From efb29227fa46e2c9420b3158ef7422aea4f5846e Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Fri, 21 May 2010 12:08:18 -0700
Subject: Make krb5 over SMB2 identical to the way we handle it in SMB1.
Jeremy.
---
 source3/smbd/smb2_sesssetup.c | 52 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)
(limited to 'source3')
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index ed5818951d..92e77a5ff2 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -516,7 +516,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 struct smbd_smb2_request *smb2req,
- uint8_t in_security_flags,
+ uint8_t in_security_mode,
 DATA_BLOB in_security_buffer,
 uint16_t *out_session_flags,
 DATA_BLOB *out_security_buffer,
@@ -542,7 +542,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 USE_KERBEROS_KEYTAB) ) {
 status = smbd_smb2_session_setup_krb5(session,
 smb2req,
- in_security_flags,
+ in_security_mode,
 &secblob_in,
 kerb_mech,
 out_session_flags,
@@ -706,6 +706,54 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 return NT_STATUS_LOGON_FAILURE;
 }
+ if (auth.data[0] == ASN1_APPLICATION(0)) {
+ /* Might be a second negTokenTarg packet */
+ DATA_BLOB secblob_in = data_blob_null;
+ char *kerb_mech = NULL;
+
+ status = parse_spnego_mechanisms(in_security_buffer,
+ &secblob_in, &kerb_mech);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ return status;
+ }
+
+#ifdef HAVE_KRB5
+ if (kerb_mech && ((lp_security()==SEC_ADS) ||
+ USE_KERBEROS_KEYTAB) ) {
+ status = smbd_smb2_session_setup_krb5(session,
+ smb2req,
+ in_security_mode,
+ &secblob_in,
+ kerb_mech,
+ out_session_flags,
+ out_security_buffer,
+ out_session_id);
+
+ data_blob_free(&secblob_in);
+ SAFE_FREE(kerb_mech);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(session);
+ }
+ return status;
+ }
+#endif
+
+ /* Can't blunder into NTLMSSP auth if we have
+ * a krb5 ticket. */
+
+ if (kerb_mech) {
+ DEBUG(3,("smb2: network "
+ "misconfiguration, client sent us a "
+ "krb5 ticket and kerberos security "
+ "not enabled\n"));
+ TALLOC_FREE(session);
+ data_blob_free(&secblob_in);
+ SAFE_FREE(kerb_mech);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
 status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 auth,
 &auth_out);
-- cgit
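Review bot: `auth.data[0]` at the top of the new block is indexed without checking `auth.length`; if spnego_parse_auth (which runs before this hunk) can hand back a zero-length blob for a malformed client token, this is a NULL or out-of-bounds read on attacker-controlled input, so guard it as `if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0)) {`. The fall-through case also leaks: when parse_spnego_mechanisms succeeds but kerb_mech is NULL, `secblob_in` is never released before control continues to auth_ntlmssp_update, so add `data_blob_free(&secblob_in);` after the `if (kerb_mech)` block. The three new return paths (parse failure, the krb5 return under HAVE_KRB5, and the misconfiguration return) likewise leave `auth` itself unfreed if, as the existing code below the hunk appears to do, it is normally released after the NTLMSSP update — worth confirming. The comment `/* Might be a second negTokenTarg packet */` is misleading, since ASN1_APPLICATION(0) is the GSS-API InitialContextToken tag rather than the negTokenTarg context tag; `/* Raw GSS-API (krb5) token rather than a negTokenTarg */` describes the branch better. smbd_smb2_spnego_auth starts and ends outside the hunk.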