author | Jeremy Allison <jra@samba.org> | 2010-05-21 12:08:18 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2010-05-21 12:08:18 -0700 |
commit | efb29227fa46e2c9420b3158ef7422aea4f5846e (patch) | |
tree | dd01186f00c2390a771e0298f74eb5b9477cedbc /source3/smbd | |
parent | f576cc5410a9074a769ca1fbf786a142449e6058 (diff) | |
Make krb5 over SMB2 identical to the way we handle it in SMB1.
Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 52 |
1 files changed, 50 insertions, 2 deletions
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index ed5818951d..92e77a5ff2 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -516,7 +516,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 struct smbd_smb2_request *smb2req,
- uint8_t in_security_flags,
+ uint8_t in_security_mode,
 DATA_BLOB in_security_buffer,
 uint16_t *out_session_flags,
 DATA_BLOB *out_security_buffer,
@@ -542,7 +542,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 USE_KERBEROS_KEYTAB) ) {
 status = smbd_smb2_session_setup_krb5(session,
 smb2req,
- in_security_flags,
+ in_security_mode,
 &secblob_in,
 kerb_mech,
 out_session_flags,
@@ -706,6 +706,54 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 return NT_STATUS_LOGON_FAILURE;
 }
+ if (auth.data[0] == ASN1_APPLICATION(0)) {
+ /* Might be a second negTokenTarg packet */
+ DATA_BLOB secblob_in = data_blob_null;
+ char *kerb_mech = NULL;
+
+ status = parse_spnego_mechanisms(in_security_buffer,
+ &secblob_in, &kerb_mech);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ return status;
+ }
+
+#ifdef HAVE_KRB5
+ if (kerb_mech && ((lp_security()==SEC_ADS) ||
+ USE_KERBEROS_KEYTAB) ) {
+ status = smbd_smb2_session_setup_krb5(session,
+ smb2req,
+ in_security_mode,
+ &secblob_in,
+ kerb_mech,
+ out_session_flags,
+ out_security_buffer,
+ out_session_id);
+
+ data_blob_free(&secblob_in);
+ SAFE_FREE(kerb_mech);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ }
+ return status;
+ }
+#endif
+
+ /* Can't blunder into NTLMSSP auth if we have
+ * a krb5 ticket. */
+
+ if (kerb_mech) {
+ DEBUG(3,("smb2: network "
+ "misconfiguration, client sent us a "
+ "krb5 ticket and kerberos security "
+ "not enabled\n"));
+ TALLOC_FREE(session);
+ data_blob_free(&secblob_in);
+ SAFE_FREE(kerb_mech);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
 status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 auth,
 &auth_out); |
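Review bot: The new `if (auth.data[0] == ASN1_APPLICATION(0))` block appears to leak `secblob_in` whenever `parse_spnego_mechanisms()` succeeds and `kerb_mech` is NULL: both krb5 branches call `data_blob_free(&secblob_in)`, but the fall-through to `auth_ntlmssp_update()` leaves the block without freeing it, so each such pre-authentication session setup would lose the blob. Adding `data_blob_free(&secblob_in);` just before the block's closing brace covers that path. The block also reads `auth.data[0]` with no length check visible in the hunk; unless the code above (outside this hunk) already rejects an empty blob, guard it with `if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {`. The new early returns also do not release `auth`, which looks like it is allocated before the hunk starts, so it is worth confirming against the rest of smbd_smb2_spnego_auth whether a `data_blob_free(&auth);` is needed on those paths.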