Diffstat (limited to 'source4/smb_server')
-rw-r--r-- | source4/smb_server/negprot.c | 28 | ||||
-rw-r--r-- | source4/smb_server/sesssetup.c | 2 | ||||
-rw-r--r-- | source4/smb_server/smb_server.h | 4 |
3 files changed, 28 insertions, 6 deletions
diff --git a/source4/smb_server/negprot.c b/source4/smb_server/negprot.c
index 31f31272e0..a9cc05e251 100644
--- a/source4/smb_server/negprot.c
+++ b/source4/smb_server/negprot.c
@@ -326,6 +326,7 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
 req_push_str(req, NULL, lp_netbios_name(), -1, STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
 DEBUG(3,("not using SPNEGO\n"));
 } else {
+ struct cli_credentials *server_credentials;
 struct gensec_security *gensec_security;
 DATA_BLOB null_data_blob = data_blob(NULL, 0);
 DATA_BLOB blob;
@@ -333,19 +334,38 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice) &gensec_security, req->smb_conn->connection->event.ctx); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status))); + smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n"); + return; + } + if (req->smb_conn->negotiate.auth_context) { smbsrv_terminate_connection(req->smb_conn, "reply_nt1: is this a secondary negprot? auth_context is non-NULL!\n"); return; } - req->smb_conn->negotiate.auth_context = NULL; + server_credentials + = cli_credentials_init(req); + if (!server_credentials) { + smbsrv_terminate_connection(req->smb_conn, "Failed to init server credentials\n"); + return; + } + cli_credentials_set_conf(server_credentials); + nt_status = cli_credentials_set_machine_account(server_credentials); if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status))); - smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n"); - return; + DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(nt_status))); + talloc_free(server_credentials); + server_credentials = NULL; } + req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials); + + gensec_set_target_service(gensec_security, "cifs"); + + gensec_set_credentials(gensec_security, server_credentials); + nt_status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/smb_server/sesssetup.c b/source4/smb_server/sesssetup.c index 1fa04b99e5..bdd4a3fab2 100644 --- a/source4/smb_server/sesssetup.c +++ b/source4/smb_server/sesssetup.c 
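Review bot: When `cli_credentials_set_machine_account()` fails, the new code frees `server_credentials`, sets it to NULL, and still passes it to `gensec_set_credentials()` and stores it in `negotiate.server_credentials`, with the failure logged only at `DEBUG(10, ...)`. On a host that is meant to be a domain member this presumably means SPNEGO is offered without the machine trust account while nothing at normal log levels says so; I would log it at a level operators actually run with, for example `DEBUG(1, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(nt_status)));`, and confirm that GENSEC accepts a NULL credentials pointer, which is not visible in this hunk. The results of `gensec_set_target_service()` and `gensec_set_credentials()` are also discarded; if they return a status it should be checked the way `gensec_start_mech_by_oid()` is a few lines later. The same unchecked, possibly NULL `negotiate.server_credentials` is handed to `gensec_set_credentials()` in the `sesssetup_spnego` hunk of sesssetup.c. The body of `reply_nt1` starts and ends outside this hunk.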
@@ -293,6 +293,8 @@ static NTSTATUS sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup return status; } + gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials); + gensec_set_target_service(gensec_ctx, "cifs"); gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY); diff --git a/source4/smb_server/smb_server.h b/source4/smb_server/smb_server.h index 01fb1e26a3..360ea7ddfb 100644 --- a/source4/smb_server/smb_server.h +++ b/source4/smb_server/smb_server.h @@ -194,8 +194,8 @@ struct smbsrv_connection { /* authentication context for multi-part negprot */ struct auth_context *auth_context; - /* state of NTLMSSP auth */ - struct auth_ntlmssp_state *ntlmssp_state; + /* reference to the kerberos keytab, or machine trust account */ + struct cli_credentials *server_credentials; /* did we tell the client we support encrypted passwords? */ BOOL encrypted_passwords; |
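Review bot: The new comment on `server_credentials` in `struct smbsrv_connection` does not say that the pointer can be NULL or who owns it. In the negprot.c hunk the field is set to NULL when the machine account cannot be loaded and is otherwise reparented onto the connection with `talloc_steal(req->smb_conn, ...)`, so readers of `sesssetup_spnego` need to know both facts. I would extend the comment to something like `/* machine account / keytab credentials, owned by the connection; NULL if none could be loaded (e.g. standalone server) */`. The struct definition continues outside the hunk.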