90eab2f31e43cf053f7ff13782)
---
 selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 +
 source4/selftest/tests.py | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal

diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
new file mode 100644
index 00000000000..0cd7cc2ea39
--- /dev/null
+++ b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
@@ -0,0 +1 @@
+^samba4.ldb.simple.ldap.*ldap_style_send_seal=no
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 621a61347bc..226617f3b6a 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -116,6 +116,13 @@ for env in ["ad_dc_ntvfs", "fl2008r2dc", "fl2003dc"]:
 '--option=clientldapsaslwrapping=plain',
 '--sign',
 '--encrypt',
+ '-k yes --option=clientldapsaslwrapping=plain',
+ '-k yes --sign',
+ '-k yes --encrypt',
+ '-k no --option=clientldapsaslwrapping=plain',
+ '-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no',
+ '-k no --sign',
+ '-k no --encrypt',
 ]
 for auth_option in auth_options:
-- 
2.14.3
From 4b612bcfb938a49b2725e913a95004bd9fa6c3c3 Mon Sep 17 00:00:00 2001
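Review bot: The new `'-k no --sign --option=ntlmssp_client:ldap_style_send_seal=no'` entry is the only one of the seven added options that flips a non-default client setting, and nothing in the list says why it is there, so a reader of tests.py cannot tell that it is the case meant to reproduce a Windows client that negotiates NTLMSSP signing only (the case the matching knownfail entry in this same patch covers). I would put `# ldap_style_send_seal=no: client negotiates NTLMSSP_NEGOTIATE_SIGN only, as Windows does on LDAP` on the line above that entry. The auth_options list starts before this hunk.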
From: Stefan Metzmacher
Date: Mon, 7 May 2018 14:50:27 +0200
Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE as a server

This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!" error messages, which were generated if the client only sends NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection.

This fixes a regession in the combination of commits 77adac8c3cd2f7419894d18db735782c9646a202 and 3a0b835408a6efa339e8b34333906bfe3aacd6e3.

We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end of the authentication (as a server, while we already do so at the beginning as a client).

As a reminder I introduced GENSEC_FEATURE_LDAP_STYLE (as an internal flag) in order to let us work as a Windows using NTLMSSP for LDAP. Even if only signing is negotiated during the authentication the following PDUs will still be encrypted if NTLMSSP is used. This is exactly the same as if the client would have negotiated NTLMSSP_NEGOTIATE_SEAL. I guess it's a bug in Windows, but we have to reimplement that bug.

Note this only applies to NTLMSSP and only to LDAP! Signing only works fine for LDAP with Kerberos or DCERPC and NTLMSSP.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett

Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Wed May 16 03:26:03 CEST 2018 on sn-devel-144
(cherry picked from commit c7a3ce95ac4ce837d8fde36578b3b1f56c3ac2fa)
---
 auth/ntlmssp/gensec_ntlmssp_server.c | 19 -------------------
 auth/ntlmssp/ntlmssp_server.c | 8 ++++++++
 selftest/knownfail.d/ntlmssp_ldap_style_send_seal | 1 -
 3 files changed, 8 insertions(+), 20 deletions(-)
 delete mode 100644 selftest/knownfail.d/ntlmssp_ldap_style_send_seal

diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index c0e6cff5952..ab92f4d0c09 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -179,25 +179,6 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
- if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
-
- if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
- /*
- * We need to handle NTLMSSP_NEGOTIATE_SIGN as
- * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
- * is requested.
- */
- ntlmssp_state->force_wrap_seal = true;
- }
- }
- if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
- }
 if (role == ROLE_STANDALONE) {
 ntlmssp_state->server.is_standalone = true;
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 37ed2bc9565..140e89daeb1 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -1080,6 +1080,14 @@ static NTSTATUS ntlmssp_server_postauth(struct gensec_security *gensec_security,
 data_blob_free(&ntlmssp_state->challenge_blob);
 if (gensec_ntlmssp_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ if (gensec_security->want_features & GENSEC_FEATURE_LDAP_STYLE) {
+ /*
+ * We need to handle NTLMSSP_NEGOTIATE_SIGN as
+ * NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
+ * is requested.
+ */
+ ntlmssp_state->force_wrap_seal = true;
+ }
 nt_status = ntlmssp_sign_init(ntlmssp_state);
 }
diff --git a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal b/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
deleted file mode 100644
index 0cd7cc2ea39..00000000000
--- a/selftest/knownfail.d/ntlmssp_ldap_style_send_seal
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldb.simple.ldap.*ldap_style_send_seal=no
-- 
2.14.3
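Review bot: The comment moved into ntlmssp_server_postauth() explains the mechanism but not the reason the commit message gives, which is the part a future maintainer needs before touching this: Windows NTLMSSP LDAP clients seal the following PDUs even when only NTLMSSP_NEGOTIATE_SIGN was negotiated, and a server that does not mirror that rejects every packet with the "NTLMSSP NTLM2 packet check failed due to invalid signature!" error this patch fixes. I would extend the block comment with `* Windows LDAP clients seal the following PDUs even if only NTLMSSP_NEGOTIATE_SIGN was negotiated; mirror that here (NTLMSSP on LDAP only, see bug 13427).` The point of moving the assignment out of gensec_ntlmssp_server_start() is presumably that `force_wrap_seal` must be set after the flags are final but before `ntlmssp_sign_init()` consumes them, so a one-line note that the assignment has to stay ahead of the `ntlmssp_sign_init()` call would protect that ordering against a later reshuffle. ntlmssp_server_postauth() begins before the hunk and continues after it.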