svn commit: samba r13403 - in branches/SAMBA_4_0/source/smb_server: . smb

abartlet at samba.org abartlet at samba.org
Thu Feb 9 03:04:49 GMT 2006


Author: abartlet
Date: 2006-02-09 03:04:48 +0000 (Thu, 09 Feb 2006)
New Revision: 13403

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13403

Log:
Try to better handle a case where SPNEGO isn't available (allow us to
emulate the behaviour of XP standalone if required).

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/smb_server/smb/negprot.c
   branches/SAMBA_4_0/source/smb_server/smb/sesssetup.c
   branches/SAMBA_4_0/source/smb_server/smb_server.h


Changeset:
Modified: branches/SAMBA_4_0/source/smb_server/smb/negprot.c
===================================================================
--- branches/SAMBA_4_0/source/smb_server/smb/negprot.c	2006-02-09 02:30:43 UTC (rev 13402)
+++ branches/SAMBA_4_0/source/smb_server/smb/negprot.c	2006-02-09 03:04:48 UTC (rev 13403)
@@ -218,6 +218,22 @@
 	req_send_reply(req);
 }
 
+static void reply_nt1_orig(struct smbsrv_request *req)
+{
+	/* Create a token value and add it to the outgoing packet. */
+	if (req->smb_conn->negotiate.encrypted_passwords) {
+		req_grow_data(req, 8);
+		/* note that we do not send a challenge at all if
+		   we are using plaintext */
+		get_challenge(req->smb_conn, req->out.ptr);
+		req->out.ptr += 8;
+		SCVAL(req->out.vwv+1, VWV(16), 8);
+	}
+	req_push_str(req, NULL, lp_workgroup(), -1, STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
+	req_push_str(req, NULL, lp_netbios_name(), -1, STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
+	DEBUG(3,("not using SPNEGO\n"));
+}
+
 /****************************************************************************
  Reply for the nt protocol.
 ****************************************************************************/
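Review bot: `reply_nt1_orig` at the top of this hunk is a new file-scope helper with no header comment, and the next hunk also calls it as a last-resort fallback from the extended-security branch, so its contract deserves stating where it is defined. A comment such as `/* Append the pre-extended-security tail of an NT1 negprot reply: an 8-byte challenge (only when encrypted passwords were negotiated) followed by the workgroup and NetBIOS name. Also used as the fallback when no GENSEC mechanism can be started. */` above the definition would do. The body itself is a verbatim move of the code removed from `reply_nt1` below, so its behaviour is unchanged.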
@@ -313,23 +329,13 @@
 	SSVALS(req->out.vwv+1,VWV(15), req->smb_conn->negotiate.zone_offset/60);
 	
 	if (!negotiate_spnego) {
-		/* Create a token value and add it to the outgoing packet. */
-		if (req->smb_conn->negotiate.encrypted_passwords) {
-			req_grow_data(req, 8);
-			/* note that we do not send a challenge at all if
-			   we are using plaintext */
-			get_challenge(req->smb_conn, req->out.ptr);
-			req->out.ptr += 8;
-			SCVAL(req->out.vwv+1, VWV(16), 8);
-		}
-		req_push_str(req, NULL, lp_workgroup(), -1, STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
-		req_push_str(req, NULL, lp_netbios_name(), -1, STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
-		DEBUG(3,("not using SPNEGO\n"));
+		reply_nt1_orig(req);
 	} else {
 		struct cli_credentials *server_credentials;
 		struct gensec_security *gensec_security;
 		DATA_BLOB null_data_blob = data_blob(NULL, 0);
 		DATA_BLOB blob;
+		const char *oid;
 		NTSTATUS nt_status = gensec_server_start(req->smb_conn, 
 							 &gensec_security,
 							 req->smb_conn->connection->event.ctx);
@@ -366,31 +372,33 @@
 
 		gensec_set_credentials(gensec_security, server_credentials);
 
-		nt_status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
+		oid = GENSEC_OID_SPNEGO;
+		nt_status = gensec_start_mech_by_oid(gensec_security, oid);
 		
 		if (NT_STATUS_IS_OK(nt_status)) {
 			/* Get and push the proposed OID list into the packets */
 			nt_status = gensec_update(gensec_security, req, null_data_blob, &blob);
 
 			if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-				DEBUG(0, ("Failed to get SPNEGO to give us the first token: %s\n", nt_errstr(nt_status)));
-				smbsrv_terminate_connection(req->smb_conn, "Failed to start SPNEGO - no first token\n");
-				return;
+				DEBUG(1, ("Failed to get SPNEGO to give us the first token: %s\n", nt_errstr(nt_status)));
 			}
-		} else {
+		}
+
+		if (!NT_STATUS_IS_OK(nt_status) && !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 			DEBUG(5, ("Failed to start SPNEGO, falling back to NTLMSSP only: %s\n", nt_errstr(nt_status)));
-			nt_status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_NTLMSSP);
+			oid = GENSEC_OID_NTLMSSP;
+			nt_status = gensec_start_mech_by_oid(gensec_security, oid);
 			
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				DEBUG(0, ("Failed to start SPNEGO as well as NTLMSSP fallback: %s\n", nt_errstr(nt_status)));
-				smbsrv_terminate_connection(req->smb_conn, "Failed to start SPNEGO and NTLMSSP");
+				reply_nt1_orig(req);
 				return;
 			}
 			/* NTLMSSP is a client-first exchange */
 			blob = data_blob(NULL, 0);
 		}
 
-		req->smb_conn->negotiate.spnego_negotiated = True;
+		req->smb_conn->negotiate.oid = oid;
 	
 		req_grow_data(req, blob.length + 16);
 		/* a NOT very random guid, perhaps we should get it
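Review bot: The NTLMSSP retry at `oid = GENSEC_OID_NTLMSSP;` is now also reached when `gensec_update` failed on a context for which `gensec_start_mech_by_oid(…, GENSEC_OID_SPNEGO)` had already succeeded, whereas before it ran only when the SPNEGO start itself failed; whether gensec allows a second mechanism to be started on an already-started context is not visible here and should be confirmed, or a fresh `gensec_server_start` done before the retry. The final fallback, `reply_nt1_orig(req); return;`, leaves `negotiate.oid` untouched and sends the reply with whatever capability bits the earlier part of `reply_nt1` (outside this hunk) already wrote; if those still advertise extended security, a client will parse the challenge and names as a GUID and security blob, so that path should clear the extended-security capability (or reject the negprot) and set `req->smb_conn->negotiate.oid = NULL;` explicitly rather than rely on earlier zeroing. Each step is also a silent downgrade of the negotiated authentication; logging the NTLMSSP-only and no-extended-security fallbacks at a level that is on in normal operation, rather than `DEBUG(5, …)`, would make them visible to an operator.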

Modified: branches/SAMBA_4_0/source/smb_server/smb/sesssetup.c
===================================================================
--- branches/SAMBA_4_0/source/smb_server/smb/sesssetup.c	2006-02-09 02:30:43 UTC (rev 13402)
+++ branches/SAMBA_4_0/source/smb_server/smb/sesssetup.c	2006-02-09 03:04:48 UTC (rev 13403)
@@ -149,7 +149,7 @@
 		req->smb_conn->negotiate.client_caps = sess->nt1.in.capabilities;
 	}
 
-	if (req->smb_conn->negotiate.spnego_negotiated) {
+	if (req->smb_conn->negotiate.oid) {
 		if (sess->nt1.in.user && *sess->nt1.in.user) {
 			/* We can't accept a normal login, because we
 			 * don't have a challenge */
@@ -294,9 +294,10 @@
 
 		gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
 
-		status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
+		status = gensec_start_mech_by_oid(gensec_ctx, req->smb_conn->negotiate.oid);
 		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(1, ("Failed to start GENSEC SPNEGO server code: %s\n", nt_errstr(status)));
+			DEBUG(1, ("Failed to start GENSEC %s server code: %s\n", 
+				  gensec_get_name_by_oid(req->smb_conn->negotiate.oid), nt_errstr(status)));
 			return status;
 		}
 
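Review bot: `gensec_start_mech_by_oid(gensec_ctx, req->smb_conn->negotiate.oid)` now receives whatever the negprot stored, and if this function can be reached when no extended-security mechanism was selected (`negotiate.oid` NULL, the state the new `reply_nt1_orig` fallback in negprot.c leaves behind) a NULL OID is passed where the old code always passed GENSEC_OID_SPNEGO; the enclosing function starts outside this hunk, so whether an earlier check rules that out is not visible. A guard such as `if (!req->smb_conn->negotiate.oid) { return NT_STATUS_INVALID_PARAMETER; }` before the call, or whichever status the caller maps to a rejected session setup, would make the contract explicit. The `gensec_get_name_by_oid` call in the DEBUG line receives the same pointer and needs the same guarantee.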

Modified: branches/SAMBA_4_0/source/smb_server/smb_server.h
===================================================================
--- branches/SAMBA_4_0/source/smb_server/smb_server.h	2006-02-09 02:30:43 UTC (rev 13402)
+++ branches/SAMBA_4_0/source/smb_server/smb_server.h	2006-02-09 03:04:48 UTC (rev 13403)
@@ -251,8 +251,8 @@
 		/* did we tell the client we support encrypted passwords? */
 		BOOL encrypted_passwords;
 	
-		/* did we send an extended security negprot reply? */
-		BOOL spnego_negotiated;
+		/* Did we choose SPNEGO, or perhaps raw NTLMSSP, or even no extended security at all? */
+		const char *oid;
 	
 		/* client capabilities */
 		uint32_t client_caps;
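Review bot: The new comment on `const char *oid;` poses a question instead of stating the field's contract, and sesssetup.c now branches on the field being NULL, so that meaning should be written down: `/* GENSEC OID of the mechanism offered in the negprot reply (SPNEGO, or raw NTLMSSP as fallback); NULL when no extended security was negotiated. Not owned by this struct. */`. The ownership remark assumes the GENSEC_OID_* values assigned in negprot.c are constant strings, which is not visible in this diff and should be confirmed before it is written.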


