author | Andrew Bartlett <abartlet@samba.org> | 2001-10-30 13:54:54 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2001-10-30 13:54:54 +0000 |
commit | 1f829e19eb3b81ad1c4451fe9a90617e6cee7dd7 (patch) | |
tree | 9de623172cc17ca9a5891f53c1e287f0a32fa008 | |
parent | a947591674d6baf747809464b34b03ea165d2b13 (diff) | |
Spnego on the 'server' end of security=server just does not work, so set the
flags so we just do a 'normal' session setup.
Also add some paranoia code to detect when somebody attempts to do a 'normal'
session setup when spnego had been negotiated.
Andrew Bartlett
(This used to be commit 190898586fa218c952fbd5bea56155d04e6f248b)
-rw-r--r-- | source3/auth/auth_server.c | 3 | ||||
-rw-r--r-- | source3/smbd/auth_server.c | 3 | ||||
-rw-r--r-- | source3/smbd/negprot.c | 5 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 8 |
4 files changed, 17 insertions, 2 deletions
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c index 2574a52ef3..520417e3e0 100644 --- a/source3/auth/auth_server.c +++ b/source3/auth/auth_server.c @@ -51,6 +51,9 @@ struct cli_state *server_cryptkey(void) if (!cli_initialise(cli)) return NULL; + /* security = server just can't function with spnego */ + cli->use_spnego = False; + pserver = strdup(lp_passwordserver()); p = pserver; diff --git a/source3/smbd/auth_server.c b/source3/smbd/auth_server.c index 2574a52ef3..520417e3e0 100644 --- a/source3/smbd/auth_server.c +++ b/source3/smbd/auth_server.c @@ -51,6 +51,9 @@ struct cli_state *server_cryptkey(void) if (!cli_initialise(cli)) return NULL; + /* security = server just can't function with spnego */ + cli->use_spnego = False; + pserver = strdup(lp_passwordserver()); p = pserver; diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 16d315f1d8..e4285cb27c 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -25,7 +25,8 @@ extern int Protocol; extern int max_recv; extern fstring global_myworkgroup; extern fstring remote_machine; -BOOL global_encrypted_passwords_negotiated; +BOOL global_encrypted_passwords_negotiated = False; +BOOL global_spnego_negotiated = False; /**************************************************************************** reply for the core protocol @@ -170,6 +171,8 @@ static int negprot_spnego(char *p, uint8 cryptkey[8]) char *principal; int len; + global_spnego_negotiated = True; + memset(guid, 0, 16); safe_strcpy((char *)guid, global_myname, 16); strlower((char *)guid); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 5412cc3bad..2d9f624b80 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c 
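Review bot: The comment added in server_cryptkey() says only that security=server "can't function" with SPNEGO, and does not record that `cli->use_spnego = False` is a deliberate, unconditional downgrade of the connection to the password server to the plain session setup path. I would state both the reason and the consequence, for example `/* security = server cannot do its session setup to the password server through SPNEGO (see commit message); force the non-extended-security path here, for every password server */`. The identical hunk in source3/smbd/auth_server.c (same blob ids) should carry the same comment. The body of server_cryptkey() continues outside the hunk.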
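Review bot: `global_spnego_negotiated` in negprot.c is security state shared between two files, but its definition carries no comment saying who sets it and who depends on it. Something like `/* True once negprot_spnego() has produced an extended-security reply; reply_sesssetup_and_X() then refuses a non-SPNEGO session setup */` above the definition would make the contract explicit. In negprot_spnego() the flag is set as the first statement and nothing visible clears it, so it latches for the life of the process. Whether a second negprot can be processed on the same connection is not visible here and is worth confirming. The body of negprot_spnego() continues outside the hunk.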
@@ -480,6 +480,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, BOOL guest=False; static BOOL done_sesssetup = False; extern BOOL global_encrypted_passwords_negotiated; + extern BOOL global_spnego_negotiated; extern uint32 global_client_caps; extern int Protocol; extern fstring remote_machine; @@ -492,11 +493,16 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* a SPNEGO session setup has 12 command words, whereas a normal NT1 session setup has 13. See the cifs spec. */ - if (CVAL(inbuf, smb_wct) == 12 && + if (CVAL(inbuf, smb_wct) == 12 && (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) { return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize); } + if (global_spnego_negotiated) { + DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n")); + return ERROR_NT(NT_STATUS_UNSUCCESSFUL); + } + *smb_apasswd = *smb_ntpasswd = 0; smb_bufsize = SVAL(inbuf,smb_vwv2); |
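Review bot: The new downgrade check in reply_sesssetup_and_X() covers only one direction: a request with 12 command words and FLAGS2_EXTENDED_SECURITY set is still handed to reply_sesssetup_and_X_spnego() when `global_spnego_negotiated` is False, that is, when the server never offered SPNEGO. Both fields come from the client's packet, so the SPNEGO branch should open with the mirror test, `if (!global_spnego_negotiated) return ERROR_NT(NT_STATUS_UNSUCCESSFUL);`, before the call. The added DEBUG(0, ...) message also names no peer; including `remote_machine` (declared a few lines above, assuming it is populated by this point) would make the rejection usable as a detection signal. The function starts and ends outside the hunk.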