diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-09-13 04:28:10 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:58:42 -0500 |
commit | d2c14a5dc6117d6593aa03090ce7fa4c9ebc3359 (patch) | |
tree | 6be8599902ef9c12e4fcefb79f9db76b04793f96 /source4 | |
parent | 4456f87dee1b9ee130f290ba9b7fb61a89b72333 (diff) | |
download | samba-d2c14a5dc6117d6593aa03090ce7fa4c9ebc3359.tar.gz samba-d2c14a5dc6117d6593aa03090ce7fa4c9ebc3359.tar.bz2 samba-d2c14a5dc6117d6593aa03090ce7fa4c9ebc3359.zip |
r2307: Fix the use of 'raw' NTLMSSP to hosts that support extended security,
but do not support SPNEGO (such as XP, when not joined to a domain).
This is triggered by the presense or lack of a security blob in the
negprot reply.
Andrew Bartlett
(This used to be commit 99f7a38c077725b22475f2ba68d0955114879c24)
Diffstat (limited to 'source4')
-rw-r--r-- | source4/libcli/auth/gensec.c | 11 | ||||
-rw-r--r-- | source4/libcli/auth/spnego.c | 5 | ||||
-rw-r--r-- | source4/libcli/raw/clisession.c | 29 |
3 files changed, 33 insertions, 12 deletions
diff --git a/source4/libcli/auth/gensec.c b/source4/libcli/auth/gensec.c index a744f513dc..b7891ee53b 100644 --- a/source4/libcli/auth/gensec.c +++ b/source4/libcli/auth/gensec.c @@ -262,6 +262,17 @@ const char *gensec_get_name_by_authtype(uint8_t authtype) } +const char *gensec_get_name_by_oid(const char *oid) +{ + const struct gensec_security_ops *ops; + ops = gensec_security_by_oid(oid); + if (ops) { + return ops->name; + } + return NULL; +} + + /** * Start a GENSEC sub-mechanism by OID, used in SPNEGO * diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c index f3ead5069d..696240f8d6 100644 --- a/source4/libcli/auth/spnego.c +++ b/source4/libcli/auth/spnego.c @@ -290,7 +290,8 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ null_data_blob, unwrapped_out); } - if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(nt_status)) { + if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED) + && (!NT_STATUS_IS_OK(nt_status))) { DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed: %s\n", spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status))); gensec_end(&spnego_state->sub_sec_security); @@ -412,7 +413,7 @@ static NTSTATUS gensec_spnego_server_negTokenTarg(struct gensec_security *gensec static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, - const DATA_BLOB in, DATA_BLOB *out) + const DATA_BLOB in, DATA_BLOB *out) { struct spnego_state *spnego_state = gensec_security->private_data; DATA_BLOB null_data_blob = data_blob(NULL, 0); diff --git a/source4/libcli/raw/clisession.c b/source4/libcli/raw/clisession.c index 32be6b68ed..dcf32c8485 100644 --- a/source4/libcli/raw/clisession.c +++ b/source4/libcli/raw/clisession.c @@ -379,6 +379,7 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct smbcli_session *sess union smb_sesssetup s2; DATA_BLOB session_key = data_blob(NULL, 0); DATA_BLOB null_data_blob = data_blob(NULL, 0); + const char *chosen_oid; s2.generic.level = RAW_SESSSETUP_SPNEGO; s2.spnego.in.bufsize = ~0; @@ -429,21 +430,25 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct smbcli_session *sess goto done; } - status = gensec_start_mech_by_oid(session->gensec, OID_SPNEGO); + if (session->transport->negotiate.secblob.length) { + chosen_oid = OID_SPNEGO; + } else { + /* without a sec blob, means raw NTLMSSP */ + chosen_oid = OID_NTLMSSP; + } + + status = gensec_start_mech_by_oid(session->gensec, chosen_oid); if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n", - nt_errstr(status))); + DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism %s: %s\n", + gensec_get_name_by_oid(chosen_oid), nt_errstr(status))); goto done; } - + status = gensec_update(session->gensec, mem_ctx, - session->transport->negotiate.secblob, - &s2.spnego.in.secblob); + session->transport->negotiate.secblob, + &s2.spnego.in.secblob); while(1) { - if (NT_STATUS_IS_OK(status) && s2.spnego.in.secblob.length == 0) { - break; - } if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) { break; } @@ -455,6 +460,10 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct smbcli_session *sess smbcli_transport_simple_set_signing(session->transport, session_key, null_data_blob); } + if (NT_STATUS_IS_OK(status) && s2.spnego.in.secblob.length == 0) { + break; + } + session->vuid = s2.spnego.out.vuid; status = smb_raw_session_setup(session, mem_ctx, &s2); session->vuid = UID_FIELD_INVALID; @@ -483,7 +492,7 @@ done: parms->generic.out.lanman = s2.spnego.out.lanman; parms->generic.out.domain = s2.spnego.out.domain; } else { - DEBUG(1, ("Failed to login with SPNEGO: %s\n", nt_errstr(status))); + DEBUG(1, ("Failed to login with %s: %s\n", gensec_get_name_by_oid(chosen_oid), nt_errstr(status))); return status; } |