diff options
Diffstat (limited to 'source3/libsmb')
-rw-r--r-- | source3/libsmb/cliconnect.c | 65 | ||||
-rw-r--r-- | source3/libsmb/clidfs.c | 11 | ||||
-rw-r--r-- | source3/libsmb/libsmbclient.c | 16 | ||||
-rw-r--r-- | source3/libsmb/passchange.c | 39 |
4 files changed, 71 insertions, 60 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index d547bb3854..ae00dc5489 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -802,11 +802,11 @@ ntlmssp: password is in plaintext, the same should be done. ****************************************************************************/ -BOOL cli_session_setup(struct cli_state *cli, - const char *user, - const char *pass, int passlen, - const char *ntpass, int ntpasslen, - const char *workgroup) +NTSTATUS cli_session_setup(struct cli_state *cli, + const char *user, + const char *pass, int passlen, + const char *ntpass, int ntpasslen, + const char *workgroup) { char *p; fstring user2; @@ -820,8 +820,9 @@ BOOL cli_session_setup(struct cli_state *cli, workgroup = user2; } - if (cli->protocol < PROTOCOL_LANMAN1) - return True; + if (cli->protocol < PROTOCOL_LANMAN1) { + return NT_STATUS_OK; + } /* now work out what sort of session setup we are going to do. I have split this into separate functions to make the @@ -833,31 +834,34 @@ BOOL cli_session_setup(struct cli_state *cli, if (!lp_client_lanman_auth() && passlen != 24 && (*pass)) { DEBUG(1, ("Server requested LM password but 'client lanman auth'" " is disabled\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 && !lp_client_plaintext_auth() && (*pass)) { DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" " is disabled\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } - return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup); + return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup) ? + NT_STATUS_OK : cli_nt_error(cli); } /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ if (!user || !*user) - return cli_session_setup_guest(cli); + return cli_session_setup_guest(cli) ? + NT_STATUS_OK : cli_nt_error(cli); /* if the server is share level then send a plaintext null password at this point. The password is sent in the tree connect */ if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) - return cli_session_setup_plaintext(cli, user, "", workgroup); + return cli_session_setup_plaintext(cli, user, "", workgroup) ? + NT_STATUS_OK : cli_nt_error(cli); /* if the server doesn't support encryption then we have to use plaintext. The second password is ignored */ @@ -866,9 +870,10 @@ BOOL cli_session_setup(struct cli_state *cli, if (!lp_client_plaintext_auth() && (*pass)) { DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'" " is disabled\n")); - return False; + return NT_STATUS_ACCESS_DENIED; } - return cli_session_setup_plaintext(cli, user, pass, workgroup); + return cli_session_setup_plaintext(cli, user, pass, workgroup) ? + NT_STATUS_OK : cli_nt_error(cli); } /* if the server supports extended security then use SPNEGO */ @@ -877,13 +882,13 @@ BOOL cli_session_setup(struct cli_state *cli, ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup); if (!ADS_ERR_OK(status)) { DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status))); - return False; + return ads_ntstatus(status); } } else { /* otherwise do a NT1 style session setup */ if ( !cli_session_setup_nt1(cli, user, pass, passlen, ntpass, ntpasslen, workgroup) ) { DEBUG(3,("cli_session_setup: NT1 session setup failed!\n")); - return False; + return cli_nt_error(cli); } } @@ -891,7 +896,7 @@ BOOL cli_session_setup(struct cli_state *cli, cli->is_samba = True; } - return True; + return NT_STATUS_OK; } @@ -1510,20 +1515,26 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, return nt_status; } - if (!cli_session_setup(cli, user, password, pw_len, password, pw_len, domain)) { - if ((flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK) - && cli_session_setup(cli, "", "", 0, "", 0, domain)) { - } else { - nt_status = cli_nt_error(cli); - DEBUG(1,("failed session setup with %s\n", nt_errstr(nt_status))); + nt_status = cli_session_setup(cli, user, password, pw_len, password, + pw_len, domain); + if (!NT_STATUS_IS_OK(nt_status)) { + + if (!(flags & CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK)) { + DEBUG(1,("failed session setup with %s\n", + nt_errstr(nt_status))); cli_shutdown(cli); - if (NT_STATUS_IS_OK(nt_status)) { - nt_status = NT_STATUS_UNSUCCESSFUL; - } return nt_status; } - } + nt_status = cli_session_setup(cli, "", "", 0, "", 0, domain); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1,("anonymous failed session setup with %s\n", + nt_errstr(nt_status))); + cli_shutdown(cli); + return nt_status; + } + } + if (service) { if (!cli_send_tconX(cli, service, service_type, password, pw_len)) { nt_status = cli_nt_error(cli); diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c index 0135881021..916e4cefc6 100644 --- a/source3/libsmb/clidfs.c +++ b/source3/libsmb/clidfs.c @@ -127,13 +127,14 @@ static struct cli_state *do_connect( const char *server, const char *share, } } - if (!cli_session_setup(c, username, - password, strlen(password), - password, strlen(password), - lp_workgroup())) { + if (!NT_STATUS_IS_OK(cli_session_setup(c, username, + password, strlen(password), + password, strlen(password), + lp_workgroup()))) { /* if a password was not supplied then try again with a null username */ if (password[0] || !username[0] || use_kerberos || - !cli_session_setup(c, "", "", 0, "", 0, lp_workgroup())) { + !NT_STATUS_IS_OK(cli_session_setup(c, "", "", 0, "", 0, + lp_workgroup()))) { d_printf("session setup failed: %s\n", cli_errstr(c)); if (NT_STATUS_V(cli_nt_error(c)) == NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED)) diff --git a/source3/libsmb/libsmbclient.c b/source3/libsmb/libsmbclient.c index c64c3dfb39..d9267e72bd 100644 --- a/source3/libsmb/libsmbclient.c +++ b/source3/libsmb/libsmbclient.c @@ -814,19 +814,19 @@ smbc_server(SMBCCTX *context, username_used = username; - if (!cli_session_setup(c, username_used, - password, strlen(password), - password, strlen(password), - workgroup)) { + if (!NT_STATUS_IS_OK(cli_session_setup(c, username_used, + password, strlen(password), + password, strlen(password), + workgroup))) { /* Failed. Try an anonymous login, if allowed by flags. */ username_used = ""; if ((context->flags & SMBCCTX_FLAG_NO_AUTO_ANONYMOUS_LOGON) || - !cli_session_setup(c, username_used, - password, 1, - password, 0, - workgroup)) { + !NT_STATUS_IS_OK(cli_session_setup(c, username_used, + password, 1, + password, 0, + workgroup))) { cli_shutdown(c); errno = EPERM; diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c index 0d3dcf4d75..e400819743 100644 --- a/source3/libsmb/passchange.c +++ b/source3/libsmb/passchange.c @@ -80,39 +80,38 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam /* Given things like SMB signing, restrict anonymous and the like, try an authenticated connection first */ - if (!cli_session_setup(cli, user_name, old_passwd, strlen(old_passwd)+1, old_passwd, strlen(old_passwd)+1, "")) { + result = cli_session_setup(cli, user_name, + old_passwd, strlen(old_passwd)+1, + old_passwd, strlen(old_passwd)+1, ""); - result = cli_nt_error(cli); - - if (!NT_STATUS_IS_OK(result)) { - - /* Password must change is the only valid error - * condition here from where we can proceed, the rest - * like account locked out or logon failure will lead - * to errors later anyway */ + if (!NT_STATUS_IS_OK(result)) { - if (!NT_STATUS_EQUAL(result, - NT_STATUS_PASSWORD_MUST_CHANGE)) { - slprintf(err_str, err_str_len-1, "Could not " - "connect to machine %s: %s\n", - remote_machine, cli_errstr(cli)); - cli_shutdown(cli); - return result; - } + /* Password must change is the only valid error condition here + * from where we can proceed, the rest like account locked out + * or logon failure will lead to errors later anyway */ - pass_must_change = True; + if (!NT_STATUS_EQUAL(result, + NT_STATUS_PASSWORD_MUST_CHANGE)) { + slprintf(err_str, err_str_len-1, "Could not " + "connect to machine %s: %s\n", + remote_machine, cli_errstr(cli)); + cli_shutdown(cli); + return result; } + pass_must_change = True; + /* * We should connect as the anonymous user here, in case * the server has "must change password" checked... * Thanks to <Nicholas.S.Jenkins@cdc.com> for this fix. */ - if (!cli_session_setup(cli, "", "", 0, "", 0, "")) { + result = cli_session_setup(cli, "", "", 0, "", 0, ""); + + if (!NT_STATUS_IS_OK(result)) { slprintf(err_str, err_str_len-1, "machine %s rejected the session setup. Error was : %s.\n", remote_machine, cli_errstr(cli) ); - result = cli_nt_error(cli); cli_shutdown(cli); return result; } |