From e9c7016699c61b4d21341b639bbe4291dcd21872 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 7 May 2006 19:36:06 +0000 Subject: r15503: I may shortly have to revert all of this, but be clearer about how we handle the NTLMSSP and wrong password fallbacks. Andrew Bartlett (This used to be commit dbf51ea985e0b300631e2070e91d4d901c784c44) --- source4/librpc/rpc/dcerpc_util.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) (limited to 'source4') diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 158c5e3fe0..5b341b9359 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -976,7 +976,7 @@ struct pipe_auth_state { struct dcerpc_binding *binding; const struct dcerpc_interface_table *table; struct cli_credentials *credentials; - uint8_t next_auth_type; + uint8_t auth_type; BOOL try_ntlm_fallback; }; @@ -1011,10 +1011,12 @@ static void continue_recv_bind(struct composite_context *ctx) struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state); status = dcerpc_bind_auth_recv(ctx); - if (s->try_ntlm_fallback && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { + if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO + && s->try_ntlm_fallback + && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) { struct composite_context *sec_conn_req; s->try_ntlm_fallback = False; - s->next_auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP; /* send a request for secondary rpc connection */ sec_conn_req = dcerpc_secondary_connection_send(s->pipe, s->binding); @@ -1023,10 +1025,9 @@ static void continue_recv_bind(struct composite_context *ctx) composite_continue(c, sec_conn_req, continue_new_auth_bind, c); return; - } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + } else if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { struct composite_context *sec_conn_req; if (cli_credentials_wrong_password(s->credentials)) { - s->next_auth_type = DCERPC_AUTH_TYPE_SPNEGO; /* send a request for secondary rpc connection */ sec_conn_req = dcerpc_secondary_connection_send(s->pipe, s->binding); @@ -1070,7 +1071,7 @@ static void continue_new_auth_bind(struct composite_context *ctx) /* initiate a authenticated bind */ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, s->next_auth_type, + s->credentials, s->auth_type, dcerpc_auth_level(s->pipe->conn), s->table->authservices->names[0]); if (composite_nomem(auth_req, c)) return; @@ -1157,8 +1158,6 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, * connection is not signed or sealed. For that case * we rely on the already authenticated CIFS connection */ - - uint8_t auth_type; if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) { /* @@ -1172,23 +1171,23 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, } if (s->binding->flags & DCERPC_AUTH_SPNEGO) { - auth_type = DCERPC_AUTH_TYPE_SPNEGO; + s->auth_type = DCERPC_AUTH_TYPE_SPNEGO; } else if (s->binding->flags & DCERPC_AUTH_KRB5) { - auth_type = DCERPC_AUTH_TYPE_KRB5; + s->auth_type = DCERPC_AUTH_TYPE_KRB5; } else if (s->binding->flags & DCERPC_SCHANNEL) { - auth_type = DCERPC_AUTH_TYPE_SCHANNEL; + s->auth_type = DCERPC_AUTH_TYPE_SCHANNEL; } else if (s->binding->flags & DCERPC_AUTH_NTLM) { - auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP; } else { - auth_type = DCERPC_AUTH_TYPE_SPNEGO; + s->auth_type = DCERPC_AUTH_TYPE_SPNEGO; s->try_ntlm_fallback = True; } auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, DCERPC_AUTH_TYPE_SPNEGO, + s->credentials, s->auth_type, dcerpc_auth_level(conn), s->table->authservices->names[0]); if (composite_nomem(auth_req, c)) return c; -- cgit