diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2011-07-26 15:11:47 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2011-08-03 18:48:04 +1000 |
| commit | d3524f2eaeef06059fcdc7af5b742cd46064fd20 (patch) | |
| tree | 6dca681b7d39f74d78e2ce51bf67e2c77aaff365 /source3/smbd/negprot.c | |
| parent | 9f663270fd7d40dbaf258fe6818685d42249a827 (diff) | |
| download | samba-d3524f2eaeef06059fcdc7af5b742cd46064fd20.tar.gz samba-d3524f2eaeef06059fcdc7af5b742cd46064fd20.tar.bz2 samba-d3524f2eaeef06059fcdc7af5b742cd46064fd20.zip | |
s3-auth use auth_generic_start to get full GENSEC in Samba3 session setup
This tests if the auth_generic_start() hook is available on the auth
context during the negprot, and if so it uses auth_generic_start() to
hook to GENSEC to handle the full SPNEGO blob.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/smbd/negprot.c')
| -rw-r--r-- | source3/smbd/negprot.c | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index f1d2fc2545..a58744281c 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -24,8 +24,10 @@ #include "../libcli/auth/spnego.h" #include "serverid.h" #include "auth.h" +#include "ntlmssp_wrap.h" #include "messages.h" #include "smbprofile.h" +#include "auth/gensec/gensec.h" extern fstring remote_proto; @@ -187,6 +189,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) DATA_BLOB blob_out = data_blob_null; nstring dos_name; fstring unix_name; + NTSTATUS status; #ifdef DEVELOPER size_t slen; #endif @@ -195,8 +198,29 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) OID_NTLMSSP, NULL}; const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL}; + struct auth_ntlmssp_state *auth_ntlmssp_state; + + sconn->use_gensec_hook = false; + + /* See if we can get an SPNEGO blob out of the gensec hook (if auth_samba4 is loaded) */ + status = auth_ntlmssp_prepare(sconn->remote_address, + &auth_ntlmssp_state); + if (NT_STATUS_IS_OK(status)) { + status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_SPNEGO); + if (NT_STATUS_IS_OK(status)) { + status = auth_ntlmssp_update(auth_ntlmssp_state, ctx, + data_blob_null, &blob); + /* If we get the list of OIDs, the 'OK' answer + * is NT_STATUS_MORE_PROCESSING_REQUIRED */ + if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + sconn->use_gensec_hook = true; + } + } + TALLOC_FREE(auth_ntlmssp_state); + } sconn->smb1.negprot.spnego = true; + /* strangely enough, NT does not sent the single OID NTLMSSP when not a ADS member, it sends no OIDs at all @@ -210,7 +234,9 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn) */ - if (lp_security() != SEC_ADS && !USE_KERBEROS_KEYTAB) { + if (sconn->use_gensec_hook) { + /* blob initialised above */ + } else if (lp_security() != SEC_ADS && !USE_KERBEROS_KEYTAB) { #if 0 /* Code for PocketPC client */ blob = data_blob(guid, 16); |