svn commit: samba r15503 - in branches/SAMBA_4_0/source/librpc/rpc: .

abartlet at samba.org abartlet at samba.org
Sun May 7 19:36:06 GMT 2006


Author: abartlet
Date: 2006-05-07 19:36:06 +0000 (Sun, 07 May 2006)
New Revision: 15503

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=15503

Log:
I may shortly have to revert all of this, but be clearer about how we
handle the NTLMSSP and wrong password fallbacks.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c


Changeset:
Modified: branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c
===================================================================
--- branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c	2006-05-07 19:26:48 UTC (rev 15502)
+++ branches/SAMBA_4_0/source/librpc/rpc/dcerpc_util.c	2006-05-07 19:36:06 UTC (rev 15503)
@@ -976,7 +976,7 @@
 	struct dcerpc_binding *binding;
 	const struct dcerpc_interface_table *table;
 	struct cli_credentials *credentials;
-	uint8_t next_auth_type;
+	uint8_t auth_type;
 	BOOL try_ntlm_fallback;
 };
 
@@ -1011,10 +1011,12 @@
 	struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
 
 	status = dcerpc_bind_auth_recv(ctx);
-	if (s->try_ntlm_fallback && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
+	if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO
+	    && s->try_ntlm_fallback
+	    && NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
 		struct composite_context *sec_conn_req;
 		s->try_ntlm_fallback = False;
-		s->next_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+		s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
 		/* send a request for secondary rpc connection */
 		sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
 								s->binding);
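Review bot: The SPNEGO-to-NTLMSSP retry in this branch is an authentication downgrade decided by a single status code from the bind, and nothing in the hunk records that it happened. If NT_STATUS_INVALID_PARAMETER can be returned by the peer before authentication completes (the code that produces it is outside this hunk), whoever answers the bind can steer the client to raw NTLMSSP. I would log the downgrade where `s->auth_type` is reassigned, e.g. `DEBUG(3, ("SPNEGO bind rejected with INVALID_PARAMETER, retrying with NTLMSSP\n"));`, and add a comment saying the fallback is only armed when the binding named no auth type. The enclosing function starts and ends outside the hunk.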
@@ -1023,10 +1025,9 @@
 		composite_continue(c, sec_conn_req, continue_new_auth_bind, c);
 		
 		return;
-	} else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+	} else if (s->auth_type == DCERPC_AUTH_TYPE_SPNEGO && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
 		struct composite_context *sec_conn_req;
 		if (cli_credentials_wrong_password(s->credentials)) {
-			s->next_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
 			/* send a request for secondary rpc connection */
 			sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
 									s->binding);
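Review bot: The new `s->auth_type == DCERPC_AUTH_TYPE_SPNEGO` guard on the ACCESS_DENIED branch silently drops the wrong-password retry for every other auth type, including the NTLMSSP bind that the fallback branch above has just switched to. If that is intended, a comment on the condition should say so, for example `/* only retry with a new password for SPNEGO; ACCESS_DENIED after the NTLMSSP fallback is final */`. The condition is also written as one long line while the one above it is wrapped per clause; wrapping it the same way would keep the two fallbacks visually parallel. The rest of the branch and whatever follows it lie outside the hunk.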
@@ -1070,7 +1071,7 @@
 
 	/* initiate a authenticated bind */
 	auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
-					 s->credentials, s->next_auth_type,
+					 s->credentials, s->auth_type,
 					 dcerpc_auth_level(s->pipe->conn),
 					 s->table->authservices->names[0]);
 	if (composite_nomem(auth_req, c)) return;
@@ -1157,8 +1158,6 @@
 		 * connection is not signed or sealed.  For that case
 		 * we rely on the already authenticated CIFS connection
 		 */
-		
-		uint8_t auth_type;
 
 		if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
 			/*
@@ -1172,23 +1171,23 @@
 		}
 
 		if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
-			auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+			s->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
 
 		} else if (s->binding->flags & DCERPC_AUTH_KRB5) {
-			auth_type = DCERPC_AUTH_TYPE_KRB5;
+			s->auth_type = DCERPC_AUTH_TYPE_KRB5;
 
 		} else if (s->binding->flags & DCERPC_SCHANNEL) {
-			auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
+			s->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 
 		} else if (s->binding->flags & DCERPC_AUTH_NTLM) {
-			auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+			s->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
 		} else {
-			auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+			s->auth_type = DCERPC_AUTH_TYPE_SPNEGO;
 			s->try_ntlm_fallback = True;
 		}
 
 		auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
-						 s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+						 s->credentials, s->auth_type,
 						 dcerpc_auth_level(conn),
 						 s->table->authservices->names[0]);
 		if (composite_nomem(auth_req, c)) return c;
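Review bot: `s->try_ntlm_fallback` is assigned only in the final `else`, so for the four explicit-flag branches its value depends on how `s` was allocated, which is outside this hunk. The bind continuation now tests `s->auth_type == DCERPC_AUTH_TYPE_SPNEGO && s->try_ntlm_fallback`, so a binding that explicitly asked for SPNEGO through DCERPC_AUTH_SPNEGO would be downgraded to NTLMSSP if that field were ever non-zero. Setting `s->try_ntlm_fallback = False;` before the `if` chain would make the no-downgrade guarantee for explicitly requested mechanisms local and obvious. The enclosing function starts and ends outside the hunk.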


