authorStefan Metzmacher <metze@samba.org>2007-09-19 14:33:32 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:30:52 -0500
commit42349190b7c9b69009549770fe6ec7cd2df5d8ee (patch)
tree4c2c02f026d0b84a1d5ed9ddfddae36b2261a8f9 /source3/libsmb/clispnego.c
parent0d1e7e97d3b40773e60df916cf2b43768eb5bca1 (diff)
r25227: Patch from "Steven Danneman" <steven.danneman@isilon.com>:
- We ran across a bug joining our Samba server to a Win2K domain with LDAP signing turned on. Upon investigation I discovered that there is a bug in Win2K server which returns a duplicated responseToken in the LDAP bindResponse packet. This blob is placed in the optional mechListMIC field which is unsupported in both Win2K and Win2K3. You can see RFC 2478 for the proper packet construction. I've worked with metze on this to confirm all these findings. This patch properly parses then discards the mechListMIC field if it exists in the packet, so we don't produce a malformed packet error that causes LDAP signed joins to fail. Also attached is a sniff of the domain join, exposing Win2K's bad behavior (packet 21). - (I've just changed the scope of the DATA_BLOB mechList) metze (This used to be commit 200b5bfb8180af09446762e915eac63d14c6c7b0)
Diffstat (limited to 'source3/libsmb/clispnego.c')
-rw-r--r--source3/libsmb/clispnego.c14
1 files changed, 14 insertions, 0 deletions
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index f93cbcf39b..9432ce81d3 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -557,6 +557,20 @@ BOOL spnego_parse_auth_response(DATA_BLOB blob, NTSTATUS nt_status,
data.has_error = 1;
}
+ /* Binding against Win2K DC returns a duplicate of the responseToken in
+ * the optional mechListMIC field. This is a bug in Win2K. We ignore
+ * this field if it exists. Win2K8 may return a proper mechListMIC at
+ * which point we need to implement the integrity checking. */
+ if (asn1_tag_remaining(&data)) {
+ DATA_BLOB mechList = data_blob_null;
+ asn1_start_tag(&data, ASN1_CONTEXT(3));
+ asn1_read_OctetString(&data, &mechList);
+ asn1_end_tag(&data);
+ data_blob_free(&mechList);
+ DEBUG(5,("spnego_parse_auth_response received mechListMIC, "
+ "ignoring.\n"));
+ }
+
asn1_end_tag(&data);
asn1_end_tag(&data);
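Review bot: In the added `if (asn1_tag_remaining(&data))` block the results of `asn1_start_tag(&data, ASN1_CONTEXT(3))`, `asn1_read_OctetString` and `asn1_end_tag` are not checked, so the "received mechListMIC, ignoring" message is logged even when the trailing bytes are not a well-formed [3] element. Assuming these helpers return a BOOL success flag, gating the log on them keeps a malformed trailer distinguishable from a real MIC: `if (asn1_start_tag(&data, ASN1_CONTEXT(3)) && asn1_read_OctetString(&data, &mechList) && asn1_end_tag(&data)) { DEBUG(5, (...)); }`, with `data_blob_free(&mechList)` left unconditional. Because the MIC is discarded unverified, the negotiated mechanism list has no integrity protection on this path; the comment says as much, and a `/* TODO: verify mechListMIC once supported */` marker would make that gap easier to find later. The condition would also read more safely as `asn1_tag_remaining(&data) > 0` if that helper can return a negative value on error, which is not visible here. spnego_parse_auth_response starts and ends outside the hunk, so whether `data.has_error` is checked after the two closing `asn1_end_tag` calls cannot be confirmed from this page.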