author | Andrew Bartlett <abartlet@samba.org> | 2001-10-30 13:54:54 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2001-10-30 13:54:54 +0000 |
commit | 190898586fa218c952fbd5bea56155d04e6f248b (patch) | |
tree | fb6efe76c208c7b61b3364e4594c82411a9498fb | |
parent | c78fec86c97075bb5726fcb7ed197bc75dd88ac0 (diff) | |
Spnego on the 'server' end of security=server just does not work, so set the
flags so we just do a 'normal' session setup.
Also add some paranoia code to detect when somebody attempts to do a 'normal'
session setup when spnego had been negotiated.
Andrew Bartlett
-rw-r--r-- | source/auth/auth_server.c | 3 | ||||
-rw-r--r-- | source/smbd/auth_server.c | 3 | ||||
-rw-r--r-- | source/smbd/negprot.c | 5 | ||||
-rw-r--r-- | source/smbd/sesssetup.c | 8 |
4 files changed, 17 insertions, 2 deletions
diff --git a/source/auth/auth_server.c b/source/auth/auth_server.c index 2574a52ef3d..520417e3e09 100644 --- a/source/auth/auth_server.c +++ b/source/auth/auth_server.c @@ -51,6 +51,9 @@ struct cli_state *server_cryptkey(void) if (!cli_initialise(cli)) return NULL; + /* security = server just can't function with spnego */ + cli->use_spnego = False; + pserver = strdup(lp_passwordserver()); p = pserver; diff --git a/source/smbd/auth_server.c b/source/smbd/auth_server.c index 2574a52ef3d..520417e3e09 100644 --- a/source/smbd/auth_server.c +++ b/source/smbd/auth_server.c @@ -51,6 +51,9 @@ struct cli_state *server_cryptkey(void) if (!cli_initialise(cli)) return NULL; + /* security = server just can't function with spnego */ + cli->use_spnego = False; + pserver = strdup(lp_passwordserver()); p = pserver; diff --git a/source/smbd/negprot.c b/source/smbd/negprot.c index 16d315f1d89..e4285cb27cd 100644 --- a/source/smbd/negprot.c +++ b/source/smbd/negprot.c @@ -25,7 +25,8 @@ extern int Protocol; extern int max_recv; extern fstring global_myworkgroup; extern fstring remote_machine; -BOOL global_encrypted_passwords_negotiated; +BOOL global_encrypted_passwords_negotiated = False; +BOOL global_spnego_negotiated = False; /**************************************************************************** reply for the core protocol @@ -170,6 +171,8 @@ static int negprot_spnego(char *p, uint8 cryptkey[8]) char *principal; int len; + global_spnego_negotiated = True; + memset(guid, 0, 16); safe_strcpy((char *)guid, global_myname, 16); strlower((char *)guid); diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c index 5412cc3bada..2d9f624b800 100644 --- a/source/smbd/sesssetup.c +++ b/source/smbd/sesssetup.c 
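Review bot: The added comment above `cli->use_spnego = False;` in server_cryptkey() says SPNEGO cannot work here but not why, and the reason is what a later maintainer needs before re-enabling it. Presumably the password server's challenge has to be relayed to our own client and an extended-security negotiation does not yield one; if that is the reason, say so, e.g. `/* security = server relays the password server's challenge to our client; SPNEGO gives us none to relay, so force a plain session setup */`. The override also silently removes extended security from the hop to the password server, so it deserves a line in the `security = server` documentation. The identical hunk in source/smbd/auth_server.c needs the same comment; server_cryptkey() continues outside the hunk.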
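Review bot: `global_spnego_negotiated` is defined in negprot.c without a comment saying who sets it and who relies on it, although reply_sesssetup_and_X() now rejects requests based on it. A comment on the definition such as `/* True once negprot_spnego() has offered extended security; reply_sesssetup_and_X() then refuses a non-SPNEGO session setup */` would record that contract. The flag is set at the top of negprot_spnego(), whose body continues outside the hunk, and nothing visible in this diff ever clears it, so it is worth confirming that a repeated negotiate in the same process cannot leave it stale. Declaring it in a shared header instead of the function-local `extern` in sesssetup.c would let the compiler check the type at both ends.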
@@ -480,6 +480,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, BOOL guest=False; static BOOL done_sesssetup = False; extern BOOL global_encrypted_passwords_negotiated; + extern BOOL global_spnego_negotiated; extern uint32 global_client_caps; extern int Protocol; extern fstring remote_machine; @@ -492,11 +493,16 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* a SPNEGO session setup has 12 command words, whereas a normal NT1 session setup has 13. See the cifs spec. */ - if (CVAL(inbuf, smb_wct) == 12 && + if (CVAL(inbuf, smb_wct) == 12 && (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) { return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize); } + if (global_spnego_negotiated) { + DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n")); + return ERROR_NT(NT_STATUS_UNSUCCESSFUL); + } + *smb_apasswd = *smb_ntpasswd = 0; smb_bufsize = SVAL(inbuf,smb_vwv2); |
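Review bot: The new check closes only one direction of the mismatch: the extended-security branch just above it in reply_sesssetup_and_X() still dispatches to reply_sesssetup_and_X_spnego() on the client's word count and flags alone, without consulting `global_spnego_negotiated`. Unless that handler already copes with a connection where SPNEGO was never offered (not visible here), the branch should start with `if (!global_spnego_negotiated) return ERROR_NT(NT_STATUS_UNSUCCESSFUL);`. The rejection is also logged at `DEBUG(0, ...)`, which a client can trigger before authenticating; adding `remote_machine` to the message would make the entries usable for triage, and a higher debug level is worth considering if the line turns out to be noisy. The function body starts and ends outside the hunk.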