ntlmssp errors against El Capitan's SMB Server

Post by Christian Ambach
Hi list,
I was trying to use smbclient against the SMB server included in MacOS X
El Capitan, but it fails to authenticate with

NTLMSSP packet check failed due to short signature (0 bytes)!
NTLMSSP NTLM2 packet check failed due to invalid signature!

I am not a NTLMSSP expert, but looking at the attached capture it seems
that Apple's SMB server does not provide a signature when asked to do so
with the NTLMSSP_NEGOTIATE_SIGN flag.
I suspect that this is another side-effect of the badlock hardenings?
Is there a config variable available to work around this?
Can we detect that the server does not support the flag and not use it?

Trouble is the server is saying it *does* support the NTLMSSP_NEGOTIATE_SIGN
flag in the reply.

Can you get a Windows 8 or above client capture trace connecting to
this same server to see "what windows does (tm)".

Jeremy

Christian Ambach

2016-08-28 14:37:43 UTC

Post by Jeremy Allison
Trouble is the server is saying it *does* support the NTLMSSP_NEGOTIATE_SIGN
flag in the reply.
Can you get a Windows 8 or above client capture trace connecting to
this same server to see "what windows does (tm)".

Windows 7 and Windows 10 happily finish connecting, see attach pcap.
I have run git bisect and it pointed me to commit 0d641ee36ae2c.
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC
generation (as client)

So the rules were tightened because of Badlock. Maybe too tight?

I have also found an Ubuntu bug about the same:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1579540

Setting ntlmssp_client:force_old_spnego = yes to helps,
but this will then affect all client connections.

Which spec applies here to indicate that the server must supply a signature?

Cheers,
Christian

Jeremy Allison

2016-08-29 22:45:53 UTC

Windows 7 and Windows 10 happily finish connecting, see attach pcap.
I have run git bisect and it pointed me to commit 0d641ee36ae2c.
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC
generation (as client)
So the rules were tightened because of Badlock. Maybe too tight?
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1579540
Setting ntlmssp_client:force_old_spnego = yes to helps,
but this will then affect all client connections.
Which spec applies here to indicate that the server must supply a signature?

It's the NTLMSSP one I think.

[MS-NLMP].pdf. Check out "3.4.4.2 With Extended Session Security".

When Extended Session Security (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) is
negotiated and session security (NTLMSSP_NEGOTIATE_SIGN or NTLMSSP_NEGOTIATE_SEAL) is
negotiated, the message signature for NTLM with extended session security is a 16-byte value that
contains the following components, as described by the NTLMSSP_MESSAGE_SIGNATURE structure:
....

Our code says:

if (have_sign && new_spnego) {
spnego_state->needs_mic_check = true;
spnego_state->needs_mic_sign = true;
}

and the server is requesting negotiate signing, so we are
insisting on the mic check (as we should).

I think the Windows client is buggy here by not checking the
signature returned by the server - the question is should we match
that ?

Or have an option to match that ?

Simo

2016-08-30 17:35:07 UTC

Post by Jeremy Allison
Trouble is the server is saying it *does* support the
NTLMSSP_NEGOTIATE_SIGN
flag in the reply.
Can you get a Windows 8 or above client capture trace connecting to
this same server to see "what windows does (tm)".

Windows 7 and Windows 10 happily finish connecting, see attach pcap.
I have run git bisect and it pointed me to commit 0d641ee36ae2c.
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC
generation (as client)
So the rules were tightened because of Badlock. Maybe too tight?
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1579540
Setting ntlmssp_client:force_old_spnego = yes to helps,
but this will then affect all client connections.
Which spec applies here to indicate that the server must supply a signature?

The pcap file from the previous email shows there is a signature, what
am I missing here ?

Simo.

Jeremy Allison

2016-08-30 17:52:00 UTC

Post by Simo

Post by Jeremy Allison
Trouble is the server is saying it *does* support the
NTLMSSP_NEGOTIATE_SIGN
flag in the reply.
Can you get a Windows 8 or above client capture trace connecting to
this same server to see "what windows does (tm)".

Windows 7 and Windows 10 happily finish connecting, see attach pcap.
I have run git bisect and it pointed me to commit 0d641ee36ae2c.
CVE-2016-2110: auth/ntlmssp: implement new_spnego support including MIC
generation (as client)
So the rules were tightened because of Badlock. Maybe too tight?
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1579540
Setting ntlmssp_client:force_old_spnego = yes to helps,
but this will then affect all client connections.
Which spec applies here to indicate that the server must supply a signature?

The pcap file from the previous email shows there is a signature, what
am I missing here ?

It's the final reply from server to client that is missing the sig.

We as the client are dropping the connection as we don't then trust
the server.

Simo

2016-08-30 19:54:33 UTC

Post by Simo

Post by Jeremy Allison
Trouble is the server is saying it *does* support the
NTLMSSP_NEGOTIATE_SIGN
flag in the reply.
Can you get a Windows 8 or above client capture trace
connecting to
this same server to see "what windows does (tm)".

Windows 7 and Windows 10 happily finish connecting, see attach pcap.
I have run git bisect and it pointed me to commit 0d641ee36ae2c.
CVE-2016-2110: auth/ntlmssp: implement new_spnego support
including
MIC
generation (as client)
So the rules were tightened because of Badlock. Maybe too tight?
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1579540
Setting ntlmssp_client:force_old_spnego = yes to helps,
but this will then affect all client connections.
Which spec applies here to indicate that the server must supply a signature?

The pcap file from the previous email shows there is a signature, what
am I missing here ?

It's the final reply from server to client that is missing the sig.
We as the client are dropping the connection as we don't then trust
the server.

This is not how spnego is supposed to work, once a mechListMIC is
returned by one of the parties and it checks out then you do not add
another one on the way back.

Whether the client or the server send a mechListMIC depends on the
mechanism selected and how many round trips it implies.

Going by memory but IIRC:
If kerberos is used usually it's the server that send the mechlistMIC
as the last leg is done at the server. In case of NTLM the client needs
to send back one more token so it is the client that generates the
mechlistMIC.

I may be wrong on some minor detail or the directions :-)

Simo.

Jeremy Allison

2016-08-30 20:13:57 UTC

Post by Simo
This is not how spnego is supposed to work, once a mechListMIC is
returned by one of the parties and it checks out then you do not add
another one on the way back.
Whether the client or the server send a mechListMIC depends on the
mechanism selected and how many round trips it implies.
If kerberos is used usually it's the server that send the mechlistMIC
as the last leg is done at the server. In case of NTLM the client needs
to send back one more token so it is the client that generates the
mechlistMIC.
I may be wrong on some minor detail or the directions :-)

https://www.rfc-editor.org/rfc/rfc4178.txt

does imply that mechListMIC's are exchanged.

However:

5. Processing of mechListMIC

makes my brain hurt :-). Especially:

"Acceptors that wish to be
compatible with legacy Windows SPNEGO implementations, as
described in Appendix C, should not generate a mechlistMIC token
when the MIC token exchange is not required."

Jeremy Allison

2016-08-30 20:22:55 UTC

https://www.rfc-editor.org/rfc/rfc4178.txt
does imply that mechListMIC's are exchanged.

Yeah, doesn't this part:

" In cases where an attacker could have materially influenced the
negotiation, peers exchange message integrity code (MIC) tokens to
confirm that the mechanism list has not been modified. "

mean that both sides must exchange a mechlistMIC ?

However, in the .pcap between smbclient and the Apple
server there's only one mechType, which the server selects,
so I'm guessing that in this case no attacker "could have materially influenced the
negotiation" so the mechlistMIC becomes optional...

Simo

2016-08-30 20:40:54 UTC

Post by Simo
This is not how spnego is supposed to work, once a mechListMIC is
returned by one of the parties and it checks out then you do not add
another one on the way back.
Whether the client or the server send a mechListMIC depends on the
mechanism selected and how many round trips it implies.
If kerberos is used usually it's the server that send the
mechlistMIC
as the last leg is done at the server. In case of NTLM the client needs
to send back one more token so it is the client that generates heN
mechlistMIC.
I may be wrong on some minor detail or the directions :-)

https://www.rfc-editor.org/rfc/rfc4178.txt
does imply that mechListMIC's are exchanged.
5.  Processing of mechListMIC
"Acceptors that wish to be
      compatible with legacy Windows SPNEGO implementations, as
      described in Appendix C, should not generate a mechlistMIC
token
      when the MIC token exchange is not required."

This is in 4178 5.b, this is not the case you are looking for, as in
the NTLM case you exchange an odd number of tokens (Negotiate,
Challenge, Auth), while in the kerberos case you exchange an even
number of tokens (initiate token and accept token)

So you need to look at 4178 5.c
in there you have things like:
if the
      negState was request-mic in the first reply from the target, a
      mechlistMIC token MUST be included; otherwise, the mechlistMIC
token is OPTIONAL.

(in this pcacp the state was accept-incomplete)

Also:
In the case that the optimistic mechanism token is the only
      mechanism token for the initiator's preferred mechanism, the
      mechlistMIC token is OPTIONAL.

(in this pcap NTLM was attempted optimistically and the initiator did
not provide any other mechanism.

All this would still require the mechlistMIC to be produced from the
server because the client did in fact send a mechlistMIC token except
that in Appendix C we have:

SPNEGO implementations in Microsoft Windows 2000/Windows XP/Windows
   Server 2003 have the following behavior: no mechlistMIC is produced
   and mechlistMIC is not processed if one is provided; if the initiator
   sends the last mechanism token, the acceptor will send back a
   negotiation token with an accept_complete state and no mechlistMIC
   token.

I think this is the behavior we are seeing.

Simo.

Jeremy Allison

2016-08-30 22:19:49 UTC

Post by Simo
This is in 4178 5.b, this is not the case you are looking for, as in
the NTLM case you exchange an odd number of tokens (Negotiate,
Challenge, Auth), while in the kerberos case you exchange an even
number of tokens (initiate token and accept token)
So you need to look at 4178 5.c
if the
      negState was request-mic in the first reply from the target, a
      mechlistMIC token MUST be included; otherwise, the mechlistMIC
token is OPTIONAL.
(in this pcacp the state was accept-incomplete)
In the case that the optimistic mechanism token is the only
      mechanism token for the initiator's preferred mechanism, the
      mechlistMIC token is OPTIONAL.
(in this pcap NTLM was attempted optimistically and the initiator did
not provide any other mechanism.
All this would still require the mechlistMIC to be produced from the
server because the client did in fact send a mechlistMIC token except
SPNEGO implementations in Microsoft Windows 2000/Windows XP/Windows
   Server 2003 have the following behavior: no mechlistMIC is produced
   and mechlistMIC is not processed if one is provided; if the initiator
   sends the last mechanism token, the acceptor will send back a
   negotiation token with an accept_complete state and no mechlistMIC
   token.
I think this is the behavior we are seeing.

Ah, this is staring to make sense. In MS-NLMP we have:

If the CHALLENGE_MESSAGE TargetInfo field (section 2.2.1.2) has an MsvAvTimestamp present,
the client SHOULD provide a MIC<51>:

So I'm guessing that in the latest version of the Apple
server they added support for the MsvAvTimestamp in their
NTLM implementation, but didn't add support for MIC processing
in SPNEGO.

So they act like a modern post-Windows 2003 server in terms
of the MsvAvTimestamp, which causes us to turn on our
MIC code, but then don't reply containing a mechlistMIC,
like a a pre-Windows 2008 server.

We work against a Windows 2003 server as it never sends
the MsvAvTimestamp I'd guess, so in that case we don't
send or expect any mechlistMIC.

In fact commit 0d641ee36ae2c shows exactly how this
happened:

+ if (timestamp != NULL) {
+ uint32_t sign_features =
+ GENSEC_FEATURE_SESSION_KEY |
+ GENSEC_FEATURE_SIGN |
+ GENSEC_FEATURE_SEAL;
+
+ server_timestamp = &timestamp->Value.AvTimestamp;
+
+ if (ntlmssp_state->force_old_spnego) {
+ sign_features = 0;
+ }
+
+ if (gensec_security->want_features & sign_features) {
+ struct AV_PAIR *av_flags = NULL;
+
+ av_flags = ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list,
+ MsvAvFlags);
+ if (av_flags == NULL) {
+ av_flags = eol;
+ eol++;
+ count++;
+ *eol = *av_flags;
+ av_flags->AvId = MsvAvFlags;
+ av_flags->Value.AvFlags = 0;
+ }
+
+ av_flags->Value.AvFlags |= NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
+ ntlmssp_state->new_spnego = true;
+ }
+ }

note the 'ntlmssp_state->new_spnego = true' when timestamp != NULL.

And it looks like the Windows client doesn't check the
mechlistMIC in this case, so we might need to losen our
check also.

This would also fix the smbclient connecting to the Microsoft
Azure server problem - that server also only does NTLM and
doesn't send the mechlistMIC in the ACCEPT_COMPLETED reply.

Attached is a possible patch, but I'm *really* unsure
if this is safe w.r.t. downgrade attacks.

Metze, can you take a look at this and let me know what you
think ?

Jeremy.

Simo

2016-08-31 02:19:11 UTC

Post by Simo
This is in 4178 5.b, this is not the case you are looking for, as in
the NTLM case you exchange an odd number of tokens (Negotiate,
Challenge, Auth), while in the kerberos case you exchange an even
number of tokens (initiate token and accept token)
So you need to look at 4178 5.c
if the
      negState was request-mic in the first reply from the target, a
      mechlistMIC token MUST be included; otherwise, the mechlistMIC
token is OPTIONAL.
(in this pcacp the state was accept-incomplete)
In the case that the optimistic mechanism token is the only
      mechanism token for the initiator's preferred mechanism, the
      mechlistMIC token is OPTIONAL.
(in this pcap NTLM was attempted optimistically and the initiator did
not provide any other mechanism.
All this would still require the mechlistMIC to be produced from the
server because the client did in fact send a mechlistMIC token except
SPNEGO implementations in Microsoft Windows
2000/Windows XP/Windows
   Server 2003 have the following behavior: no mechlistMIC is produced
   and mechlistMIC is not processed if one is provided; if the initiator
   sends the last mechanism token, the acceptor will send back a
   negotiation token with an accept_complete state and no
mechlistMIC
   token.
I think this is the behavior we are seeing.

If the CHALLENGE_MESSAGE TargetInfo field (section 2.2.1.2) has an MsvAvTimestamp present,
So I'm guessing that in the latest version of the Apple
server they added support for the MsvAvTimestamp in their
NTLM implementation, but didn't add support for MIC processing
in SPNEGO.
So they act like a modern post-Windows 2003 server in terms
of the MsvAvTimestamp, which causes us to turn on our
MIC code, but then don't reply containing a mechlistMIC,
like a a pre-Windows 2008 server.
We work against a Windows 2003 server as it never sends
the MsvAvTimestamp I'd guess, so in that case we don't
send or expect any mechlistMIC.
In fact commit 0d641ee36ae2c shows exactly how this
+               if (timestamp != NULL) {
+                       uint32_t sign_features =
+                                       GENSEC_FEATURE_SESSION_KEY |
+                                       GENSEC_FEATURE_SIGN |
+                                       GENSEC_FEATURE_SEAL;
+
+                       server_timestamp = &timestamp-

Post by Simo
Value.AvTimestamp;

+
+                       if (ntlmssp_state->force_old_spnego) {
+                               sign_features = 0;
+                       }
+
+                       if (gensec_security->want_features &
sign_features) {
+                               struct AV_PAIR *av_flags = NULL;
+
+                               av_flags =
ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list,
+                                                              MsvAvF
lags);
+                               if (av_flags == NULL) {
+                                       av_flags = eol;
+                                       eol++;
+                                       count++;
+                                       *eol = *av_flags;
+                                       av_flags->AvId = MsvAvFlags;
+                                       av_flags->Value.AvFlags = 0;
+                               }
+
+                               av_flags->Value.AvFlags |=
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE;
+                               ntlmssp_state->new_spnego = true;
+                       }
+               }
note the 'ntlmssp_state->new_spnego = true' when timestamp != NULL.
And it looks like the Windows client doesn't check the
mechlistMIC in this case, so we might need to losen our
check also.
This would also fix the smbclient connecting to the Microsoft
Azure server problem - that server also only does NTLM and
doesn't send the mechlistMIC in the ACCEPT_COMPLETED reply.
Attached is a possible patch, but I'm *really* unsure
if this is safe w.r.t. downgrade attacks.
Metze, can you take a look at this and let me know what you
think ?

I've been thinking about when a downgrade attack is possible and the
only scenario that comes to mind is when the server just ignores the
client MIC. And in that case the server will never detect nor generate
a mechlistMIC anyway.
If the server checks the client sent mechlistMIC, then the server will
detect a downgrade attack and just drop the session establishment.

Simo.

Jeremy Allison

2016-08-31 02:31:22 UTC

Post by Simo

Post by Jeremy Allison
note the 'ntlmssp_state->new_spnego = true' when timestamp != NULL.
And it looks like the Windows client doesn't check the
mechlistMIC in this case, so we might need to losen our
check also.
This would also fix the smbclient connecting to the Microsoft
Azure server problem - that server also only does NTLM and
doesn't send the mechlistMIC in the ACCEPT_COMPLETED reply.
Attached is a possible patch, but I'm *really* unsure
if this is safe w.r.t. downgrade attacks.
Metze, can you take a look at this and let me know what you
think ?

Yep, I've also been thinking more about this and I think
the patch is safe. Once the client has the "accept-complete"
reply, then a missing server-sent mechlistMIC can't
affect anything. Check it is it's there, but it's not
providing any extra security I think.

Andreas Schneider

2016-08-31 07:07:18 UTC

Post by Simo
This is in 4178 5.b, this is not the case you are looking for, as in
the NTLM case you exchange an odd number of tokens (Negotiate,
Challenge, Auth), while in the kerberos case you exchange an even
number of tokens (initiate token and accept token)
So you need to look at 4178 5.c
if the
negState was request-mic in the first reply from the target, a
mechlistMIC token MUST be included; otherwise, the mechlistMIC
token is OPTIONAL.
(in this pcacp the state was accept-incomplete)
In the case that the optimistic mechanism token is the only
mechanism token for the initiator's preferred mechanism, the
mechlistMIC token is OPTIONAL.
(in this pcap NTLM was attempted optimistically and the initiator did
not provide any other mechanism.
All this would still require the mechlistMIC to be produced from the
server because the client did in fact send a mechlistMIC token except
SPNEGO implementations in Microsoft Windows 2000/Windows XP/Windows
Server 2003 have the following behavior: no mechlistMIC is produced
and mechlistMIC is not processed if one is provided; if the initiator
sends the last mechanism token, the acceptor will send back a
negotiation token with an accept_complete state and no mechlistMIC
token.
I think this is the behavior we are seeing.

If the CHALLENGE_MESSAGE TargetInfo field (section 2.2.1.2) has an
So I'm guessing that in the latest version of the Apple
server they added support for the MsvAvTimestamp in their
NTLM implementation, but didn't add support for MIC processing
in SPNEGO.
So they act like a modern post-Windows 2003 server in terms
of the MsvAvTimestamp, which causes us to turn on our
MIC code, but then don't reply containing a mechlistMIC,
like a a pre-Windows 2008 server.
We work against a Windows 2003 server as it never sends
the MsvAvTimestamp I'd guess, so in that case we don't
send or expect any mechlistMIC.
In fact commit 0d641ee36ae2c shows exactly how this
+ if (timestamp != NULL) {
+ uint32_t sign_features =
+ GENSEC_FEATURE_SESSION_KEY |
+ GENSEC_FEATURE_SIGN |
+ GENSEC_FEATURE_SEAL;
+
+ server_timestamp = &timestamp->Value.AvTimestamp;
+
+ if (ntlmssp_state->force_old_spnego) {
+ sign_features = 0;
+ }
+
+ if (gensec_security->want_features & sign_features)
{ + struct AV_PAIR *av_flags = NULL;
+
+ av_flags =
ndr_ntlmssp_find_av(&ntlmssp_state->client.av_pair_list, +
MsvAvFlags); +
if (av_flags == NULL) {
+ av_flags = eol;
+ eol++;
+ count++;
+ *eol = *av_flags;
+ av_flags->AvId = MsvAvFlags;
+ av_flags->Value.AvFlags = 0;
+ }
+
+ av_flags->Value.AvFlags |=
NTLMSSP_AVFLAG_MIC_IN_AUTHENTICATE_MESSAGE; +
ntlmssp_state->new_spnego = true;
+ }
+ }
note the 'ntlmssp_state->new_spnego = true' when timestamp != NULL.
And it looks like the Windows client doesn't check the
mechlistMIC in this case, so we might need to losen our
check also.
This would also fix the smbclient connecting to the Microsoft
Azure server problem - that server also only does NTLM and
doesn't send the mechlistMIC in the ACCEPT_COMPLETED reply.
Attached is a possible patch, but I'm *really* unsure
if this is safe w.r.t. downgrade attacks.
Metze, can you take a look at this and let me know what you
think ?
Jeremy.

If we go with that patch then we need a BUG and the bug url should be added to
the commit message.

So please open a bug and change the commit message.

Thanks,

-- andreas

--
Andreas Schneider GPG-ID: CC014E3D
Samba Team ***@samba.org
www.samba.org

Jeremy Allison

2016-08-31 15:57:37 UTC

Post by Andreas Schneider
If we go with that patch then we need a BUG and the bug url should be added to
the commit message.
So please open a bug and change the commit message.

Will do, if this patch gets that far :-). Right now I
don't have confirmation it even works yet (I think it
will though :-).

Christian Ambach

2016-08-31 20:53:36 UTC

Post by Andreas Schneider
If we go with that patch then we need a BUG and the bug url should be added to
the commit message.
So please open a bug and change the commit message.

Will do, if this patch gets that far :-). Right now I
don't have confirmation it even works yet (I think it
will though :-).

It does, just tested it.

Christian

Stefan Metzmacher

2016-09-01 12:55:08 UTC

Post by Andreas Schneider
If we go with that patch then we need a BUG and the bug url should be added to
the commit message.
So please open a bug and change the commit message.

Will do, if this patch gets that far :-). Right now I
don't have confirmation it even works yet (I think it
will though :-).

It does, just tested it.

Are you sure?

It doesn't work for me.

I'll post a working patch soon.

metze

Stefan Metzmacher

2016-08-31 08:20:35 UTC

Hi Jeremy,

The problem I see with this is that client doesn't know
if the server processed the mechListMIC.

Which has implications on:

if (NT_STATUS_IS_OK(status)) {
bool reset_full = true;

gensec_security->child_security =
spnego_state->sub_sec_security;

reset_full = !spnego_state->done_mic_check;

status =
gensec_may_reset_crypto(spnego_state->sub_sec_security,
reset_full);
}

@Simo: We discussed that the reset_full parameter might not be required,
but I think
these "broken/lazy" servers would be the reason to have it there.

As this problem hopefully only present at the SMB* protocols, which have
their own
signing/encrytion implementations, I'd propose to add a
GENSEC_FEATURE_SMB_STYLE
and allow Jeremy's change only if GENSEC_FEATURE_SMB_STYLE is present.
(We already have GENSEC_FEATURE_DCE_STYLE and GENSEC_FEATURE_LDAP_STYLE
so adding GENSEC_FEATURE_SMB_STYLE would be a similar way to work around
SMB specific
implementation bugs).

What do you think?

metze

Simo

2016-08-31 16:13:23 UTC

Post by Stefan Metzmacher
Hi Jeremy,

The problem I see with this is that client doesn't know
if the server processed the mechListMIC.
        if (NT_STATUS_IS_OK(status)) {
                bool reset_full = true;
                gensec_security->child_security =
spnego_state->sub_sec_security;
                reset_full = !spnego_state->done_mic_check;
                status =
gensec_may_reset_crypto(spnego_state->sub_sec_security,
                                                 reset_full);
        }
@Simo: We discussed that the reset_full parameter might not be
required,
but I think
these "broken/lazy" servers would be the reason to have it there.
As this problem hopefully only present at the SMB* protocols, which have
their own
signing/encrytion implementations, I'd propose to add a
GENSEC_FEATURE_SMB_STYLE
and allow Jeremy's change only if GENSEC_FEATURE_SMB_STYLE is
present.
(We already have GENSEC_FEATURE_DCE_STYLE and
GENSEC_FEATURE_LDAP_STYLE
so adding GENSEC_FEATURE_SMB_STYLE would be a similar way to work around
SMB specific
implementation bugs).
What do you think?

I think we may want a knob to allow this behavior, it's not ideal but
backward compat is also important. I also agree we may want to relax it
selectively per transport.

I would call it just "SPNEGO_REQUIRE_SERVER_MIC" (instead of SMB_STYLE)
and allow the SMB code paths to set it to No, the default should be to
require it. The name should reflect what the knob actually wants and
not where we actually use it this time, it'd be awkward and confusing
to set "SMB_STYLE" if we figure we need to use it on another protocol.

Simo.

Christian Ambach

2016-08-31 20:56:02 UTC

Post by Simo
I would call it just "SPNEGO_REQUIRE_SERVER_MIC" (instead of SMB_STYLE)
and allow the SMB code paths to set it to No, the default should be to
require it. The name should reflect what the knob actually wants and
not where we actually use it this time, it'd be awkward and confusing
to set "SMB_STYLE" if we figure we need to use it on another protocol.

I think that most of the ordinary users of libsmbclient would prefer
that the checks are relaxed in the default configuration. For security
sensitive connections from Samba processes, we can set a flag that
enforces the check.

Christian

Jeremy Allison

2016-08-31 21:18:31 UTC

OK - here is a patchset for bug:

https://bugzilla.samba.org/show_bug.cgi?id=11994

"smbclient fails to connect to Azure share spnego fails with no mechListMIC"

which already existed. Christian can you test this version please ?

I've everyone is happy I'll push.

Cheers,

Jeremy.

Stefan Metzmacher

2016-09-01 06:25:20 UTC

https://bugzilla.samba.org/show_bug.cgi?id=11994
"smbclient fails to connect to Azure share spnego fails with no mechListMIC"
which already existed. Christian can you test this version please ?
I've everyone is happy I'll push.

I just realized that me most likely don't need the extra
GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC.

The thing is that gensec_have_feature(GENSEC_FEATURE_SIGN) returns
true, while we just ask for GENSEC_FEATURE_SESSION_KEY.

Ambi, can you some tests with each of the attached patches?
And with both of them applied? So I'd like to see captures of all 3
combinations together with their smbclient -d10 output.

Thanks!
metze

Stefan Metzmacher

2016-09-01 13:02:06 UTC

Post by Stefan Metzmacher

I just realized that me most likely don't need the extra
GENSEC_FEATURE_SPENGO_IGNORE_SERVER_MIC.
The thing is that gensec_have_feature(GENSEC_FEATURE_SIGN) returns
true, while we just ask for GENSEC_FEATURE_SESSION_KEY.
Ambi, can you some tests with each of the attached patches?
And with both of them applied? So I'd like to see captures of all 3
combinations together with their smbclient -d10 output.

These don't work as Jeremy's original patch also doesn't (at for me).

The HACK patch with the unknown OID is rejected with LOGON_FAILURE
by the Apple server, while the downgrade to the known NTLMSSP oid
works as expected against Windows.

The attached patch (tmp.diff.txt) fixes the problem for me against
an Apple server, can anyone test against Azure?

The new "HACK: source3/libsmb/cliconnect.c require GENSEC_FEATURE_SIGN"
patch
shows that still trigger the ACCESS_DENIED if GENSEC_FEATURE_SIGN is
requested.

metze

Jeremy Allison

2016-09-01 18:57:58 UTC

Post by Stefan Metzmacher
These don't work as Jeremy's original patch also doesn't (at for me).

Not surprised, my patch was deduced by "PURE LOGIC (tm)" without
access to an El Capitan server :-). I'm trying to get access to
one to figure out the exact details.

Post by Stefan Metzmacher
The HACK patch with the unknown OID is rejected with LOGON_FAILURE
by the Apple server, while the downgrade to the known NTLMSSP oid
works as expected against Windows.
The attached patch (tmp.diff.txt) fixes the problem for me against
an Apple server, can anyone test against Azure?

Did you test this patch running against the Apple server with
smbclient requiring SMB signing ? With this patch that will fail
right ?

(we'll still expect the mechListMic and the server doesn't
ever send it).

Post by Stefan Metzmacher
The new "HACK: source3/libsmb/cliconnect.c require GENSEC_FEATURE_SIGN"
patch
shows that still trigger the ACCESS_DENIED if GENSEC_FEATURE_SIGN is
requested.

Does the Windows client fail against the Apple server is signing
is required ? Or do they enforce a mechListMic check in this case ?

Andrew Bartlett

2016-09-01 19:18:23 UTC

Post by Stefan Metzmacher
These don't work as Jeremy's original patch also doesn't (at for me).

Not surprised, my patch was deduced by "PURE LOGIC (tm)" without
access to an El Capitan server :-). I'm trying to get access to
one to figure out the exact details.

I have one on my desk at work, if that helps.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Jeremy Allison

2016-09-01 20:46:21 UTC

Post by Andrew Bartlett

Post by Stefan Metzmacher
These don't work as Jeremy's original patch also doesn't (at for me).

Not surprised, my patch was deduced by "PURE LOGIC (tm)" without
access to an El Capitan server :-). I'm trying to get access to
one to figure out the exact details.

I have one on my desk at work, if that helps.

Can you check connecting to it with Metze's patch
applied to master (the tmp.diff.txt one) using
smbclient -MSMB3 and make sure we still work
also using -s (signing) (you could also check
with -e encrypt but I'm not sure if the Apple
server supports that).

Thanks !

Jeremy.

Christian Ambach

2016-09-02 12:28:30 UTC

Post by Jeremy Allison
Can you check connecting to it with Metze's patch
applied to master (the tmp.diff.txt one) using
smbclient -MSMB3 and make sure we still work
also using -s (signing) (you could also check
with -e encrypt but I'm not sure if the Apple
server supports that).
Thanks !

I have tested Metze's patch and it works with -mSMB3 and -Srequired as well.
Apple's server does not support encryption.

I have pushed the patch to autobuild with my R-b.

Christian

Stefan Metzmacher

2016-09-01 19:34:05 UTC

Post by Stefan Metzmacher
These don't work as Jeremy's original patch also doesn't (at for me).

Not surprised, my patch was deduced by "PURE LOGIC (tm)" without
access to an El Capitan server :-). I'm trying to get access to
one to figure out the exact details.

Did you test this patch running against the Apple server with
smbclient requiring SMB signing ? With this patch that will fail
right ?
(we'll still expect the mechListMic and the server doesn't
ever send it).

Post by Stefan Metzmacher
The new "HACK: source3/libsmb/cliconnect.c require GENSEC_FEATURE_SIGN"
patch
shows that still trigger the ACCESS_DENIED if GENSEC_FEATURE_SIGN is
requested.

Does the Windows client fail against the Apple server is signing
is required ? Or do they enforce a mechListMic check in this case ?

SMB signing uses just GENSEC_FEATURE_SESSION_KEY and not
GENSEC_FEATURE_SIGN,
so I don't think there're any difference with SMB signing,
but I'll test that tomorrow against Ralph's apple server.

So with tmp.diff.txt (alone) it all worked against it with SMB1 and SMB3,
without required signing.

metze

Jeremy Allison

2016-09-01 20:43:57 UTC

Post by Stefan Metzmacher