authorSimo Sorce <simo@redhat.com>2014-08-10 16:44:58 -0400
committerSimo Sorce <simo@redhat.com>2014-08-10 17:00:53 -0400
commit29c539c25ae8071e0b401916ce8cd333c6ec2cd3 (patch)
treec3292472d1741f08a002e04ca9c71899adb6e5bd
parent669a5782ff62b012f4220dc5859ea8595d17532d (diff)
Always send NetBIOS Domain Name
Apparently Windows (2012 at least) refuses to authenticate if the target_info field in the challenge message lacks the NetBIOS Domain Name. So always set a fake nb_domain_name if none is available, but do not mark the server as a domain member in that case.
-rw-r--r--src/gss_names.c8
-rw-r--r--src/gss_ntlmssp.c15
-rw-r--r--src/gss_ntlmssp.h2
-rw-r--r--src/gss_sec_ctx.c2
4 files changed, 25 insertions, 2 deletions
diff --git a/src/gss_names.c b/src/gss_names.c
index 09618a4..e76a3e8 100644
--- a/src/gss_names.c
+++ b/src/gss_names.c
@@ -607,6 +607,14 @@ uint32_t netbios_get_names(char *computer_name,
}
}
+ if (!nb_domain_name) {
+ nb_domain_name = strdup(DEF_NB_DOMAIN);
+ if (!nb_domain_name) {
+ ret = ENOMEM;
+ goto done;
+ }
+ }
+
ret = 0;
done:
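Review bot: The strdup(DEF_NB_DOMAIN) fallback turns a string literal into an in-band sentinel, because the gss_ntlmssp.c hunk in gssntlm_set_role() now demotes any server whose NetBIOS domain compares equal to DEF_NB_DOMAIN to GSSNTLM_SERVER, so a host really joined to a domain named "WORKSTATION" would silently lose its domain-member role. If the name cannot be carried separately, the fallback at least deserves a comment at the strdup, e.g. `/* placeholder; gssntlm_set_role() treats DEF_NB_DOMAIN as "not a domain member" */`, so the coupling between the two files is visible. The fallback also keys only on NULL; since gssntlm_set_role() tests `*nb_domain_name`, an earlier branch apparently can leave an empty string, which would skip the fallback and still put an empty name into target_info (hedged, as those branches are outside the hunk). netbios_get_names() starts outside the hunk.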
diff --git a/src/gss_ntlmssp.c b/src/gss_ntlmssp.c
index 666508b..50893c5 100644
--- a/src/gss_ntlmssp.c
+++ b/src/gss_ntlmssp.c
@@ -69,7 +69,8 @@ void gssntlm_set_role(struct gssntlm_ctx *ctx,
{
if (desired == GSSNTLM_CLIENT) {
ctx->role = GSSNTLM_CLIENT;
- } else if (nb_domain_name && *nb_domain_name) {
+ } else if (nb_domain_name && *nb_domain_name &&
+ strcmp(nb_domain_name, DEF_NB_DOMAIN) != 0) {
ctx->role = GSSNTLM_DOMAIN_SERVER;
} else {
ctx->role = GSSNTLM_SERVER;
@@ -94,6 +95,18 @@ bool gssntlm_role_is_server(struct gssntlm_ctx *ctx)
return false;
}
+bool gssntlm_role_is_domain_member(struct gssntlm_ctx *ctx)
+{
+ switch (ctx->role) {
+ case GSSNTLM_DOMAIN_SERVER:
+ case GSSNTLM_DOMAIN_CONTROLLER:
+ return true;
+ default:
+ break;
+ }
+ return false;
+}
+
bool gssntlm_sec_lm_ok(struct gssntlm_ctx *ctx)
{
switch (ctx->role) {
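Review bot: The new gssntlm_role_is_domain_member() has no comment explaining how it differs from gssntlm_role_is_server(), which matters because callers in gss_sec_ctx.c now use it to decide whether the real NetBIOS domain name goes into the challenge. A header comment such as `/* True when the role came from a real NetBIOS domain name rather than the DEF_NB_DOMAIN placeholder (see gssntlm_set_role); also true for a domain controller. */` would capture the intent; the domain-controller case is set elsewhere and is not visible here. As a point of style, the switch with a `default: break;` that only exists to reach `return false` reads more directly as `return ctx->role == GSSNTLM_DOMAIN_SERVER || ctx->role == GSSNTLM_DOMAIN_CONTROLLER;`, though keeping the switch form matches the sibling helpers in this file.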
diff --git a/src/gss_ntlmssp.h b/src/gss_ntlmssp.h
index ee38c6f..ae86a0c 100644
--- a/src/gss_ntlmssp.h
+++ b/src/gss_ntlmssp.h
@@ -23,6 +23,7 @@
#include "gssapi_ntlmssp.h"
#include "debug.h"
+#define DEF_NB_DOMAIN "WORKSTATION"
#define MAX_CHALRESP_LIFETIME 36 * 60 * 60 /* 36 hours in seconds */
#define SEC_LEVEL_MIN 0
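Review bot: DEF_NB_DOMAIN is defined without a comment, yet it is both a wire-visible value (it ends up in the challenge's target_info when no real domain is known) and a sentinel that gssntlm_set_role() compares against with strcmp() to decide the server is not a domain member. A reader changing the string later would not know that both uses must stay in step; suggest `#define DEF_NB_DOMAIN "WORKSTATION" /* placeholder NetBIOS domain; gssntlm_set_role() treats it as "no domain" */`. Note that the placeholder also tells any client that the server is standalone, which is presumably acceptable here but worth stating in the comment.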
@@ -177,6 +178,7 @@ void gssntlm_set_role(struct gssntlm_ctx *ctx,
int desired, char *nb_domain_name);
bool gssntlm_role_is_client(struct gssntlm_ctx *ctx);
bool gssntlm_role_is_server(struct gssntlm_ctx *ctx);
+bool gssntlm_role_is_domain_member(struct gssntlm_ctx *ctx);
bool gssntlm_sec_lm_ok(struct gssntlm_ctx *ctx);
bool gssntlm_sec_ntlm_ok(struct gssntlm_ctx *ctx);
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index 5995a43..7192b48 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -752,7 +752,7 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
goto done;
}
- if (nb_domain_name) {
+ if (gssntlm_role_is_domain_member(ctx)) {
chal_target_name = nb_domain_name;
ctx->neg_flags |= NTLMSSP_TARGET_TYPE_DOMAIN;
} else {