Discussion:
[Patches] Fix GENSEC_FEATURE_LDAP_STYLE handling as server (NTLMSSP NTLM2 packet check failed due to invalid signature!) (bug #13427)
Andrew Bartlett via samba-technical
2018-05-14 10:02:14 UTC
On Wed, 2018-05-09 at 15:13 +0200, Ralph Böhme via samba-technical
here're patches to demonstrate and fix a regression of our server side
GENSEC_FEATURE_LDAP_STYLE handling.
would you mind explaining the logic behind GENSEC_FEATURE_LDAP_STYLE and why
NTLMSSP_NEGOTIATE_SIGN implies NTLMSSP_NEGOTIATE_SEAL over LDAP ? Thanks!
From 109f0487abdafc16a31a221f1ff57dccb0b2a775 Mon Sep 17 00:00:00 2001
Date: Mon, 7 May 2018 14:50:27 +0200
Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE
as a server
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.
This fixes a regression in the combination of commits
77adac8c3cd2f7419894d18db735782c9646a202 and
3a0b835408a6efa339e8b34333906bfe3aacd6e3.
We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server), while we need to (and already
do so at the beginning as a client).
Oh, and btw, this commit message is in need of some love. :)
G'Day,

I'm sorry, but I'm with Ralph on this one. I tried to make sense of
what is going on here, but I can't. Can you explain this with a bit
more background?

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Stefan Metzmacher via samba-technical
2018-05-14 10:21:20 UTC
Hi,

here's an updated patchset.

metze
On Wed, 2018-05-09 at 15:13 +0200, Ralph Böhme via samba-technical
here're patches to demonstrate and fix a regression of our server side
GENSEC_FEATURE_LDAP_STYLE handling.
would you mind explaining the logic behind GENSEC_FEATURE_LDAP_STYLE and why
NTLMSSP_NEGOTIATE_SIGN implies NTLMSSP_NEGOTIATE_SEAL over LDAP ? Thanks!
From 109f0487abdafc16a31a221f1ff57dccb0b2a775 Mon Sep 17 00:00:00 2001
Date: Mon, 7 May 2018 14:50:27 +0200
Subject: [PATCH 3/3] auth/ntlmssp: fix handling of GENSEC_FEATURE_LDAP_STYLE
as a server
This fixes "NTLMSSP NTLM2 packet check failed due to invalid signature!"
error messages, which were generated if the client only sends
NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP
connection.
This fixes a regression in the combination of commits
77adac8c3cd2f7419894d18db735782c9646a202 and
3a0b835408a6efa339e8b34333906bfe3aacd6e3.
We need to evaluate GENSEC_FEATURE_LDAP_STYLE at the end
of the authentication (as a server), while we need to (and already
do so at the beginning as a client).
Oh, and btw, this commit message is in need of some love. :)
G'Day,
I'm sorry, but I'm with Ralph on this one. I tried to make sense of
what is going on here, but I can't. Can you explain this with a bit
more background?
Thanks,
Andrew Bartlett
Andrew Bartlett via samba-technical
2018-05-15 06:03:56 UTC
Post by Stefan Metzmacher via samba-technical
Hi,
here's an updated patchset.
metze
Thanks.

Reviewed-by: Andrew Bartlett <***@samba.org>

Please push (I'll also try to do so later).

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Ralph Böhme via samba-technical
2018-05-15 12:52:18 UTC
Post by Stefan Metzmacher via samba-technical
here's an updated patchset.
thanks!

-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG Key Fingerprint: FAE2 C608 8A24 2520 51C5
59E4 AA1E 9B71 2639 9E46