s3-libads Default to NOT using the server-supplied principal from SPNEGO

This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks.  (Becuase
it isn't the name being contacted that is verified with the KDC).

This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour.  As in Samba4, this
defaults to false.

Against 2008 servers, this will not change behaviour.  Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.

Andrew Bartlett

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 19c693b25274fc6ebf41607a38f3b2a0bf43ab5b..94196b41d1de5a8a07e6fab460aa7461e3c16c54 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3306,6 +3306,7 @@ bool lp_use_mmap(void);
 bool lp_unix_extensions(void);
 bool lp_use_spnego(void);
 bool lp_client_use_spnego(void);
+bool lp_client_use_spnego_principal(void);
 bool lp_hostname_lookups(void);
 bool lp_change_notify(const struct share_params *p );
 bool lp_kernel_change_notify(const struct share_params *p );

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 653d546ccdf90666851b3e4f209feae9e07ed0b6..2ba347486a6f6366d6e2cad50c9d7c2068486471 100644 (file)
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -664,10 +664,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
           the principal name back in the first round of
           the SASL bind reply.  So we guess based on server
           name and realm.  --jerry  */
-       /* Also try best guess when we get the w2k8 ignore
-          principal back - gd */
+       /* Also try best guess when we get the w2k8 ignore principal
+          back, or when we are configured to ignore it - gd,
+          abartlet */
 
-       if (!given_principal ||
+       if (!lp_client_use_spnego_principal() ||
+           !given_principal ||
            strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
                status = ads_guess_service_principal(ads, &p->string);

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1e11e158f71cdee6b7ebe62390fe2359783031e3..c66314891d0784c60a868d1fbaa76413664b7a2d 100644 (file)
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1279,10 +1279,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
                        }
                }
 
-               /* If we get a bad principal, try to guess it if
-                  we have a valid host NetBIOS name.
+               /* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
                 */
-               if (strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+               if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
                        TALLOC_FREE(principal);
                }
 

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0bc27dca0337b55be513ce04377ad64b967ee20c..05958b47d202c7d783bfa39a1b3791d8d8e77e7f 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -338,6 +338,7 @@ struct global {
        bool bClientNTLMv2Auth;
        bool bClientPlaintextAuth;
        bool bClientUseSpnego;
+       bool client_use_spnego_principal;
        bool bDebugPrefixTimestamp;
        bool bDebugHiresTimestamp;
        bool bDebugPid;
@@ -1398,6 +1399,15 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED,
        },
+       {
+               .label          = "client use spnego principal",
+               .type           = P_BOOL,
+               .p_class        = P_GLOBAL,
+               .ptr            = &Globals.client_use_spnego_principal,
+               .special        = NULL,
+               .enum_list      = NULL,
+               .flags          = FLAG_ADVANCED,
+       },
        {
                .label          = "username",
                .type           = P_STRING,
@@ -5711,6 +5721,7 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
 FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
 FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
 FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
 FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
 FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
 FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)