Closed Bug 1270046 Opened 9 years ago Closed 9 years ago

NTLM single-sign-on fails with Samba 4.3.8

Categories

(Core :: Networking, defect)

46 Branch
All
Linux
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla49
Tracking Status
firefox49 --- fixed

People

(Reporter: dwmw2, Unassigned)

Details

(Whiteboard: [necko-backlog])

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160428130053

Steps to reproduce:
Update to 4.3.8

Actual results:
NTLM single-sign-on with /usr/bin/ntlm_auth stopped working, as the new Samba gives the final response prefixed with 'AF' rather than 'KK'. Which was always possible, and applications were supposed to accept it.

Expected results:
--- firefox-46.0.1/extensions/auth/nsAuthSambaNTLM.cpp.rhbz-1173156 2016-05-03 06:31:11.000000000 +0100 +++ firefox-46.0.1/extensions/auth/nsAuthSambaNTLM.cpp 2016-05-04 10:18:53.157429123 +0100 @@ -256,7 +256,8 @@ nsAuthSambaNTLM::GetNextToken(const void nsCString line; if (!ReadLine(mFromChildFD, line)) return NS_ERROR_FAILURE; - if (!StringBeginsWith(line, NS_LITERAL_CSTRING("KK "))) { + if (!StringBeginsWith(line, NS_LITERAL_CSTRING("KK ")) && + !StringBeginsWith(line, NS_LITERAL_CSTRING("AF "))) { // Something went wrong. Perhaps no credentials are accessible. return NS_ERROR_FAILURE; }
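Review bot: the comment in the failure branch ("Something went wrong. Perhaps no credentials are accessible.") is the only documentation next to the widened condition, and it does not say why `AF ` is accepted alongside `KK `. Add a comment above the `StringBeginsWith` pair stating that ntlm_auth may return the final response with either prefix, so that neither test is later removed as redundant. The file headers also show the diff was taken against a `.rhbz-1173156` backup copy with three lines of context, so it should be regenerated against the tree before landing.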
The patch snippet above ought to make it work again; I'm building right now and will attach it properly for review assuming it does — for now, just consider it a concise way of describing the problem. However, there's a deeper problem here. When this NS_ERROR_FAILURE happens (rightly or otherwise), we seem to just stop. The user *should* be asked for credentials to try authenticating manually, surely? But that doesn't happen. I end up with just a blank page.
OS: Unspecified → Linux
Hardware: Unspecified → All
Component: Untriaged → Networking
Product: Firefox → Core
Whiteboard: [necko-backlog]
If you care about the background, and why the badly-documented ntlm_auth protocol changed from sending 'KK' to 'AF', see https://bugzilla.samba.org/show_bug.cgi?id=10223

Basically, you're *supposed* to get an 'AF' response when authentication should be completed. And that's what allows clients which care to also extract the session key for the negotiated NTLM authentication session, etc. — sending 'KK', which indicates that we aren't done yet, was a bug.
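The check discussed in this bug, as an added stand-alone example (not Firefox's code and not from the thread): a parser for the helper's final line that accepts either prefix, decodes the payload and fails closed on anything else. The function names, and the assumption that the text after the prefix is a base64 token, belong to this example.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Map one base64 character to its 6-bit value, or -1 if it is not in the alphabet.
static int B64Value(char c) {
  if (c >= 'A' && c <= 'Z') return c - 'A';
  if (c >= 'a' && c <= 'z') return c - 'a' + 26;
  if (c >= '0' && c <= '9') return c - '0' + 52;
  return c == '+' ? 62 : c == '/' ? 63 : -1;
}

// Strict base64 decode: rejects empty input, bad length, stray characters and
// padding anywhere except the last one or two positions.
static bool DecodeBase64(const std::string& in, std::vector<uint8_t>& out) {
  if (in.empty() || in.size() % 4 != 0) return false;
  out.clear();
  for (size_t i = 0; i < in.size(); i += 4) {
    uint32_t chunk = 0;
    int pad = 0;
    for (size_t j = 0; j < 4; ++j) {
      const char c = in[i + j];
      int v = B64Value(c);
      if (c == '=' && i + 4 == in.size() && j >= 2) { ++pad; v = 0; }
      else if (v < 0 || pad > 0) return false;
      chunk = (chunk << 6) | static_cast<uint32_t>(v);
    }
    out.push_back(static_cast<uint8_t>(chunk >> 16));
    if (pad < 2) out.push_back(static_cast<uint8_t>((chunk >> 8) & 0xff));
    if (pad < 1) out.push_back(static_cast<uint8_t>(chunk & 0xff));
  }
  return true;
}

// Parse the helper's final line. "KK " (older Samba) and "AF " (Samba 4.3.8,
// per this bug) both carry the token; any other reply fails closed.
// Assumption: the text after the 3-byte prefix is the base64 NTLM message.
// `token` is only meaningful when the function returns true.
bool ParseFinalResponse(std::string line, std::vector<uint8_t>& token) {
  while (!line.empty() && (line.back() == '\n' || line.back() == '\r'))
    line.pop_back();
  if (line.size() <= 3) return false;
  const std::string code = line.substr(0, 3);
  if (code != "KK " && code != "AF ") return false;
  return DecodeBase64(line.substr(3), token);
}
```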
Attachment #8748562 - Flags: review?(stransky)
Comment on attachment 8748562
Accept 'AF' as well as 'KK' for ntlm_auth final response.

AFAIK Honza may be a better reviewer than me.
Attachment #8748562 - Flags: review?(stransky) → review?(honzab.moz)
Comment on attachment 8748562
Accept 'AF' as well as 'KK' for ntlm_auth final response.

Review of attachment 8748562:

Please submit the patch in a release quality (8 lines context, function name, make it appliable).

Looks good to me, Andrew, please double check this is correct. Thanks.
Attachment #8748562 - Flags: review?(honzab.moz)
Attachment #8748562 - Flags: review?(abartlet)
Attachment #8748562 - Flags: review+
Attachment #8748562 - Flags: review?(abartlet) → review+
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49