]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - src/patches/samba/samba-3.6.99-fix_smbclient_ntlmv2_auth.patch
projects / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
samba: add current RHEL6 patches
[ipfire-2.x.git] / src / patches / samba / samba-3.6.99-fix_smbclient_ntlmv2_auth.patch
diff --git a/src/patches/samba/samba-3.6.99-fix_smbclient_ntlmv2_auth.patch b/src/patches/samba/samba-3.6.99-fix_smbclient_ntlmv2_auth.patch
new file mode 100644 (file)
index 0000000..4f136e5
--- /dev/null
+++ b/src/patches/samba/samba-3.6.99-fix_smbclient_ntlmv2_auth.patch
@@ -0,0 +1,116 @@
+From b413a09fa5b927102655a8332e95a64a80e57825 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 21 Jul 2011 21:15:38 +0200
+Subject: [PATCH 1/2] PATCHSET19: s3:libsmb: don't pass cli->called.name to
+ NTLMv2_generate_names_blob()
+
+cli->called.name is never initialized, so this change doesn't change
+the behavior. And this behavior seems to be correct, see
+commit 29c0c37691da10bf061ba90a5b31482bda2fa486
+s4/libcli: do not use netbios name in NTLMv2 blobs w/o spnego.
+
+metze
+
+(cherry picked from commit 392ddf970c8f8486e79eec5214ed49912e344e09)
+---
+ source3/libsmb/cliconnect.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 8653ba7..38ae230 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -862,11 +862,11 @@ static struct tevent_req *cli_session_setup_nt1_send(
+                       /*
+                        * note that the 'workgroup' here is a best
+                        * guess - we don't know the server's domain
+-                       * at this point.  The 'server name' is also
+-                       * dodgy...
++                       * at this point. Windows clients also don't
++                       * use hostname...
+                        */
+                       names_blob = NTLMv2_generate_names_blob(
+-                              NULL, cli->called.name, workgroup);
++                              NULL, NULL, workgroup);
+                       if (tevent_req_nomem(names_blob.data, req)) {
+                               return tevent_req_post(req, ev);
+-- 
+2.1.0
+
+
+From 1415733b6cfeba129e1459ef55a0a12a5dec0fa3 Mon Sep 17 00:00:00 2001
+From: Christian Ambach <christian.ambach@de.ibm.com>
+Date: Thu, 7 Apr 2011 14:05:04 +0200
+Subject: [PATCH 2/2] PATCHSET19: s4/libcli: do not use netbios name in NTLMv2
+ blobs w/o spnego
+
+I have seen domain controllers rejecting NTLMv2 blobs presented to
+NetrLogonSamLogonEx with LOGON_FAILURE when the MsvAvNbComputerName
+was a FQDN or an IP address
+
+I have not seen this field in NTLMv2 blobs send by Windows clients
+when extended security was not available, so omitting the field
+makes Samba similar to Windows.
+
+This prevents errors with some smbtorture testcases that disable
+spnego and when a target name is specified that is not a valid
+netbios name.
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User: Andrew Bartlett <abartlet@samba.org>
+Autobuild-Date: Thu Apr 14 02:19:08 CEST 2011 on sn-devel-104
+(cherry picked from commit 29c0c37691da10bf061ba90a5b31482bda2fa486)
+---
+ source4/libcli/smb_composite/sesssetup.c | 26 ++++++++++++++++++++++----
+ 1 file changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c
+index e1159a4..ebc3598 100644
+--- a/source4/libcli/smb_composite/sesssetup.c
++++ b/source4/libcli/smb_composite/sesssetup.c
+@@ -280,8 +280,17 @@ static NTSTATUS session_setup_nt1(struct composite_context *c,
+                                 struct smbcli_request **req) 
+ {
+       NTSTATUS nt_status = NT_STATUS_INTERNAL_ERROR;
+-      struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
+-      DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, cli_credentials_get_domain(io->in.credentials));
++      struct sesssetup_state *state = talloc_get_type(c->private_data,
++                                                      struct sesssetup_state);
++      const char *domain = cli_credentials_get_domain(io->in.credentials);
++
++      /*
++       * domain controllers tend to reject the NTLM v2 blob
++       * if the netbiosname is not valid (e.g. IP address or FQDN)
++       * so just leave it away (as Windows client do)
++       */
++      DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, NULL, domain);
++
+       DATA_BLOB session_key = data_blob(NULL, 0);
+       int flags = CLI_CRED_NTLM_AUTH;
+@@ -353,9 +362,18 @@ static NTSTATUS session_setup_old(struct composite_context *c,
+                                 struct smbcli_request **req) 
+ {
+       NTSTATUS nt_status;
+-      struct sesssetup_state *state = talloc_get_type(c->private_data, struct sesssetup_state);
++      struct sesssetup_state *state = talloc_get_type(c->private_data,
++                                                      struct sesssetup_state);
+       const char *password = cli_credentials_get_password(io->in.credentials);
+-      DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, session->transport->socket->hostname, cli_credentials_get_domain(io->in.credentials));
++      const char *domain = cli_credentials_get_domain(io->in.credentials);
++
++      /*
++       * domain controllers tend to reject the NTLM v2 blob
++       * if the netbiosname is not valid (e.g. IP address or FQDN)
++       * so just leave it away (as Windows client do)
++       */
++      DATA_BLOB names_blob = NTLMv2_generate_names_blob(state, NULL, domain);
++
+       DATA_BLOB session_key;
+       int flags = 0;
+       if (session->options.lanman_auth) {
+-- 
+2.1.0
+
IPFire 2.x development tree