authorJeremy Allison <jra@samba.org>2010-05-21 12:08:18 -0700
committerJeremy Allison <jra@samba.org>2010-05-21 12:08:18 -0700
commitefb29227fa46e2c9420b3158ef7422aea4f5846e (patch)
treedd01186f00c2390a771e0298f74eb5b9477cedbc /source3/smbd
parentf576cc5410a9074a769ca1fbf786a142449e6058 (diff)
Make krb5 over SMB2 identical to the way we handle it in SMB1.
Jeremy.
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/smb2_sesssetup.c52
1 files changed, 50 insertions, 2 deletions
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index ed5818951d..92e77a5ff2 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -516,7 +516,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
- uint8_t in_security_flags,
+ uint8_t in_security_mode,
DATA_BLOB in_security_buffer,
uint16_t *out_session_flags,
DATA_BLOB *out_security_buffer,
@@ -542,7 +542,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
USE_KERBEROS_KEYTAB) ) {
status = smbd_smb2_session_setup_krb5(session,
smb2req,
- in_security_flags,
+ in_security_mode,
&secblob_in,
kerb_mech,
out_session_flags,
@@ -706,6 +706,54 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
return NT_STATUS_LOGON_FAILURE;
}
+ if (auth.data[0] == ASN1_APPLICATION(0)) {
+ /* Might be a second negTokenTarg packet */
+ DATA_BLOB secblob_in = data_blob_null;
+ char *kerb_mech = NULL;
+
+ status = parse_spnego_mechanisms(in_security_buffer,
+ &secblob_in, &kerb_mech);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ return status;
+ }
+
+#ifdef HAVE_KRB5
+ if (kerb_mech && ((lp_security()==SEC_ADS) ||
+ USE_KERBEROS_KEYTAB) ) {
+ status = smbd_smb2_session_setup_krb5(session,
+ smb2req,
+ in_security_mode,
+ &secblob_in,
+ kerb_mech,
+ out_session_flags,
+ out_security_buffer,
+ out_session_id);
+
+ data_blob_free(&secblob_in);
+ SAFE_FREE(kerb_mech);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ }
+ return status;
+ }
+#endif
+
+ /* Can't blunder into NTLMSSP auth if we have
+ * a krb5 ticket. */
+
+ if (kerb_mech) {
+ DEBUG(3,("smb2: network "
+ "misconfiguration, client sent us a "
+ "krb5 ticket and kerberos security "
+ "not enabled\n"));
+ TALLOC_FREE(session);
+ data_blob_free(&secblob_in);
+ SAFE_FREE(kerb_mech);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
auth,
&auth_out);
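Review bot: On the fall-through path of the new `if (auth.data[0] == ASN1_APPLICATION(0))` block, where parse_spnego_mechanisms() succeeds but `kerb_mech` stays NULL, `secblob_in` goes out of scope without the `data_blob_free(&secblob_in);` that both other exits call, so each request taking that path would presumably leak the parsed blob before reaching auth_ntlmssp_update(); adding that call just before the block's closing brace covers it. The tag test also reads `auth.data[0]` with no length check visible in this hunk; unless the code above guarantees a non-empty blob, `auth.length > 0 &&` belongs in the condition, since that byte comes from the client's security buffer. It is also worth a one-line comment on why the tag is tested on `auth` while `in_security_buffer` is what gets passed to parse_spnego_mechanisms(). smbd_smb2_spnego_auth starts and ends outside the hunk, so checks made earlier in the function are not visible here.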