author | Andrew Bartlett <abartlet@samba.org> | 2011-07-26 15:11:47 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-08-03 18:48:04 +1000 |
commit | d3524f2eaeef06059fcdc7af5b742cd46064fd20 (patch) | |
tree | 6dca681b7d39f74d78e2ce51bf67e2c77aaff365 /source3/smbd/smb2_sesssetup.c | |
parent | 9f663270fd7d40dbaf258fe6818685d42249a827 (diff) | |
s3-auth use auth_generic_start to get full GENSEC in Samba3 session setup
This tests if the auth_generic_start() hook is available on the auth
context during the negprot, and if so it uses auth_generic_start() to
hook to GENSEC to handle the full SPNEGO blob.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/smbd/smb2_sesssetup.c')
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index a3283117b4..d1022cd2cf 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -25,6 +25,7 @@
 #include "../libcli/smb/smb_common.h"
 #include "../libcli/auth/spnego.h"
 #include "../libcli/auth/ntlmssp.h"
+#include "../auth/gensec/gensec.h"
 #include "ntlmssp_wrap.h"
 #include "../librpc/gen_ndr/krb5pac.h"
 #include "libads/kerberos_proto.h"
@@ -649,7 +650,11 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
- status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (session->sconn->use_gensec_hook) {
+ status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ } else {
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ }
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(session);
 return status;
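Review bot: When `session->sconn->use_gensec_hook` is set, the new branch in `smbd_smb2_raw_ntlmssp_auth` always starts the mechanism as `GENSEC_OID_SPNEGO`, while the dispatcher changed in the `smbd_smb2_session_setup` hunk sends every security blob here under that flag, including one that begins with a bare "NTLMSSP" signature. Nothing visible in this hunk says that the GENSEC SPNEGO server accepts a raw NTLMSSP token, so the assumption should be written down next to the call, for example `/* GENSEC SPNEGO is relied on to handle a raw NTLMSSP first token itself */`, or the OID should be chosen from the blob. The function name and the `auth_ntlmssp_state` field now cover more than NTLMSSP, which deserves a sentence in the function's header comment. The function body starts and ends outside the hunk.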
@@ -742,24 +747,30 @@ static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 return NT_STATUS_REQUEST_NOT_ACCEPTED;
 }
- if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
- return smbd_smb2_spnego_negotiate(session,
+ /* Handle either raw NTLMSSP or hand off the whole blob to
+ * GENSEC. The processing at this layer is essentially
+ * identical regardless. In particular, both rely only on the
+ * status code (not the contents of the packet) and do not
+ * wrap the result */
+ if (session->sconn->use_gensec_hook
+ || (in_security_buffer.length > 7 && strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0)) {
+ return smbd_smb2_raw_ntlmssp_auth(session,
 smb2req,
 in_security_mode,
 in_security_buffer,
 out_session_flags,
 out_security_buffer,
 out_session_id);
- } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
- return smbd_smb2_spnego_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
+ return smbd_smb2_spnego_negotiate(session,
 smb2req,
 in_security_mode,
 in_security_buffer,
 out_session_flags,
 out_security_buffer,
 out_session_id);
- } else if (in_security_buffer.length > 7 && strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
- return smbd_smb2_raw_ntlmssp_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
+ return smbd_smb2_spnego_auth(session,
 smb2req,
 in_security_mode,
 in_security_buffer, |
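Review bot: In the reordered chain, only the raw-NTLMSSP test checks the buffer length, so a short client-supplied blob falls through to the `else if` branches, which read `in_security_buffer.data[0]` with no length check of their own. Unless a check outside this hunk already rejects an empty security buffer, those branches should start with `in_security_buffer.length > 0 &&`. Because the blob is binary data from the client, `memcmp(in_security_buffer.data, "NTLMSSP", 7) == 0` states the signature comparison without the `(char *)` cast and without string semantics. With `use_gensec_hook` set the blob is not inspected at this layer at all, so rejecting malformed tokens depends entirely on the status GENSEC returns; the new comment says as much and could name that dependency explicitly. The chain continues past the end of the hunk.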