s3-libads Default to NOT using the server-supplied principal from SPNEGO

This principal is not supplied by later versions of windows, and using
it opens up some oportunities for man in the middle attacks.  (Becuase
it isn't the name being contacted that is verified with the KDC).

This adds the option 'client use spnego principal' to the smb.conf (as
used in Samba4) to control this behaivour.  As in Samba4, this
defaults to false.

Against 2008 servers, this will not change behaviour.  Against earlier
servers, it may cause a downgrade to NTLMSSP more often, in
environments where server names are not registered with the KDC as
servicePrincipalName values.

Andrew Bartlett
(cherry picked from commit bb7806283e71f3b8029aae0eed326b5847a36d83)
(cherry picked from commit e962852687f539678b7c38ed21f1b76c328821f2)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 6ff088293c5a9af6ba33370c3ab50191c283d61b..e15a020091f11141391b5c93641084092827d17b 100644 (file)
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4080,6 +4080,7 @@ bool lp_use_mmap(void);
 bool lp_unix_extensions(void);
 bool lp_use_spnego(void);
 bool lp_client_use_spnego(void);
+bool lp_client_use_spnego_principal(void);
 bool lp_hostname_lookups(void);
 bool lp_change_notify(const struct share_params *p );
 bool lp_kernel_change_notify(const struct share_params *p );

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 421faed15921c88ecd2d591c85fdbbfe23eb41a9..749e8a4db037602b60755cc5c1831f9eff9aa1a3 100644 (file)
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -649,10 +649,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
           the principal name back in the first round of
           the SASL bind reply.  So we guess based on server
           name and realm.  --jerry  */
-       /* Also try best guess when we get the w2k8 ignore
-          principal back - gd */
+       /* Also try best guess when we get the w2k8 ignore principal
+          back, or when we are configured to ignore it - gd,
+          abartlet */
 
-       if (!given_principal ||
+       if (!lp_client_use_spnego_principal() ||
+           !given_principal ||
            strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
 
                status = ads_guess_service_principal(ads, &p->string);

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 9d0b1e343c4f503ada26ae38f9b2c7ac1f0954d4..6827b7b81e1a126c56e4982e5b5f348328c4b869 100644 (file)
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1056,10 +1056,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
                        }
                }
 
-               /* If we get a bad principal, try to guess it if
-                  we have a valid host NetBIOS name.
+               /* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
                 */
-               if (strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+               if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
                        TALLOC_FREE(principal);
                }
 

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 76e2303cd44e6734913f47a3d31c723d970d2fba..1ad067b32c42a3544acbea36cab521fbc501938a 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -325,6 +325,7 @@ struct global {
        bool bClientNTLMv2Auth;
        bool bClientPlaintextAuth;
        bool bClientUseSpnego;
+       bool client_use_spnego_principal;
        bool bDebugPrefixTimestamp;
        bool bDebugHiresTimestamp;
        bool bDebugPid;
@@ -1394,6 +1395,15 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED,
        },
+       {
+               .label          = "client use spnego principal",
+               .type           = P_BOOL,
+               .p_class        = P_GLOBAL,
+               .ptr            = &Globals.client_use_spnego_principal,
+               .special        = NULL,
+               .enum_list      = NULL,
+               .flags          = FLAG_ADVANCED,
+       },
        {
                .label          = "username",
                .type           = P_STRING,
@@ -5537,6 +5547,7 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
 FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
 FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
 FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
 FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
 FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
 FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)