From 1f829e19eb3b81ad1c4451fe9a90617e6cee7dd7 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 30 Oct 2001 13:54:54 +0000 Subject: Spnego on the 'server' end of security=server just does not work, so set the flags so we just do a 'normal' session setup. Also add some parinoia code to detect when sombody attempts to do a 'normal' session setup when spnego had been negoitiated. Andrew Bartlett (This used to be commit 190898586fa218c952fbd5bea56155d04e6f248b) --- source3/smbd/auth_server.c | 3 +++ source3/smbd/negprot.c | 5 ++++- source3/smbd/sesssetup.c | 8 +++++++- 3 files changed, 14 insertions(+), 2 deletions(-) (limited to 'source3/smbd') diff --git a/source3/smbd/auth_server.c b/source3/smbd/auth_server.c index 2574a52ef3..520417e3e0 100644 --- a/source3/smbd/auth_server.c +++ b/source3/smbd/auth_server.c @@ -51,6 +51,9 @@ struct cli_state *server_cryptkey(void) if (!cli_initialise(cli)) return NULL; + /* security = server just can't function with spnego */ + cli->use_spnego = False; + pserver = strdup(lp_passwordserver()); p = pserver; diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c index 16d315f1d8..e4285cb27c 100644 --- a/source3/smbd/negprot.c +++ b/source3/smbd/negprot.c @@ -25,7 +25,8 @@ extern int Protocol; extern int max_recv; extern fstring global_myworkgroup; extern fstring remote_machine; -BOOL global_encrypted_passwords_negotiated; +BOOL global_encrypted_passwords_negotiated = False; +BOOL global_spnego_negotiated = False; /**************************************************************************** reply for the core protocol @@ -170,6 +171,8 @@ static int negprot_spnego(char *p, uint8 cryptkey[8]) char *principal; int len; + global_spnego_negotiated = True; + memset(guid, 0, 16); safe_strcpy((char *)guid, global_myname, 16); strlower((char *)guid); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 5412cc3bad..2d9f624b80 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -480,6 +480,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, BOOL guest=False; static BOOL done_sesssetup = False; extern BOOL global_encrypted_passwords_negotiated; + extern BOOL global_spnego_negotiated; extern uint32 global_client_caps; extern int Protocol; extern fstring remote_machine; @@ -492,11 +493,16 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* a SPNEGO session setup has 12 command words, whereas a normal NT1 session setup has 13. See the cifs spec. */ - if (CVAL(inbuf, smb_wct) == 12 && + if (CVAL(inbuf, smb_wct) == 12 && (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) { return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize); } + if (global_spnego_negotiated) { + DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n")); + return ERROR_NT(NT_STATUS_UNSUCCESSFUL); + } + *smb_apasswd = *smb_ntpasswd = 0; smb_bufsize = SVAL(inbuf,smb_vwv2); -- cgit