[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Fri May 21 13:09:02 MDT 2010


The branch, master has been updated
       via  efb2922... Make krb5 over SMB2 identical to the way we handle it in SMB1.
      from  f576cc5... Doh! If you're going to give advice in "useage", make sure it's correct.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit efb29227fa46e2c9420b3158ef7422aea4f5846e
Author: Jeremy Allison <jra at samba.org>
Date:   Fri May 21 12:08:18 2010 -0700

    Make krb5 over SMB2 identical to the way we handle it in SMB1.
    
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/smbd/smb2_sesssetup.c |   52 +++++++++++++++++++++++++++++++++++++++-
 1 files changed, 50 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index ed58189..92e77a5 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -516,7 +516,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 
 static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 					struct smbd_smb2_request *smb2req,
-					uint8_t in_security_flags,
+					uint8_t in_security_mode,
 					DATA_BLOB in_security_buffer,
 					uint16_t *out_session_flags,
 					DATA_BLOB *out_security_buffer,
@@ -542,7 +542,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 				USE_KERBEROS_KEYTAB) ) {
 		status = smbd_smb2_session_setup_krb5(session,
 				smb2req,
-				in_security_flags,
+				in_security_mode,
 				&secblob_in,
 				kerb_mech,
 				out_session_flags,
@@ -706,6 +706,54 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
+	if (auth.data[0] == ASN1_APPLICATION(0)) {
+		/* Might be a second negTokenTarg packet */
+		DATA_BLOB secblob_in = data_blob_null;
+		char *kerb_mech = NULL;
+
+		status = parse_spnego_mechanisms(in_security_buffer,
+				&secblob_in, &kerb_mech);
+		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(session);
+			return status;
+		}
+
+#ifdef HAVE_KRB5
+		if (kerb_mech && ((lp_security()==SEC_ADS) ||
+					USE_KERBEROS_KEYTAB) ) {
+			status = smbd_smb2_session_setup_krb5(session,
+					smb2req,
+					in_security_mode,
+					&secblob_in,
+					kerb_mech,
+					out_session_flags,
+					out_security_buffer,
+					out_session_id);
+
+			data_blob_free(&secblob_in);
+			SAFE_FREE(kerb_mech);
+			if (!NT_STATUS_IS_OK(status)) {
+				TALLOC_FREE(session);
+			}
+			return status;
+		}
+#endif
+
+		/* Can't blunder into NTLMSSP auth if we have
+		 * a krb5 ticket. */
+
+		if (kerb_mech) {
+			DEBUG(3,("smb2: network "
+				"misconfiguration, client sent us a "
+				"krb5 ticket and kerberos security "
+				"not enabled\n"));
+			TALLOC_FREE(session);
+			data_blob_free(&secblob_in);
+			SAFE_FREE(kerb_mech);
+			return NT_STATUS_LOGON_FAILURE;
+		}
+	}
+
 	status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 				     auth,
 				     &auth_out);
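Review bot: The new guard `if (auth.data[0] == ASN1_APPLICATION(0))` reads the first byte of `auth` with no length check visible in this hunk; if the parse step above can succeed with an empty blob, this touches a NULL or zero-length buffer on client-supplied, pre-authentication input, so `if (auth.length > 0 && auth.data[0] == ASN1_APPLICATION(0))` would be safer. On the path where `parse_spnego_mechanisms()` succeeds and `kerb_mech` is NULL, the block falls through to `auth_ntlmssp_update()` without `data_blob_free(&secblob_in)`, so whatever the parser stored there appears to be leaked once per such request. The guard also tests `auth` while the parse is handed `in_security_buffer`; it is worth confirming that this is the intended blob. smbd_smb2_spnego_auth begins and ends outside the hunk, so the earlier validation and the release of `auth` on the new early returns cannot be checked from here.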


-- 
Samba Shared Repository

