r1762: Ensure that a user (as opposed to guest) cannot login without SPNEGO,

when we have negotiated SPNEGO.

Andrew Bartlett
(This used to be commit 07e3d2c4cd77d06c9ffaefd481ba58e4debe028c)

1 files changed, 6 insertions, 4 deletions

diff --git a/source4/smb_server/sesssetup.c b/source4/smb_server/sesssetup.c
index 14cb1be067..e1245748a0 100644
--- a/source4/smb_server/sesssetup.c
+++ b/source4/smb_server/sesssetup.c
@@ -106,16 +106,18 @@ static NTSTATUS sesssetup_nt1(struct smbsrv_request *req, union smb_sesssetup *s
 	if (req->smb_conn->negotiate.spnego_negotiated) {
 		struct auth_context *auth_context;
 
+		if (sess->nt1.in.user && *sess->nt1.in.user) {
+			return NT_STATUS_ACCESS_DENIED;
+		} else {
+			make_user_info_guest(&user_info);
+		}
+		
 		status = make_auth_context_subsystem(&auth_context);
 
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
 		}
 		
-		if (!sess->nt1.in.user || !*sess->nt1.in.user) {
-			make_user_info_guest(&user_info);
-		}
-		
 		status = auth_context->check_ntlm_password(auth_context, 
 							   user_info, 
 							   &server_info);