cifs.upcall: use krb5_auth_con_set_req_cksumtype() and pass a GSSAPI checksum (bug...
authorStefan Metzmacher <metze@samba.org>
Tue, 28 Dec 2010 19:21:34 +0000 (14:21 -0500)
committerJeff Layton <jlayton@samba.org>
Tue, 28 Dec 2010 14:23:56 +0000 (09:23 -0500)
Some closed-source SMB servers don't support all checksum types,
so we should try to match Windows clients.

This is almost the same logic which is used by Samba.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
cifs.upcall.c
configure.ac

index d895ccdfb14abebc5c73fee8c99766800ae31efe..648a1380a0440e6cf71af22aa98e585ac7046c41 100644 (file)
@@ -261,6 +261,9 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
        krb5_creds in_creds, *out_creds;
        krb5_data apreq_pkt, in_data;
        krb5_auth_context auth_context = NULL;
+#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+       static const uint8_t gss_cksum[24] = { 0x10, 0x00, /* ... */};
+#endif
 
        ret = krb5_init_context(&context);
        if (ret) {
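Review bot: The initializer `{ 0x10, 0x00, /* ... */}` on the new `gss_cksum` line relies on C's implicit zero-fill for the remaining 22 bytes, but the `/* ... */` placeholder reads as if bytes had been elided. Since this buffer is later used as the authenticator checksum in the AP-REQ, I would state the layout at the declaration, e.g. `/* GSSAPI 0x8003 checksum: Lgth = 16 (little-endian), 16 zero Bnd bytes, 4 zero Flags bytes; bytes after the first two are implicitly zero */`. The hunk does not show whether `<stdint.h>` is already included for `uint8_t`, so that is worth confirming. The body of cifs_krb5_get_req continues outside this hunk.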
@@ -309,6 +312,43 @@ cifs_krb5_get_req(const char *principal, const char *ccname,
                goto out_free_creds;
        }
 
+#if defined(HAVE_KRB5_AUTH_CON_SETADDRS) && defined(HAVE_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE)
+       /* Ensure we will get an addressless ticket. */
+       ret = krb5_auth_con_setaddrs(context, auth_context, NULL, NULL);
+       if (ret) {
+               syslog(LOG_DEBUG, "%s: unable to set NULL addrs: %d",
+                      __func__, ret);
+               goto out_free_auth;
+       }
+
+       /*
+        * Create a GSSAPI checksum (0x8003), see RFC 4121.
+        *
+        * The current layout is
+        *
+        * 0x10, 0x00, 0x00, 0x00 - length = 16
+        * 0x00, 0x00, 0x00, 0x00 - channel binding info - 16 zero bytes
+        * 0x00, 0x00, 0x00, 0x00
+        * 0x00, 0x00, 0x00, 0x00
+        * 0x00, 0x00, 0x00, 0x00
+        * 0x00, 0x00, 0x00, 0x00 - flags
+        *
+        * GSS_C_NO_CHANNEL_BINDINGS means 16 zero bytes,
+        * this is needed to work against some closed source
+        * SMB servers.
+        *
+        * See https://bugzilla.samba.org/show_bug.cgi?id=7890
+        */
+       in_data.data = discard_const_p(char, gss_cksum);
+       in_data.length = 24;
+       ret = krb5_auth_con_set_req_cksumtype(context, auth_context, 0x8003);
+       if (ret) {
+               syslog(LOG_DEBUG, "%s: unable to set 0x8003 checksum",
+                      __func__);
+               goto out_free_auth;
+       }
+#endif
+
        apreq_pkt.length = 0;
        apreq_pkt.data = NULL;
        ret = krb5_mk_req_extended(context, &auth_context, AP_OPTS_USE_SUBKEY,
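Review bot: `in_data.length = 24;` repeats the array size by hand, so a later change to `gss_cksum` would let the length given to the Kerberos library disagree with the buffer; `in_data.length = sizeof(gss_cksum);` keeps the two tied together. The second error path also drops the error code that the first one logs, which makes failures harder to triage; I would write `syslog(LOG_DEBUG, "%s: unable to set 0x8003 checksum: %d", __func__, ret);`. The block comment explains why the channel-binding bytes are zero but not why the Flags field is zero, which presumably means no mutual-authentication, replay or integrity flags are advertised in the checksum; a one-line comment saying this is intentional would help the next reader. `discard_const_p` is not defined in the visible hunks, and the krb5_mk_req_extended call is cut off at the hunk's end.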
index 093b48d5bb52e88811ce7e8483d65a8d26ac3bf3..53b698db8b6dbf3c2ad2a9f8b5c087fa66ba0b59 100644 (file)
@@ -133,6 +133,7 @@ fi
 # non-critical functions (we have workarounds for these)
 if test $enable_cifsupcall != "no"; then
        AC_CHECK_FUNCS([krb5_principal_get_realm krb5_free_unparsed_name])
+       AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype])
 fi
 
 LIBS=$cu_saved_libs
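Review bot: When either function is missing, the build silently produces a cifs.upcall without the checksum workaround, because this check sits in the "non-critical" group with no action-if-not-found while the C code requires both HAVE_ macros. A configure-time warning would make the fallback visible to packagers, e.g. `AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype], [], [AC_MSG_WARN([GSSAPI 0x8003 checksum support disabled in cifs.upcall])])`.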