[samba/f13/master] Fix GSSAPI checksum for some SMB servers resolves: #667644

Guenther Deschner gd at fedoraproject.org
Thu Jan 6 11:10:32 UTC 2011


commit 486648d06c9d6995ea0668a6667b91e5423773c8
Author: Günther Deschner <gd at fedoraproject.org>
Date:   Thu Jan 6 11:56:42 2011 +0100

    Fix GSSAPI checksum for some SMB servers
    resolves: #667644
    
    Guenther

 samba-3.5.6-gssapi.patch |  119 ++++++++++++++++++++++++++++++++++++++++++++++
 samba.spec               |    8 +++-
 2 files changed, 126 insertions(+), 1 deletions(-)
---
diff --git a/samba-3.5.6-gssapi.patch b/samba-3.5.6-gssapi.patch
new file mode 100644
index 0000000..cc807f9
--- /dev/null
+++ b/samba-3.5.6-gssapi.patch
@@ -0,0 +1,119 @@
+From 9f5c7da3ae47ac57087631e90f85f9a553af9018 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet at samba.org>
+Date: Sat, 11 Sep 2010 16:13:33 +1000
+Subject: [PATCH 1/2] s3-krb5 Fix Kerberos on FreeBSD with Samba4 DCs
+
+The idea of this patch is: Don't support a mix of different kerberos
+features.
+
+Either we should prepare a GSSAPI (8003) checksum and mark the request as
+such, or we should use the old behaviour (a normal kerberos checksum of 0 data).
+
+Sending the GSSAPI checksum data, but without marking it as GSSAPI broke
+Samba4, and seems well outside the expected behaviour, even if Windows accepts it.
+
+Andrew Bartlett
+(cherry picked from commit 3b4db34011f06fb785153fa9070fb1da9d8f5c78)
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+---
+ source3/libsmb/clikrb5.c |    4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
+index b0dec0a..ff93ddb 100644
+--- a/source3/libsmb/clikrb5.c
++++ b/source3/libsmb/clikrb5.c
+@@ -832,7 +832,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
+ 		goto cleanup_creds;
+ 	}
+ 
+-#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY)
++#if defined(TKT_FLG_OK_AS_DELEGATE ) && defined(HAVE_KRB5_FWD_TGT_CREDS) && defined(HAVE_KRB5_AUTH_CON_SETUSERUSERKEY) && defined(KRB5_AUTH_CONTEXT_USE_SUBKEY) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+ 	if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ) {
+ 		/* Fetch a forwarded TGT from the KDC so that we can hand off a 2nd ticket
+ 		 as part of the kerberos exchange. */
+@@ -894,7 +894,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
+ 			gss_flags |= GSS_C_DELEG_FLAG;
+ 		}
+ 	}
+-#endif
+ 
+ 	/* Frees and reallocates in_data into a GSS checksum blob. */
+ 	retval = create_gss_checksum(&in_data, gss_flags);
+@@ -902,7 +901,6 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context,
+ 		goto cleanup_data;
+ 	}
+ 
+-#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+ 	/* We always want GSS-checksum types. */
+ 	retval = krb5_auth_con_set_req_cksumtype(context, *auth_context, GSSAPI_CHECKSUM );
+ 	if (retval) {
+-- 
+1.7.0.4
+
+
+From 48348c03417a5efeadf493cb6739e83354f345db Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Thu, 23 Dec 2010 08:17:48 +0100
+Subject: [PATCH 2/2] s3:libsmb: use 16 zero bytes as channel binding checksum in the gssapi checksum (bug #7883)
+
+This fixes SMB session setups with kerberos against some closed
+source SMB servers.
+
+The new behavior matches heimdal and mit.
+
+metze
+
+Autobuild-User: Stefan Metzmacher <metze at samba.org>
+Autobuild-Date: Thu Dec 23 09:38:43 CET 2010 on sn-devel-104
+(cherry picked from commit e9dddc55e324c62973e6a561477b532cf9ed79af)
+(cherry picked from commit 3356192af5d36fbe986c4728162d10fe883ba2fd)
+---
+ source3/libsmb/clikrb5.c |   30 ++++++++++--------------------
+ 1 files changed, 10 insertions(+), 20 deletions(-)
+
+diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
+index ff93ddb..7b5cd09 100644
+--- a/source3/libsmb/clikrb5.c
++++ b/source3/libsmb/clikrb5.c
+@@ -696,26 +696,16 @@ static krb5_error_code create_gss_checksum(krb5_data *in_data, /* [inout] */
+ 	memset(gss_cksum, '\0', base_cksum_size + orig_length);
+ 	SIVAL(gss_cksum, 0, GSSAPI_BNDLENGTH);
+ 
+-	/* Precalculated MD5sum of NULL channel bindings (20 bytes) */
+-	/* Channel bindings are: (all ints encoded as little endian)
+-
+-		[4 bytes] initiator_addrtype (255 for null bindings)
+-		[4 bytes] initiator_address length
+-			[n bytes] .. initiator_address data - not present
+-				     in null bindings.
+-		[4 bytes] acceptor_addrtype (255 for null bindings)
+-		[4 bytes] acceptor_address length
+-			[n bytes] .. acceptor_address data - not present
+-				     in null bindings.
+-		[4 bytes] application_data length
+-			[n bytes] .. application_ data - not present
+-				     in null bindings.
+-		MD5 of this is ""\x14\x8f\x0c\xf7\xb1u\xdey*J\x9a%\xdfV\xc5\x18"
+-	*/
+-
+-	memcpy(&gss_cksum[4],
+-		"\x14\x8f\x0c\xf7\xb1u\xdey*J\x9a%\xdfV\xc5\x18",
+-		GSSAPI_BNDLENGTH);
++	/*
++	 * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes.
++	 * This matches the behavior of heimdal and mit.
++	 *
++	 * And it is needed to work against some closed source
++	 * SMB servers.
++	 *
++	 * See bug #7883
++	 */
++	memset(&gss_cksum[4], 0x00, GSSAPI_BNDLENGTH);
+ 
+ 	SIVAL(gss_cksum, 20, gss_flags);
+ 
+-- 
+1.7.0.4
+
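Review bot: In patch 1/2 the merged `#if` in `ads_krb5_mk_req` makes the GSSAPI checksum depend on the four delegation-related macros as well as `HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE`, so a build that has `krb5_auth_con_set_req_cksumtype` but lacks, for example, `HAVE_KRB5_FWD_TGT_CREDS` appears to fall back silently to the plain Kerberos checksum. The pairing the commit message asks for only needs `create_gss_checksum()` and the `krb5_auth_con_set_req_cksumtype()` call under one `#if defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)`, with the `TKT_FLG_OK_AS_DELEGATE` block kept under its own inner `#if`. The closing `#endif` lies outside the visible hunks, so the exact extent of the guard is inferred. Whichever guard is kept, a comment at the `#if` such as `/* All-or-nothing: either build and mark a GSSAPI (8003) checksum, or send the plain Kerberos checksum. */` would record why these are tied together. In patch 2/2 the new `memset(&gss_cksum[4], 0x00, GSSAPI_BNDLENGTH)` repeats what the `memset(gss_cksum, '\0', ...)` at the top of that hunk already did; it is harmless as documentation, but the comment could say the call is kept for clarity.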
diff --git a/samba.spec b/samba.spec
index feba998..a3ef035 100644
--- a/samba.spec
+++ b/samba.spec
@@ -1,4 +1,4 @@
-%define main_release 71
+%define main_release 72
 %define samba_version 3.5.6
 %define tdb_version 1.2.1
 %define talloc_version 2.0.1
@@ -45,6 +45,7 @@ Patch104: samba-3.0.0rc3-nmbd-netbiosname.patch
 Patch107: samba-3.2.0pre1-grouppwd.patch
 Patch200: samba-3.2.5-inotify.patch
 Patch201: samba-3.5.6-libsmbclient.patch
+Patch202: samba-3.5.6-gssapi.patch
 
 Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
 Requires: pam >= 0:0.64
@@ -210,6 +211,7 @@ cp %{SOURCE11} packaging/Fedora/
 %patch107 -p1 -b .grouppwd
 %patch200 -p0 -b .inotify
 %patch201 -p1 -b .libsmbclient
+%patch202 -p1 -b .gssapi
 
 mv %samba_source/VERSION %samba_source/VERSION.orig
 sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
@@ -667,6 +669,10 @@ exit 0
 %{_datadir}/pixmaps/samba/logo-small.png
 
 %changelog
+* Thu Jan 06 2011 Guenther Deschner <gdeschner at redhat.com> - 3.5.6-72
+- Fix GSSAPI checksum for some SMB servers
+- resolves: #667644
+
 * Thu Nov 18 2010 Guenther Deschner <gdeschner at redhat.com> - 3.5.6-71
 - Fix libsmbclient SMB signing
 - resolves: #598620

