summaryrefslogtreecommitdiff
path: root/source4/libcli
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2004-09-13 04:28:10 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:58:42 -0500
commitd2c14a5dc6117d6593aa03090ce7fa4c9ebc3359 (patch)
tree6be8599902ef9c12e4fcefb79f9db76b04793f96 /source4/libcli
parent4456f87dee1b9ee130f290ba9b7fb61a89b72333 (diff)
downloadsamba-d2c14a5dc6117d6593aa03090ce7fa4c9ebc3359.tar.gz
samba-d2c14a5dc6117d6593aa03090ce7fa4c9ebc3359.tar.bz2
samba-d2c14a5dc6117d6593aa03090ce7fa4c9ebc3359.zip
r2307: Fix the use of 'raw' NTLMSSP to hosts that support extended security,
but do not support SPNEGO (such as XP, when not joined to a domain). This is triggered by the presense or lack of a security blob in the negprot reply. Andrew Bartlett (This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/auth/gensec.c11
-rw-r--r--source4/libcli/auth/spnego.c5
-rw-r--r--source4/libcli/raw/clisession.c29
3 files changed, 33 insertions, 12 deletions
diff --git a/source4/libcli/auth/gensec.c b/source4/libcli/auth/gensec.c
index a744f513dc..b7891ee53b 100644
--- a/source4/libcli/auth/gensec.c
+++ b/source4/libcli/auth/gensec.c
@@ -262,6 +262,17 @@ const char *gensec_get_name_by_authtype(uint8_t authtype)
}
+const char *gensec_get_name_by_oid(const char *oid)
+{
+ const struct gensec_security_ops *ops;
+ ops = gensec_security_by_oid(oid);
+ if (ops) {
+ return ops->name;
+ }
+ return NULL;
+}
+
+
/**
* Start a GENSEC sub-mechanism by OID, used in SPNEGO
*
diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
index f3ead5069d..696240f8d6 100644
--- a/source4/libcli/auth/spnego.c
+++ b/source4/libcli/auth/spnego.c
@@ -290,7 +290,8 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
null_data_blob,
unwrapped_out);
}
- if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) {
+ if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
+ && (!NT_STATUS_IS_OK(nt_status))) {
DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n",
spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
gensec_end(&spnego_state->sub_sec_security);
@@ -412,7 +413,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec
static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB in, DATA_BLOB *out)
+ const DATA_BLOB in, DATA_BLOB *out)
{
struct spnego_state *spnego_state = gensec_security->private_data;
DATA_BLOB null_data_blob = data_blob(NULL, 0);
diff --git a/source4/libcli/raw/clisession.c b/source4/libcli/raw/clisession.c
index 32be6b68ed..dcf32c8485 100644
--- a/source4/libcli/raw/clisession.c
+++ b/source4/libcli/raw/clisession.c
@@ -379,6 +379,7 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct smbcli_session *sess
union smb_sesssetup s2;
DATA_BLOB session_key = data_blob(NULL, 0);
DATA_BLOB null_data_blob = data_blob(NULL, 0);
+ const char *chosen_oid;
s2.generic.level = RAW_SESSSETUP_SPNEGO;
s2.spnego.in.bufsize = ~0;
@@ -429,21 +430,25 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct smbcli_session *sess
goto done;
}
- status = gensec_start_mech_by_oid(session->gensec, OID_SPNEGO);
+ if (session->transport->negotiate.secblob.length) {
+ chosen_oid = OID_SPNEGO;
+ } else {
+ /* without a sec blob, means raw NTLMSSP */
+ chosen_oid = OID_NTLMSSP;
+ }
+
+ status = gensec_start_mech_by_oid(session->gensec, chosen_oid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n",
- nt_errstr(status)));
+ DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism %s: %s\n",
+ gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
goto done;
}
-
+
status = gensec_update(session->gensec, mem_ctx,
- session->transport->negotiate.secblob,
- &s2.spnego.in.secblob);
+ session->transport->negotiate.secblob,
+ &s2.spnego.in.secblob);
while(1) {
- if (NT_STATUS_IS_OK(status) && s2.spnego.in.secblob.length == 0) {
- break;
- }
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
break;
}
@@ -455,6 +460,10 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct smbcli_session *sess
smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob);
}
+ if (NT_STATUS_IS_OK(status) && s2.spnego.in.secblob.length == 0) {
+ break;
+ }
+
session->vuid = s2.spnego.out.vuid;
status = smb_raw_session_setup(session, mem_ctx, &s2);
session->vuid = UID_FIELD_INVALID;
@@ -483,7 +492,7 @@ done:
parms->generic.out.lanman = s2.spnego.out.lanman;
parms->generic.out.domain = s2.spnego.out.domain;
} else {
- DEBUG(1, ("Failed to login with SPNEGO: %s\n", nt_errstr(status)));
+ DEBUG(1, ("Failed to login with %s: %s\n", gensec_get_name_by_oid(chosen_oid), nt_errstr(status)));
return status;
}