summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2010-06-03 11:18:11 -0700
committerJeremy Allison <jra@samba.org>2010-06-03 11:18:11 -0700
commite47d77832b70b539ce3e898da458227dd0b853b6 (patch)
tree93a61de908a38e9215f9d3e3e6cc2de31f827150 /source3/smbd
parente65164ff482100c2590d724373aff11daffc7b50 (diff)
downloadsamba-e47d77832b70b539ce3e898da458227dd0b853b6.tar.gz
samba-e47d77832b70b539ce3e898da458227dd0b853b6.tar.bz2
samba-e47d77832b70b539ce3e898da458227dd0b853b6.zip
Found by Guenther - fix up our fallback paths from krb5 to NTLMSSP when using SMB2.
Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/smb2_sesssetup.c37
1 files changed, 29 insertions, 8 deletions
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 88454c1222..757618ea2d 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -553,15 +553,25 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
}
#endif
- /* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
+ if (kerb_mech) {
+ /* The mechtoken is a krb5 ticket, but
+ * we need to fall back to NTLM. */
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- secblob_in,
- &chal_out);
+ DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
+ "but set to downgrade to NTLMSSP\n"));
+
+ status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ } else {
+ /* Fall back to NTLMSSP. */
+ status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+ secblob_in,
+ &chal_out);
+ }
if (!NT_STATUS_IS_OK(status) &&
!NT_STATUS_EQUAL(status,
@@ -744,6 +754,17 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
SAFE_FREE(kerb_mech);
return NT_STATUS_LOGON_FAILURE;
}
+
+ data_blob_free(&secblob_in);
+ }
+
+ if (session->auth_ntlmssp_state == NULL) {
+ status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth);
+ TALLOC_FREE(session);
+ return status;
+ }
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,