summaryrefslogtreecommitdiff
path: root/source4/libcli/auth/gensec_ntlmssp.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-08-25 02:25:20 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:58:19 -0500
commitfa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc (patch)
tree608b29fcba6b323474690cd4adcc7f2a4bb5b117 /source4/libcli/auth/gensec_ntlmssp.c
parentb13a9a8f98469fffe0db4cce7e077390d35984a3 (diff)
downloadsamba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.gz
samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.bz2
samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.zip
r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.
The bug (found by tridge) is that Win2k3 is being tighter about the NTLMSSP flags. If we don't negotiate sealing, we can't use it. We now have a way to indicate to the GENSEC implementation mechanisms what things we want for a connection. Andrew Bartlett (This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
Diffstat (limited to 'source4/libcli/auth/gensec_ntlmssp.c')
-rw-r--r--source4/libcli/auth/gensec_ntlmssp.c26
1 files changed, 26 insertions, 0 deletions
diff --git a/source4/libcli/auth/gensec_ntlmssp.c b/source4/libcli/auth/gensec_ntlmssp.c
index 99247fb626..ae03bc88e6 100644
--- a/source4/libcli/auth/gensec_ntlmssp.c
+++ b/source4/libcli/auth/gensec_ntlmssp.c
@@ -179,6 +179,13 @@ static NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_secur
return nt_status;
}
+ if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ }
+ if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+ gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ }
+
ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state;
if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&gensec_ntlmssp_state->auth_context))) {
return nt_status;
@@ -211,6 +218,25 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur
return status;
}
+ if (gensec_security->want_features & GENSEC_WANT_SESSION_KEY) {
+ /*
+ * We need to set this to allow a later SetPassword
+ * via the SAMR pipe to succeed. Strange.... We could
+ * also add NTLMSSP_NEGOTIATE_SEAL here. JRA.
+ *
+ * Without this, Windows will not create the master key
+ * that it thinks is only used for NTLMSSP signing and
+ * sealing. (It is actually pulled out and used directly)
+ */
+ gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ }
+ if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+ gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+ }
+ if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+ gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+ }
+
status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state,
gensec_security->user.domain);
if (!NT_STATUS_IS_OK(status)) {