summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-05-07 19:36:06 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:05:43 -0500
commite9c7016699c61b4d21341b639bbe4291dcd21872 (patch)
tree0b624c39e56dbb88b1d102f30bd04140eb805aca /source4
parentbbc6e216bdc858e70bfdebbab69d96c7dd23c3d2 (diff)
downloadsamba-e9c7016699c61b4d21341b639bbe4291dcd21872.tar.gz
samba-e9c7016699c61b4d21341b639bbe4291dcd21872.tar.bz2
samba-e9c7016699c61b4d21341b639bbe4291dcd21872.zip
r15503: I may shortly have to revert all of this, but be clearer about how we
handle the NTLMSSP and wrong password fallbacks. Andrew Bartlett (This used to be commit dbf51ea985e0b300631e2070e91d4d901c784c44)
Diffstat (limited to 'source4')
-rw-r--r--source4/librpc/rpc/dcerpc_util.c27
1 files changed, 13 insertions, 14 deletions
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 158c5e3fe0..5b341b9359 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -976,7 +976,7 @@ struct pipe_auth_state {
struct dcerpc_binding *binding;
const struct dcerpc_interface_table *table;
struct cli_credentials *credentials;
- uint8_t next_auth_type;
+ uint8_t auth_type;
BOOL try_ntlm_fallback;
};
@@ -1011,10 +1011,12 @@ static void continue_recv_bind(struct composite_context *ctx)
struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
status = dcerpc_bind_auth_recv(ctx);
- if (s->try_ntlm_fallback && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+ if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO
+ && s->try_ntlm_fallback
+ && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
struct composite_context *sec_conn_req;
s->try_ntlm_fallback = False;
- s->next_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+ s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
/* send a request for secondary rpc connection */
sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
s->binding);
@@ -1023,10 +1025,9 @@ static void continue_recv_bind(struct composite_context *ctx)
composite_continue(c, sec_conn_req, continue_new_auth_bind, c);
return;
- } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ } else if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
struct composite_context *sec_conn_req;
if (cli_credentials_wrong_password(s->credentials)) {
- s->next_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
/* send a request for secondary rpc connection */
sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
s->binding);
@@ -1070,7 +1071,7 @@ static void continue_new_auth_bind(struct composite_context *ctx)
/* initiate a authenticated bind */
auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
- s->credentials, s->next_auth_type,
+ s->credentials, s->auth_type,
dcerpc_auth_level(s->pipe->conn),
s->table->authservices->names[0]);
if (composite_nomem(auth_req, c)) return;
@@ -1157,8 +1158,6 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
* connection is not signed or sealed. For that case
* we rely on the already authenticated CIFS connection
*/
-
- uint8_t auth_type;
if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
/*
@@ -1172,23 +1171,23 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
}
if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
- auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ s->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
} else if (s->binding->flags & DCERPC_AUTH_KRB5) {
- auth_type = DCERPC_AUTH_TYPE_KRB5;
+ s->auth_type = DCERPC_AUTH_TYPE_KRB5;
} else if (s->binding->flags & DCERPC_SCHANNEL) {
- auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
+ s->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
} else if (s->binding->flags & DCERPC_AUTH_NTLM) {
- auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+ s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
} else {
- auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ s->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
s->try_ntlm_fallback = True;
}
auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
- s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+ s->credentials, s->auth_type,
dcerpc_auth_level(conn),
s->table->authservices->names[0]);
if (composite_nomem(auth_req, c)) return c;