From 6e07f8f88d249522bee514f47d0de7feca361619 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 18 Apr 2006 18:00:57 +0000 Subject: r15129: Separate out mechanism and policy for NTLMSSP auth/sign/seal. With this change (and setting lanman auth = no in smb.conf) we have *identical* NTLMSSP flags to W2K3 in SPNEGO auth. Jeremy --- source/rpc_client/cli_pipe.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'source/rpc_client') diff --git a/source/rpc_client/cli_pipe.c b/source/rpc_client/cli_pipe.c index 37b1b2a671b..11eb21df446 100644 --- a/source/rpc_client/cli_pipe.c +++ b/source/rpc_client/cli_pipe.c @@ -2141,6 +2141,24 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli, return NT_STATUS_INVALID_INFO_CLASS; } + /* For NTLMSSP ensure the server gave us the auth_level we wanted. */ + if (auth_type == PIPE_AUTH_TYPE_NTLMSSP || auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) { + if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) { + if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) { + DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n")); + prs_mem_free(&rbuf); + return NT_STATUS_INVALID_PARAMETER; + } + } + if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) { + if (!(cli->auth.a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) { + DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n")); + prs_mem_free(&rbuf); + return NT_STATUS_INVALID_PARAMETER; + } + } + } + /* Pipe is bound - set up auth_type and auth_level data. */ cli->auth.auth_type = auth_type; -- cgit