diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2004-08-25 02:25:20 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:58:19 -0500 |
| commit | fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc (patch) | |
| tree | 608b29fcba6b323474690cd4adcc7f2a4bb5b117 /source4/libcli/auth/gensec_ntlmssp.c | |
| parent | b13a9a8f98469fffe0db4cce7e077390d35984a3 (diff) | |
| download | samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.gz samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.tar.bz2 samba-fa5a99b7a6e4f9bffa82eed1393e8e5e1f6404dc.zip | |
r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags. If we don't negotiate sealing, we can't use it.
We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.
Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)
Diffstat (limited to 'source4/libcli/auth/gensec_ntlmssp.c')
| -rw-r--r-- | source4/libcli/auth/gensec_ntlmssp.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/source4/libcli/auth/gensec_ntlmssp.c b/source4/libcli/auth/gensec_ntlmssp.c index 99247fb626..ae03bc88e6 100644 --- a/source4/libcli/auth/gensec_ntlmssp.c +++ b/source4/libcli/auth/gensec_ntlmssp.c @@ -179,6 +179,13 @@ static NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_secur return nt_status; } + if (gensec_security->want_features & GENSEC_WANT_SIGN) { + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (gensec_security->want_features & GENSEC_WANT_SEAL) { + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; + } + ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state; if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&gensec_ntlmssp_state->auth_context))) { return nt_status; @@ -211,6 +218,25 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur return status; } + if (gensec_security->want_features & GENSEC_WANT_SESSION_KEY) { + /* + * We need to set this to allow a later SetPassword + * via the SAMR pipe to succeed. Strange.... We could + * also add NTLMSSP_NEGOTIATE_SEAL here. JRA. + * + * Without this, Windows will not create the master key + * that it thinks is only used for NTLMSSP signing and + * sealing. (It is actually pulled out and used directly) + */ + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (gensec_security->want_features & GENSEC_WANT_SIGN) { + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN; + } + if (gensec_security->want_features & GENSEC_WANT_SEAL) { + gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; + } + status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state, gensec_security->user.domain); if (!NT_STATUS_IS_OK(status)) { |