git.ipfire.org Git - thirdparty/samba.git/log

CVE-2016-2110: auth/ntlmssp: call ntlmssp_sign_init if we provide GENSEC_FEATURE_SIGN

It's important to check if got the GENSEC_FEATURE_SIGN and if the caller
wanted it.

The caller may only asked for GENSEC_FEATURE_SESSION_KEY which implicitly
negotiates NTLMSSP_NEGOTIATE_SIGN, which might indicate GENSEC_FEATURE_SIGN
to the SPNEGO glue code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/gensec: add gensec_may_reset_crypto() infrastructure

[MS-SPNG] requires the NTLMSSP RC4 states to be reset after
the SPNEGO exchange with mechListMic verification (new_spnego).

This provides the infrastructure for this feature.

The 'reset_full' parameter is needed to support the broken
behavior that windows only resets the RC4 states but not the
sequence numbers. Which means this functionality is completely
useless... But we want to work against all windows versions...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/gensec: require spnego mechListMIC exchange for new_spnego backends

This used to work more or less before, but only for krb5 with the
server finishing first.

With NTLMSSP and new_spnego the client will finish first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/gensec: fix the client side of a spnego downgrade

New servers response with SPNEGO_REQUEST_MIC instead of
SPNEGO_ACCEPT_INCOMPLETE to a downgrade.

With just KRB5 and NTLMSSP this doesn't happen, but we
want to be prepared for the future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/gensec: fix the client side of a new_spnego exchange

Even for SMB where the server provides its mech list,
the client needs to remember its own mech list for the
mechListMIC calculation.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: libcli/auth: add SPNEGO_REQUEST_MIC to enum spnego_negResult

This is defined in http://www.ietf.org/rfc/rfc4178.txt.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: libcli/auth: use enum spnego_negResult instead of uint8_t

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: winbindd: add new_spnego to the WINBINDD_CCACHE_NTLMAUTH response

We don't need to change the protocol version because:

1. An old client may provide the "initial_blob"
   (which was and is still ignored when going
   via the wbcCredentialCache() function)
   and the new winbindd won't use new_spnego.

2. A new client will just get a zero byte
   from an old winbindd. As it uses talloc_zero() to
   create struct winbindd_response.

3. Changing the version number would introduce problems
   with backports to older Samba versions.

New clients which are capable of using the new_spnego field
will use "negotiate_blob" instead of "initial_blob".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require NTLM2 (EXTENDED_SESSIONSECURITY) when using ntlmv2

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/ntlmssp: let gensec_ntlmssp_client_start require flags depending on the requested features

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/ntlmssp: don't let ntlmssp_handle_neg_flags() change ntlmssp_state->use_ntlmv2

ntlmssp_handle_neg_flags() can only disable flags, but not
set them. All supported flags are set at start time.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/ntlmssp: don't allow a downgrade from NTLMv2 to LM_AUTH

man smb.conf says "client ntlmv2 auth = yes" the default disables,
"client lanman auth = yes":

  ...
  Likewise, if the client ntlmv2 auth parameter is enabled, then only NTLMv2
  logins will be attempted.
  ...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/ntlmssp: split allow_lm_response from allow_lm_key

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/ntlmssp: maintain conf_flags and required_flags variables

We now give an error when required flags are missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110: auth/ntlmssp: let ntlmssp_handle_neg_flags() return NTSTATUS

In future we can do a more fine granted negotiation
and assert specific security features.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

CVE-2016-2110(<=4.2): s4:winbind: implement the WBFLAG_BIG_NTLMV2_BLOB flag

NTLMv2 blobs can become large...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>

s3:ntlm_auth: pass manage_squid_request() needs a valid struct ntlm_auth_state from within get_password()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Mar 22 19:20:38 CET 2016 on sn-devel-144

(cherry picked from commit ef1ad0e122659b5ff9097f0f7046f10fc2f3ec30)

s3:rpc_server/samr: correctly handle session_extract_session_key() failures

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0906d61bb2f3446483d82928b55f5b797bac4804)

s4:selftest: run rpc.netlogon.admin also over ncalrpc and ncacn_ip_tcp

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Mar 18 12:39:51 CET 2016 on sn-devel-144

(cherry picked from commit e8e2386bf6bd05c60a0f897587a9a676c86dee76)

libads: Fix CID 1356316 Uninitialized pointer read

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit dcaa88158e6f0a9964ad051b4062d82e9f279b8c)

libsmb: Fix CID 1356312 Explicit null dereferenced

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit f50c3fb1c58700522f1b742539dab9bd9ae7fd39)

s3-auth: check for return code of cli_credentials_set_machine_account().

Guenther

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 17 20:43:19 CET 2016 on sn-devel-144

(cherry picked from commit c06058a99be4cf3ad3431dc263d4595ffc226fcf)

s4-smb_server: check for return code of cli_credentials_set_machine_account().

We keep anonymous server_credentials structure in order to let
the rpc.spoolss.notify start it's test server.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit fe93a09889a854d7c93f9b349d5794bdbb9403ba)

s4:rpc_server: require access to the machine account credentials

Even a standalone server should be selfjoined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 31f07d05629bc05ef99edc86ad2a3e95ec8599f1)

auth/gensec: split out a gensec_verify_dcerpc_auth_level() function

We only need this logic once.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 57946ac7c19c4e9bd8893c3acb9daf7c4bd02159)

auth/gensec: make sure gensec_security_by_auth_type() returns NULL for AUTH_TYPE_NONE

ops->auth_type == 0, means the backend doesn't support DCERPC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit cc3dea5a8104eef2cfd1f8c05e25da186c334320)

s4:torture/rpc/schannel: don't use validation level 6 without privacy

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 733ccd13209c20f8e76ae7b47e1741791c1cd6ba)

s4:torture/rpc: correctly use torture_skip() for test_ManyGetDCName() without NCACN_NP

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 50581689d924032de1765ec884dbd160652888be)

s4:torture/rpc/samlogon: use DCERPC_SEAL for netr_LogonSamLogonEx and validation level 6

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 050a1d0653716fd7c166d35a7236a014bf1d1516)

s4:torture/rpc/samr: use DCERPC_SEAL in setup_schannel_netlogon_pipe()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 26e5ef68188d2e44d42f75ed6aabf2557c9ce5ce)

s4:torture/netlogon: add/use test_SetupCredentialsPipe() helper function

This create a schannel connection to netlogon, this makes the tests
more realistic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 1a7d8b8602a687ff6eef45f15f597694e94e14b1)

s3:test_rpcclient_samlogon.sh: test samlogon with schannel

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f9a1915238dc7a573c58dd8c7bac3637689af265)

s3:selftest: rpc.samr.passwords.validate should run with [seal] in order to be realistic

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 2c36501640207604a5c66fb582c2d5981619147e)

selftest: setup information of new samba.example.com CA in the client environment

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit b00c38afc6203f1e1f566db31a63cedba632dfab)

selftest: set tls crlfile if it exist

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit b2c0f71db026353060ad47fd0a85241a3df8c703)

selftest: use Samba::prepare_keyblobs() and use the certs from the new CA

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit c321a59f267d1a997eff6f864a79437ef759adeb)

selftest: add Samba::prepare_keyblobs() helper function

This copies the certificates from the samba.example.com CA if they
exist.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit a6447fd6d010b525d235b894d5be62c807922cb5)

selftest: mark commands in manage-CA-samba.example.com.sh as DONE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 2a96885ac706ae3e7c6fd7aaff0215f3f171bc27)

selftest: add CA-samba.example.com (non-binary) files

The binary files will follow in the next, this allows the next
commit to be skipped as the binary files are not used by samba yet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 520c85a15fa1f4718e2e793303327abea22db149)

selftest: add config and script to create a samba.example.com CA

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit bdc1f036a8a66256afe8dc88f8a9dc47655640bd)

selftest: add some helper scripts to mange a CA

This is partly based on the SmartCard HowTo from:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit b0bdbeeef44259782c9941b5cfff7d4925e1f2f2)

selftest: s!plugindc.samba.example.com!plugindom.samba.example.com!

It's confusing to have plugindc.samba.example.com as domain name
and plugindc.plugindc.samba.example.com as hostname.

We now have plugindom.samba.example.com as domain name
and plugindc.plugindom.samba.example.com as hostname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit c561a42ff68bc4561147839e3a65951924f6af21)

s4:rpc_server: dcesrv_generic_session_key should only work on local transports

This matches modern Windows servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar 10 10:15:21 CET 2016 on sn-devel-144

(cherry picked from commit 645e777b0aca7d997867e0b3f0b48bfb138cc25c)

s4:rpc_server/samr: hide a possible NO_USER_SESSION_KEY error

Windows servers doesn't return the raw NT_STATUS_NO_USER_SESSION_KEY
error, but return WRONG_PASSWORD or even hide the error by using a random
session key, that results in an invalid, unknown, random NTHASH.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 58b33896b65c5b51486eaf01f5f935ace2369fd0)

s4:librpc/rpc: dcerpc_generic_session_key() should only be available on local transports

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 5a397216d40ff18fd1c0980cd9b7b7c0a970bbbb)

s4:torture:samba3rpc: use an authenticated SMB connection and an anonymous DCERPC connection on top

This is the only way to get a reliable transport session key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit af8c4ebf9be314ddd13ef9ca17a0237927dd2ede)

s4:selftest: run rpc.samr over ncacn_np instead of ncacn_ip_tcp

It requires a transport session key, which is only reliable available
over SMB.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f699eb3b1a0660ace3ca99d3f3b5d79ed5537c80)

s4:torture: the backupkey tests need to use ncacn_np: for LSA calls

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit c793b23ddb7c048110bc4718574e5b99d5bbcfae)

s4:torture/rpc: do testjoin only via ncalrpc or ncacn_np

ncacn_ip_tcp doesn't have the required session key.
It used to be the wellknown "SystemLibraryDTC" constant,
but that's not available in modern systems anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0400f301e3bcf495748cff009755426a040596fa)

s3:libsmb: remove unused functions in clispnego.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 14335018229801dd6d2b18f8d19ab5b45b8394fc)

s3:libsmb: remove unused cli_session_setup_kerberos*() functions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 95b953950d1fd454121ff23a43a8b13a34385ef1)

s3:libsmb: make use of cli_session_setup_gensec*() for Kerberos

This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0e1b2ebf884c6f2033b3b9aa7b6f72af54a716b2)

s3:libsmb: call cli_state_remote_realm() within cli_session_setup_spnego_send()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 907e2b1f665cdafc863f4702ede5dcf16e6cc269)

s3:libsmb: provide generic cli_session_setup_gensec_send/recv() pair

It will be possible to use this for more than just NTLMSSP in future.

This prepares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 285c342f01a6e9a892f03360f8d2d0097e7a41cb)

s3:libsmb: let cli_session_setup_ntlmssp*() use gensec_update_send/recv()

This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 576257f6e1488a623306dc368c806e218b1fcdf2)

s3:libsmb: unused ntlmssp.c

Everything uses the top level ntlmssp code via gensec now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit afffe797547a97ec839913e1ca89045989bbea49)

s3:libsmb: make use gensec based SPNEGO/NTLMSSP

This pares a fix for https://bugzilla.samba.org/show_bug.cgi?id=10288

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4f6fe27c7020822dd1ce88b7dd63725d6082b190)

s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9)

s3:libads: keep service and hostname separately in ads_service_principal

Caller will use them instead of the full principal in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c5d7956364047925dee5d6f71a5b92a38c73e5a6)

s3:libads: don't pass given_principal to ads_generate_service_principal() anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0c204e11925982d8bd835830985479792b8cc820)

s3:libads: provide a generic ads_sasl_spnego_gensec_bind() function

It will be possible to use this for more than just NTLMSSP in future.

Similar to https://bugzilla.samba.org/show_bug.cgi?id=10288

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 139ce7d8b687cc54560ce353ea6f86a4d2d2ae04)

s3:libads: make use of GENSEC_OID_SPNEGO in ads_sasl_spnego_ntlmssp_bind()

This avoids using the hand made spnego code, that
doesn't support the GENSEC_FEATURE_NEW_SPNEGO protection.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit c6f79cfa86e23217a510c6fe205da0c18ef2a9b2)

s3:libads: make use of GENSEC_FEATURE_LDAP_STYLE

This is more generic and will handle the
ntlmssp_[un]wrap() behaviour at the right level.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 357d37fa11b7d944e9f5fe2e0cc6730d498bc2dc)

s3:libads: add missing TALLOC_FREE(frame) in error path

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8f9a9633e4f55f85a3f68bf2e8c78414f31511ea)

s4:ldap_server: make use of GENSEC_FEATURE_LDAP_STYLE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 0ebe929810e922e7cf7742a1f3e4ad222006377f)

s4:selftest: simplify the loops over samba4.ldb.ldap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit c431543fb989938898e33e1ffdb80cb97e4a3bb2)

s4:selftest: we don't need to run ldap test with --option=socket:testnonblock=true

The LDAP client library uses tstream and that handles non blocking
sockets natively.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(similar to commit 5cf8546674a4f49618bdade1567fac00d72db454)

s4:libcli/ldap: fix retry authentication after a bad password

We need to start with an empty input buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit d9d0d2d5a2667ea8984772b678272650a8719c21)

s4:libcli/ldap: make use of GENSEC_FEATURE_LDAP_STYLE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit d04663b8b075a69141fe2f45d0906b528d99ab85)

auth/ntlmssp: remove ntlmssp_unwrap() fallback for LDAP

This is now handled by GENSEC_FEATURE_LDAP_STYLE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 59301830e27bf537d04808d2ac37d6cf9ef56713)

auth/ntlmssp: add more compat for GENSEC_FEATURE_LDAP_STYLE

We want also work against old Samba servers which didn't had
GENSEC_FEATURE_LDAP_STYLE we negotiate SEAL too. We may remove this in a few
years. As all servers should support GENSEC_FEATURE_LDAP_STYLE by then.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 122a5f6b58e6cead061a7ee64033ccc1940742ed)

auth/ntlmssp: implement GENSEC_FEATURE_LDAP_STYLE

We need to handle NTLMSSP_NEGOTIATE_SIGN as
NTLMSSP_NEGOTIATE_SEAL if GENSEC_FEATURE_LDAP_STYLE
is requested.

This works arround a bug in Windows, which allow signed only
messages using NTLMSSP and LDAP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f3dbe19e14eaf7a462f14485c6a9138a7348db2e)

auth/gensec: add GENSEC_FEATURE_LDAP_STYLE define

This will be used for LDAP connections and may trigger
backend specific behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 069aee42c2f12ed5feb23c19dc0a4771d913619a)

auth/ntlmssp: use ndr_push_AV_PAIR_LIST in gensec_ntlmssp_server_negotiate().

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Günther Deschner <gd@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f6b9e1feab8d435b1e44fef81e867c01ed01db95)

librpc/ndr: add ndr_ntlmssp_find_av() helper function

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit c1e2a1f0a75605a8792b615a41392fc018198a10)

ntlmssp.idl: make AV_PAIR_LIST public

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit f4ff3510164748977de056bb8cdbbd22e5fedb3c)

ntlmssp.idl: MsAvRestrictions is MsvAvSingleHost now

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit ab54e0fd7040e7717fe979b54fb4dfa16813524f)

security.idl: add LSAP_TOKEN_INFO_INTEGRITY

This is used in [MS-KILE] and implicit in [MS-NLMP].

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 1f88812316144b06b11eb3dc90a6081cb57783da)

auth/ntlmssp: use ntlmssp_version_blob() in the server

We already set NTLMSSP_NEGOTIATE_VERSION in
gensec_ntlmssp_server_start(), so it's always
set in chal_flags.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 8af6b8d2eb6b873620131b4b5b570ec24985d86a)

auth/ntlmssp: let the client always include NTLMSSP_NEGOTIATE_VERSION

This matches a modern Windows client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 4a1809cb14dcb03e9ba386af5b90650400377875)

auth/ntlmssp: add ntlmssp_version_blob()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit a61ab398ccc1036edce677e00569fd7f58b70995)

auth/ntlmssp: don't send domain and workstation in the NEGOTIATE_MESSAGE

We don't set NTLMSSP_NEGOTIATE_OEM_{DOMAIN,WORKSTATION}_SUPPLIED anyway.

This matches modern Windows clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 4fca8eaaae23955e704dc9c45d373fe78bf88201)

auth/ntlmssp: set NTLMSSP_ANONYMOUS for anonymous authentication

This matches a modern Windows client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit efd4986794889f1315dbd011b94b8673d785053a)

auth/ntlmssp: define all client neg_flags in gensec_ntlmssp_client_start()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit afba38dbf5c954abbcfc485a81f510255b69a426)

auth/ntlmssp: NTLMSSP_NEGOTIATE_VERSION is not a negotiated option

NTLMSSP_NEGOTIATE_VERSION only indicates the existence of the version
information in the packet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 30d626024c7e8f275d64f835632717b0130be4b2)

auth/ntlmssp: split out a debug_ntlmssp_flags_raw() that's more complete

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit e63442a1c27c475e373048893d9cf04859dd1792)

s3:ntlm_auth: also use gensec for "ntlmssp-client-1" and "gss-spnego-client"

This implicitly fixes bug #10708.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10708

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 279d58c1e68c9466a76e4a67d2cfea22e8719d31)

winbindd: make use of ntlmssp_resume_ccache backend for WINBINDD_CCACHE_NTLMAUTH

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 716e78f3b294210130f3cf253f496391534819b0)

s3:auth_generic: add "ntlmssp_resume_ccache" backend in auth_generic_client_prepare()

This will be used by winbindd in order to correctly implement WINBINDD_CCACHE_NTLMAUTH.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 8bcde9ec625547df42915e9138d696deeabdb62d)

auth/ntlmssp: implement GENSEC_FEATURE_NTLM_CCACHE

This can used in order to use the WINBINDD_CCACHE_NTLMAUTH
code of winbindd to do NTLMSSP authentication with a cached
password.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit b133f66e0da5ed05bbe81098e52c744bac4b48ac)

auth/gensec: add GENSEC_FEATURE_NTLM_CCACHE define

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 0a93cad337578a7ba61f12726c9a15ecf869db7b)

auth/ntlmssp: provide a "ntlmssp_resume_ccache" backend

These can be used to implement the winbindd side of
the WINBINDD_CCACHE_NTLMAUTH call.

It can properly get the initial NEGOTIATE messages
injected if available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit b3d4523ff7810279dc4d3201a09a868545d4d253)

s3:ntlmssp: remove unused libsmb/ntlmssp_wrap.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 52c03c07151a12e84fb4d34443864e59583c0db9)

s3:auth_generic: make use of the top level NTLMSSP client code

There's no reason to use gensec_ntlmssp3_client_ops, the
WINBINDD_CCACHE_NTLMAUTH isn't available via gensec anyway.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 0d66e2d34f656028eb3adb35acb653a45c041890)

winbindd: pass an memory context to do_ntlm_auth_with_stored_pw()

We should avoid using NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 871e8a9fd029bbcbccb79bd17f9c6a2617b8be55)

s3:tests/test_ntlm_auth_s3: test ntlmssp-client-1 with cached credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 9bd1ecffffd070333a22ef2449a179cee3effe5d)

selftest/knownfail: s4-winbind doesn't support cached ntlm credentials

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

s3:torture/test_ntlm_auth.py: add --client-use-cached-creds option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 1289130ad2aeded63990bf1bde6f169505c62280)

s3:torture/test_ntlm_auth.py: replace tabs with whitespaces

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit cf2ea04135774853d1cebca82c60bed890135163)

s3:ntlm_auth: fix --use-cached-creds with ntlmssp-client-1

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11776

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 69a7ec794213e8adec5dcbd9ca45172df13292c1)