diff options
Diffstat (limited to 'source3/libsmb')
| -rw-r--r-- | source3/libsmb/cliconnect.c | 38 | ||||
| -rw-r--r-- | source3/libsmb/clispnego.c | 19 | ||||
| -rw-r--r-- | source3/libsmb/namequery.c | 29 | ||||
| -rw-r--r-- | source3/libsmb/trusts_util.c | 2 |
4 files changed, 77 insertions, 11 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 820a904ea4..a4bbf9a6ec 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -822,20 +822,36 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, free(OIDs[i]); } - DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); if (got_kerberos_mechanism && (principal == NULL)) { + fstring dns_name; + fstring nb_name; + /* - * It is WRONG to depend on the principal sent in the negprot - * reply, but right now we do it. So for safety (don't - * segfault later) disable Kerberos when no principal was - * sent. -- VL - */ - DEBUG(1, ("Kerberos mech was offered, but no principal was " - "sent, disabling Kerberos\n")); - cli->use_kerberos = False; + * We didn't get a valid principal in the negTokenInit. Fake + * it, or fall back on NTLM. We prefer to fake it, and hit the + * translate_name cache to get a REAL realm name. + */ + if (!(cli->desthost && translate_name(domain, dns_name, + nb_name) && + asprintf(&principal, "host/%s@%s", cli->desthost, + dns_name))) { + + /* + * It is WRONG to depend on the principal sent in the + * negprot reply, but right now we do it. So for safety + * (don't segfault later) disable Kerberos when no + * principal was sent. -- VL + */ + DEBUG(1, ("Kerberos mech was offered, but no principal was " + "sent, disabling Kerberos\n")); + cli->use_kerberos = False; + } + } + DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); + fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 @@ -872,7 +888,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); + /* NTLM is sensitive to adding a domain with a UPN */ + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, + (strchr(user, '@') ? NULL : domain))); } /**************************************************************************** diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index 9432ce81d3..c45883d890 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -52,7 +52,18 @@ DATA_BLOB spnego_gen_negTokenInit(char guid[16], asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_push_tag(&data, ASN1_SEQUENCE(0)); asn1_push_tag(&data, ASN1_CONTEXT(0)); + + /* + * @todo + * Windows 2008 sends a bogus principal, since this + * is not truly supported in the SPNEGO protocol. + * + * We should do the same, but I'm worried this will break things, + * such as DFS. + * todd.stecher@isilon.com + */ asn1_write_GeneralString(&data,principal); + asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_pop_tag(&data); @@ -154,6 +165,14 @@ BOOL spnego_parse_negTokenInit(DATA_BLOB blob, asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_read_GeneralString(&data,principal); + /* + * Windows 2008 sends a bogus principal, since this + * is not truly supported in the SPNEGO protocol. + * todd.stecher@isilon.com + */ + if (strcmp(ADS_IGNORE_PRINCIPAL, *principal) == 0) + SAFE_FREE(*principal); + asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data); diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c index 49e3375f50..4a7ae0c2e5 100644 --- a/source3/libsmb/namequery.c +++ b/source3/libsmb/namequery.c @@ -1714,3 +1714,32 @@ NTSTATUS get_kdc_list( const char *realm, const char *sitename, struct ip_servic return NT_STATUS_OK; } + + +BOOL translate_name(const char *realm, fstring dns_domain_name, + fstring nb_domain_name) +{ + struct winbindd_request request; + struct winbindd_response response; + NSS_STATUS wb_result; + + /* Call winbindd */ + + ZERO_STRUCT(request); + ZERO_STRUCT(response); + + fstrcpy(request.domain_name, realm); + wb_result = winbindd_request_response(WINBINDD_DOMAIN_INFO, + &request, &response); + + if (wb_result != NSS_STATUS_SUCCESS) { + DEBUG(0, ("Failed to translate %s\n", realm)); + return False; + } + + fstrcpy(dns_domain_name, response.data.domain_info.alt_name); + fstrcpy(nb_domain_name, response.data.domain_info.name); + + return True; + +} diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c index 0922f9f41e..4a231dcd15 100644 --- a/source3/libsmb/trusts_util.c +++ b/source3/libsmb/trusts_util.c @@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX already have valid creds. If not we must set them up. */ if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; result = rpccli_netlogon_setup_creds(cli, cli->cli->desthost, /* server name */ |