diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-05-07 19:36:06 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:05:43 -0500 |
commit | e9c7016699c61b4d21341b639bbe4291dcd21872 (patch) | |
tree | 0b624c39e56dbb88b1d102f30bd04140eb805aca /source4/librpc | |
parent | bbc6e216bdc858e70bfdebbab69d96c7dd23c3d2 (diff) | |
download | samba-e9c7016699c61b4d21341b639bbe4291dcd21872.tar.gz samba-e9c7016699c61b4d21341b639bbe4291dcd21872.tar.bz2 samba-e9c7016699c61b4d21341b639bbe4291dcd21872.zip |
r15503: I may shortly have to revert all of this, but be clearer about how we
handle the NTLMSSP and wrong password fallbacks.
Andrew Bartlett
(This used to be commit dbf51ea985e0b300631e2070e91d4d901c784c44)
Diffstat (limited to 'source4/librpc')
-rw-r--r-- | source4/librpc/rpc/dcerpc_util.c | 27 |
1 files changed, 13 insertions, 14 deletions
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 158c5e3fe0..5b341b9359 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -976,7 +976,7 @@ struct pipe_auth_state { struct dcerpc_binding *binding; const struct dcerpc_interface_table *table; struct cli_credentials *credentials; - uint8_t next_auth_type; + uint8_t auth_type; BOOL try_ntlm_fallback; }; @@ -1011,10 +1011,12 @@ static void continue_recv_bind(struct composite_context *ctx) struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state); status = dcerpc_bind_auth_recv(ctx); - if (s->try_ntlm_fallback && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO + && s->try_ntlm_fallback + && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { struct composite_context *sec_conn_req; s->try_ntlm_fallback = False; - s->next_auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP; /* send a request for secondary rpc connection */ sec_conn_req = dcerpc_secondary_connection_send(s->pipe, s->binding); @@ -1023,10 +1025,9 @@ static void continue_recv_bind(struct composite_context *ctx) composite_continue(c, sec_conn_req, continue_new_auth_bind, c); return; - } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + } else if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { struct composite_context *sec_conn_req; if (cli_credentials_wrong_password(s->credentials)) { - s->next_auth_type = DCERPC_AUTH_TYPE_SPNEGO; /* send a request for secondary rpc connection */ sec_conn_req = dcerpc_secondary_connection_send(s->pipe, s->binding); @@ -1070,7 +1071,7 @@ static void continue_new_auth_bind(struct composite_context *ctx) /* initiate a authenticated bind */ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, s->next_auth_type, + s->credentials, s->auth_type, dcerpc_auth_level(s->pipe->conn), s->table->authservices->names[0]); if (composite_nomem(auth_req, c)) return; @@ -1157,8 +1158,6 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, * connection is not signed or sealed. For that case * we rely on the already authenticated CIFS connection */ - - uint8_t auth_type; if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) { /* @@ -1172,23 +1171,23 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, } if (s->binding->flags & DCERPC_AUTH_SPNEGO) { - auth_type = DCERPC_AUTH_TYPE_SPNEGO; + s->auth_type = DCERPC_AUTH_TYPE_SPNEGO; } else if (s->binding->flags & DCERPC_AUTH_KRB5) { - auth_type = DCERPC_AUTH_TYPE_KRB5; + s->auth_type = DCERPC_AUTH_TYPE_KRB5; } else if (s->binding->flags & DCERPC_SCHANNEL) { - auth_type = DCERPC_AUTH_TYPE_SCHANNEL; + s->auth_type = DCERPC_AUTH_TYPE_SCHANNEL; } else if (s->binding->flags & DCERPC_AUTH_NTLM) { - auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP; } else { - auth_type = DCERPC_AUTH_TYPE_SPNEGO; + s->auth_type = DCERPC_AUTH_TYPE_SPNEGO; s->try_ntlm_fallback = True; } auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, DCERPC_AUTH_TYPE_SPNEGO, + s->credentials, s->auth_type, dcerpc_auth_level(conn), s->table->authservices->names[0]); if (composite_nomem(auth_req, c)) return c; |