diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2011-07-26 15:11:47 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2011-08-03 18:48:04 +1000 |
| commit | d3524f2eaeef06059fcdc7af5b742cd46064fd20 (patch) | |
| tree | 6dca681b7d39f74d78e2ce51bf67e2c77aaff365 /source3/smbd/sesssetup.c | |
| parent | 9f663270fd7d40dbaf258fe6818685d42249a827 (diff) | |
| download | samba-d3524f2eaeef06059fcdc7af5b742cd46064fd20.tar.gz samba-d3524f2eaeef06059fcdc7af5b742cd46064fd20.tar.bz2 samba-d3524f2eaeef06059fcdc7af5b742cd46064fd20.zip | |
s3-auth use auth_generic_start to get full GENSEC in Samba3 session setup
This tests if the auth_generic_start() hook is available on the auth
context during the negprot, and if so it uses auth_generic_start() to
hook to GENSEC to handle the full SPNEGO blob.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/smbd/sesssetup.c')
| -rw-r--r-- | source3/smbd/sesssetup.c | 54 |
1 files changed, 32 insertions, 22 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 2f3bbd6171..020c62cad8 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -36,6 +36,7 @@ #include "messages.h" #include "smbprofile.h" #include "../libcli/security/security.h" +#include "auth/gensec/gensec.h" /* For split krb5 SPNEGO blobs. */ struct pending_auth_data { @@ -1134,27 +1135,12 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) return; } - if (blob1.data[0] == ASN1_APPLICATION(0)) { - - /* its a negTokenTarg packet */ - - reply_spnego_negotiate(req, vuid, blob1, - &vuser->auth_ntlmssp_state); - data_blob_free(&blob1); - return; - } - - if (blob1.data[0] == ASN1_CONTEXT(1)) { - - /* its a auth packet */ - - reply_spnego_auth(req, vuid, blob1, - &vuser->auth_ntlmssp_state); - data_blob_free(&blob1); - return; - } - - if (blob1.length > 7 && strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0) { + /* Handle either raw NTLMSSP or hand off the whole blob to + * GENSEC. The processing at this layer is essentially + * identical regardless. In particular, both rely only on the + * status code (not the contents of the packet) and do not + * wrap the result */ + if (sconn->use_gensec_hook || (blob1.length > 7 && strncmp((char *)(blob1.data), "NTLMSSP", 7) == 0)) { DATA_BLOB chal; if (!vuser->auth_ntlmssp_state) { @@ -1170,7 +1156,11 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) auth_ntlmssp_want_feature(vuser->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY); - status = auth_ntlmssp_start(vuser->auth_ntlmssp_state); + if (sconn->use_gensec_hook) { + status = auth_generic_start(vuser->auth_ntlmssp_state, GENSEC_OID_SPNEGO); + } else { + status = auth_ntlmssp_start(vuser->auth_ntlmssp_state); + } if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ invalidate_vuid(sconn, vuid); @@ -1193,6 +1183,26 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) return; } + if (blob1.data[0] == ASN1_APPLICATION(0)) { + + /* its a negTokenTarg packet */ + + reply_spnego_negotiate(req, vuid, blob1, + &vuser->auth_ntlmssp_state); + data_blob_free(&blob1); + return; + } + + if (blob1.data[0] == ASN1_CONTEXT(1)) { + + /* its a auth packet */ + + reply_spnego_auth(req, vuid, blob1, + &vuser->auth_ntlmssp_state); + data_blob_free(&blob1); + return; + } + /* what sort of packet is this? */ DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n")); |