diff options
author | Jeremy Allison <jra@samba.org> | 2010-06-03 11:18:11 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-06-03 11:18:11 -0700 |
commit | e47d77832b70b539ce3e898da458227dd0b853b6 (patch) | |
tree | 93a61de908a38e9215f9d3e3e6cc2de31f827150 /source3/smbd | |
parent | e65164ff482100c2590d724373aff11daffc7b50 (diff) | |
download | samba-e47d77832b70b539ce3e898da458227dd0b853b6.tar.gz samba-e47d77832b70b539ce3e898da458227dd0b853b6.tar.bz2 samba-e47d77832b70b539ce3e898da458227dd0b853b6.zip |
Found by Guenther - fix up our fallback paths from krb5 to NTLMSSP when using SMB2.
Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 37 |
1 files changed, 29 insertions, 8 deletions
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 88454c1222..757618ea2d 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -553,15 +553,25 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session, } #endif - /* Fall back to NTLMSSP. */ - status = auth_ntlmssp_start(&session->auth_ntlmssp_state); - if (!NT_STATUS_IS_OK(status)) { - goto out; - } + if (kerb_mech) { + /* The mechtoken is a krb5 ticket, but + * we need to fall back to NTLM. */ - status = auth_ntlmssp_update(session->auth_ntlmssp_state, - secblob_in, - &chal_out); + DEBUG(3,("smb2: Got krb5 ticket in SPNEGO " + "but set to downgrade to NTLMSSP\n")); + + status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else { + /* Fall back to NTLMSSP. */ + status = auth_ntlmssp_start(&session->auth_ntlmssp_state); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + status = auth_ntlmssp_update(session->auth_ntlmssp_state, + secblob_in, + &chal_out); + } if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, @@ -744,6 +754,17 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session, SAFE_FREE(kerb_mech); return NT_STATUS_LOGON_FAILURE; } + + data_blob_free(&secblob_in); + } + + if (session->auth_ntlmssp_state == NULL) { + status = auth_ntlmssp_start(&session->auth_ntlmssp_state); + if (!NT_STATUS_IS_OK(status)) { + data_blob_free(&auth); + TALLOC_FREE(session); + return status; + } } status = auth_ntlmssp_update(session->auth_ntlmssp_state, |