
[SPU] samba upload fixing auth problems with W2K8R2 domains controllers



Release 2 of Windows 2008 server broke interdomain trust between
Windows 2008 domains and samba domain controllers. This is samba bug
#6697 (https://bugzilla.samba.org/show_bug.cgi?id=6697).

This was reported in Debian as #575951 with severity important as this
is likely to affect all organizations switching some parts of their
infrastructure from W2K3 to W2K8.

The problem was fixed in the 3.4 series of samba, specifically 3.4.1, and
the Samba Team even backported it to their 3.3 branch, which is under
"maintenance" mode (something similar to our stable release).

The fix easily applies to samba 3.2.5 (which we have in lenny) and has
been confirmed working by the bug submitter.

The patch is listed below.

I uploaded samba 2:3.2.5-4lenny10 to s-p-u (assuming I didn't mess
up) with that fix included and would appreciate it if this is included in
the next point release.




Goal: Interdomain trusts with Windows 2008 R2 DCs.

Fixes: #575951

Status wrt upstream: Fixed in 3.3 and 3.4.1

Author: Günther Deschner <gd@samba.org>

Details:
 The Schannel verifier (aka NL_AUTH_SIGNATURE) structure (32 byte) sent from a
 W2k8r2 DC is passed in a buffer with the size of a NL_AUTH_SHA2_SIGNATURE (56
 byte). We should just ignore the remaining 12 zeroed bytes and proceed.

Index: lenny/source/include/rpc_dce.h
===================================================================
--- lenny.orig/source/include/rpc_dce.h
+++ lenny/source/include/rpc_dce.h
@@ -150,7 +150,7 @@
 };

 /* Maximum size of the signing data in a fragment. */
-#define RPC_MAX_SIGN_SIZE 0x20 /* 32 */
+#define RPC_MAX_SIGN_SIZE 0x38 /* 56 */

 /* Maximum PDU fragment size. */
 /* #define MAX_PDU_FRAG_LEN 0x1630             this is what wnt sets */
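
Review bot: The new value 0x38 on the RPC_MAX_SIGN_SIZE line is a bare magic number, and the comment above it ("Maximum size of the signing data in a fragment") no longer explains where the figure comes from. Please extend that comment to say that 56 is the size of the NL_AUTH_SHA2_SIGNATURE buffer a W2K8R2 DC uses to carry the 32-byte Schannel verifier, as the patch description does. Since this is a shared header constant, it is also worth confirming in review that every buffer or fragment-length calculation sized from RPC_MAX_SIGN_SIZE is still correct with the larger value; none of those users are visible in this hunk.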
Index: lenny/source/rpc_client/cli_pipe.c
===================================================================
--- lenny.orig/source/rpc_client/cli_pipe.c
+++ lenny/source/rpc_client/cli_pipe.c
@@ -349,7 +349,7 @@
                return NT_STATUS_OK;
        }

-       if (auth_len != RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
                DEBUG(0,("cli_pipe_verify_schannel: auth_len %u.\n", (unsigned int)auth_len ));
                return NT_STATUS_INVALID_PARAMETER;
        }
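
Review bot: Relaxing the test in cli_pipe_verify_schannel from "!=" to "<" leaves auth_len with no upper bound, so any length at or above RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN now passes this check. Consider also rejecting auth_len greater than RPC_MAX_SIGN_SIZE (raised to 0x38 in the same patch), so that only the 32-byte verifier and the 56-byte padded form are accepted. The description says the extra bytes are zeroed and are to be ignored; if they are ignored rather than checked, a short comment here saying so would help the next reader. The DEBUG line prints only the received auth_len, and including the expected minimum would make a rejection easier to diagnose.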

