auth/ntlmssp: enforce NTLMSSP_NEGOTIATE_NTLM2 for the NTLMv2 client case
author Stefan Metzmacher <metze@samba.org>
Sat, 24 Jun 2017 11:16:03 +0000 (13:16 +0200)
committer Jeremy Allison <jra@samba.org>
Mon, 26 Jun 2017 21:16:13 +0000 (23:16 +0200)
Some servers may not announce the NTLMSSP_NEGOTIATE_NTLM2
(a.k.a. NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY) bit.

But if we're acting as a client using NTLMv2 we need to
enforce this flag, because it's not really negotiable
in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12862

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
auth/ntlmssp/ntlmssp_util.c

index 4ae6101f025635acbd14f85805a1a04edca530d9..9c7325a23e0c6adce6a61ff9d8b4c0567644f2ba 100644 (file)
@@ -75,6 +75,27 @@ NTSTATUS ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
 {
        uint32_t missing_flags = ntlmssp_state->required_flags;
 
+       if (ntlmssp_state->use_ntlmv2) {
+               /*
+                * Using NTLMv2 as a client implies
+                * using NTLMSSP_NEGOTIATE_NTLM2
+                * (NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY)
+                *
+                * Note that 'use_ntlmv2' is only set
+                * true in the client case.
+                *
+                * Even if the server has a bug and does not announce
+                * it, we need to assume it's present.
+                *
+                * Note that we also have the flag
+                * in ntlmssp_state->required_flags,
+                * see gensec_ntlmssp_client_start().
+                *
+                * See bug #12862.
+                */
+               flags |= NTLMSSP_NEGOTIATE_NTLM2;
+       }
+
        if (flags & NTLMSSP_NEGOTIATE_UNICODE) {
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_UNICODE;
                ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_OEM;
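
Review bot: the unconditional "flags |= NTLMSSP_NEGOTIATE_NTLM2;" inside the "if (ntlmssp_state->use_ntlmv2)" block replaces the server's answer without recording that the bit was missing, so a server that omitted the flag looks identical to a compliant one in the logs. Consider testing "!(flags & NTLMSSP_NEGOTIATE_NTLM2)" first and emitting a debug message before setting the bit, which keeps the interop workaround but leaves a trace for anyone diagnosing session security problems. The comment also relies on 'use_ntlmv2' being set only in the client case; nothing in this hunk checks the role, so an explicit role check next to the use_ntlmv2 test would stop the override from applying elsewhere if that invariant ever changes.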