authorJeremy Allison <jra@samba.org>2006-04-18 18:00:57 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:16:25 -0500
commit0498f3b8890ec62eeb9275a6bf685a6c3d81fce5 (patch)
tree14e1ce1044945fadea94368365521636adae32f2 /source3/rpc_server
parent4549efe6967cf8abeac3e275b37754e59d87af5c (diff)
r15129: Separate out mechanism and policy for NTLMSSP auth/sign/seal.
With this change (and setting lanman auth = no in smb.conf) we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth. Jeremy (This used to be commit 93ca3eee55297eb7fdd38fca38103ce129987e2a)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_pipe.c23
1 files changed, 22 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 9b6fcb2f15..72298520e3 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -606,7 +606,7 @@ static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
NTSTATUS status;
AUTH_NTLMSSP_STATE *a = p->auth.a_u.auth_ntlmssp_state;
- DEBUG(5,("pipe_ntlmssp_verify_final: checking user details\n"));
+ DEBUG(5,("pipe_ntlmssp_verify_final: pipe %s checking user details\n", p->name));
ZERO_STRUCT(reply);
@@ -629,6 +629,27 @@ static BOOL pipe_ntlmssp_verify_final(pipes_struct *p, DATA_BLOB *p_resp_blob)
return False;
}
+ /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
+ ensure the underlying NTLMSSP flags are also set. If not we should
+ refuse the bind. */
+
+ if (p->auth.auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+ if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+ DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet integrity requested "
+ "but client declined signing.\n",
+ p->name ));
+ return False;
+ }
+ }
+ if (p->auth.auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
+ if (!(a->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+ DEBUG(0,("pipe_ntlmssp_verify_final: pipe %s : packet privacy requested "
+ "but client declined sealing.\n",
+ p->name ));
+ return False;
+ }
+ }
+
fstrcpy(p->user_name, a->ntlmssp_state->user);
fstrcpy(p->pipe_user_name, a->server_info->unix_name);
fstrcpy(p->domain, a->ntlmssp_state->domain);
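Review bot: The two new checks match `p->auth.auth_level` by equality only, so any value other than PIPE_AUTH_LEVEL_INTEGRITY or PIPE_AUTH_LEVEL_PRIVACY reaches the `fstrcpy` lines with no NTLMSSP flag check. Whether the level was already restricted earlier is not visible here, since pipe_ntlmssp_verify_final starts and ends outside the hunk. The block comment should name the levels that are allowed through unchecked and why, or the two `if`s could become a `switch` with an explicit `default:`. The privacy branch tests only `NTLMSSP_NEGOTIATE_SEAL`; if the sealing path for this pipe also depends on `NTLMSSP_NEGOTIATE_SIGN` having been negotiated, that flag should be tested in the same condition, which is worth confirming against the sign/seal code. For detection, both refusal messages would be easier to act on if they also logged the authenticated account, e.g. adding `a->ntlmssp_state->user` next to `p->name`.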