2024-12-25 23:21:54 +03:00 · 0001-01-01 00:00:00 +00:00 · 0001-01-01 00:00:00 +00:00 · b74fda69bf
commit b74fda69bf
parent f5781f11eb
10 changed files with 604 additions and 64 deletions
--- a/source/include/config.h.in
+++ b/source/include/config.h.in
@ -1019,6 +1019,9 @@
 /* Define if you have the acl library (-lacl).  */
 #undef HAVE_LIBACL

+/* Define if you have the com_err library (-lcom_err).  */
+#undef HAVE_LIBCOM_ERR
+
 /* Define if you have the cups library (-lcups).  */
 #undef HAVE_LIBCUPS

@ -1031,6 +1034,9 @@
 /* Define if you have the inet library (-linet).  */
 #undef HAVE_LIBINET

+/* Define if you have the k5crypto library (-lk5crypto).  */
+#undef HAVE_LIBK5CRYPTO
+
 /* Define if you have the nsl library (-lnsl).  */
 #undef HAVE_LIBNSL

--- a/source/lib/util.c
+++ b/source/lib/util.c
@ -1913,9 +1913,9 @@ DATA_BLOB data_blob(void *p, size_t length)
 /*******************************************************************
 free a data blob
 *******************************************************************/
-void data_blob_free(DATA_BLOB d)
+void data_blob_free(DATA_BLOB *d)
 {
-	SAFE_FREE(d.data);
+	SAFE_FREE(d->data);
 }


--- a/source/libsmb/asn1.c
+++ b/source/libsmb/asn1.c
@ -87,13 +87,18 @@ BOOL asn1_pop_tag(ASN1_DATA *data)
 	/* yes, this is ugly. We don't know in advance how many bytes the length
 	   of a tag will take, so we assumed 1 byte. If we were wrong then we 
 	   need to correct our mistake */
-	if (len > 127) {
+	if (len > 255) {
 		data->data[nesting->start] = 0x82;
 		if (!asn1_write_uint8(data, 0)) return False;
 		if (!asn1_write_uint8(data, 0)) return False;
 		memmove(data->data+nesting->start+3, data->data+nesting->start+1, len);
 		data->data[nesting->start+1] = len>>8;
 		data->data[nesting->start+2] = len&0xff;
+	} else if (len > 127) {
+		data->data[nesting->start] = 0x81;
+		if (!asn1_write_uint8(data, 0)) return False;
+		memmove(data->data+nesting->start+2, data->data+nesting->start+1, len);
+		data->data[nesting->start+1] = len;
 	} else {
 		data->data[nesting->start] = len;
 	}
@ -203,14 +208,16 @@ BOOL asn1_start_tag(ASN1_DATA *data, uint8 tag)
 	asn1_read_uint8(data, &b);
 	if (b & 0x80) {
 		int n = b & 0x7f;
-		if (n != 2) {
+		if (n > 2) {
 			data->has_error = True;
 			return False;
 		}
 		asn1_read_uint8(data, &b);
-		nesting->taglen = b<<8;
-		asn1_read_uint8(data, &b);
-		nesting->taglen |= b;
+		nesting->taglen = b;
+		if (n == 2) {
+			asn1_read_uint8(data, &b);
+			nesting->taglen = (nesting->taglen << 8) | b;
+		}
 	} else {
 		nesting->taglen = b;
 	}
@ -320,7 +327,7 @@ BOOL asn1_read_GeneralString(ASN1_DATA *data, char **s)
 }

 /* read a octet string blob */
-BOOL asn1_read_octet_string(ASN1_DATA *data, DATA_BLOB *blob)
+BOOL asn1_read_OctetString(ASN1_DATA *data, DATA_BLOB *blob)
 {
 	int len;
 	if (!asn1_start_tag(data, ASN1_OCTET_STRING)) return False;
@ -345,3 +352,12 @@ BOOL asn1_check_enumerated(ASN1_DATA *data, int v)
 	asn1_end_tag(data);
 	return !data->has_error && (v == b);
 }
+
+/* check a enumarted value is correct */
+BOOL asn1_write_enumerated(ASN1_DATA *data, uint8 v)
+{
+	if (!asn1_push_tag(data, ASN1_ENUMERATED)) return False;
+	asn1_write_uint8(data, v);
+	asn1_pop_tag(data);
+	return !data->has_error;
+}
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@ -31,11 +31,12 @@ static  struct {
 prots[] = 
    {
      {PROTOCOL_CORE,"PC NETWORK PROGRAM 1.0"},
+      {PROTOCOL_COREPLUS,"MICROSOFT NETWORKS 1.03"},
+      {PROTOCOL_LANMAN1,"MICROSOFT NETWORKS 3.0"},
      {PROTOCOL_LANMAN1,"LANMAN1.0"},
-      {PROTOCOL_LANMAN1,"Windows for Workgroups 3.1a"},
      {PROTOCOL_LANMAN2,"LM1.2X002"},
-      {PROTOCOL_NT1,"Samba"},
-      {PROTOCOL_NT1,"LANMAN2.1"},
+      {PROTOCOL_LANMAN2,"Samba"},
+      {PROTOCOL_NT1,"NT LANMAN 1.0"},
      {PROTOCOL_NT1,"NT LM 0.12"},
      {-1,NULL}
    };
@ -394,7 +395,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principle, c
 	blob2 = cli_session_setup_blob(cli, negTokenTarg);

 	/* we don't need this blob for kerberos */
-	data_blob_free(blob2);
+	data_blob_free(&blob2);

 	return !cli_is_error(cli);
 }
@ -428,12 +429,12 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,

 	/* and wrap it in a SPNEGO wrapper */
 	msg1 = gen_negTokenTarg(mechs, blob);
-	data_blob_free(blob);		
+	data_blob_free(&blob);

 	/* now send that blob on its way */
 	blob = cli_session_setup_blob(cli, msg1);

-	data_blob_free(msg1); 
+	data_blob_free(&msg1);

 	if (!NT_STATUS_EQUAL(cli_nt_error(cli), NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		return False;
@ -445,18 +446,25 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,

 	/* the server gives us back two challenges */
 	if (!spnego_parse_challenge(blob, &chal1, &chal2)) {
+		DEBUG(3,("Failed to parse challenges\n"));
 		return False;
 	}

-	data_blob_free(blob);		
+	data_blob_free(&blob);

 	/* encrypt the password with the challenge */
 	memcpy(challenge, chal1.data + 24, 8);
 	SMBencrypt(pass, challenge,lmhash);
 	SMBNTencrypt(pass, challenge,nthash);

-	data_blob_free(chal1);
-	data_blob_free(chal2);
+#if 0
+	file_save("nthash.dat", nthash, 24);
+	file_save("lmhash.dat", lmhash, 24);
+	file_save("chal1.dat", chal1.data, chal1.length);
+#endif
+
+	data_blob_free(&chal1);
+	data_blob_free(&chal2);

 	/* this generates the actual auth packet */
 	msrpc_gen(&blob, "CdBBUUUBd", 
@ -473,13 +481,13 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, char *user,
 	/* wrap it in SPNEGO */
 	auth = spnego_gen_auth(blob);

-	data_blob_free(blob);
+	data_blob_free(&blob);

 	/* now send the auth packet and we should be done */
 	blob = cli_session_setup_blob(cli, auth);

-	data_blob_free(auth);
-	data_blob_free(blob);
+	data_blob_free(&auth);
+	data_blob_free(&blob);

 	return !cli_is_error(cli);
 }
--- a/source/libsmb/clientgen.c
+++ b/source/libsmb/clientgen.c
@ -216,7 +216,7 @@ void cli_shutdown(struct cli_state *cli)
 	SAFE_FREE(cli->outbuf);
 	SAFE_FREE(cli->inbuf);

-	data_blob_free(cli->secblob);
+	data_blob_free(&cli->secblob);

 	if (cli->mem_ctx)
 		talloc_destroy(cli->mem_ctx);
--- a/source/libsmb/clispnego.c
+++ b/source/libsmb/clispnego.c
@ -25,12 +25,13 @@
  generate a negTokenInit packet given a GUID, a list of supported
  OIDs (the mechanisms) and a principle name string 
 */
-ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16], 
+DATA_BLOB spnego_gen_negTokenInit(uint8 guid[16], 
 				  const char *OIDs[], 
 				  const char *principle)
 {
 	int i;
 	ASN1_DATA data;
+	DATA_BLOB ret;

 	memset(&data, 0, sizeof(data));

@ -66,7 +67,10 @@ ASN1_DATA spnego_gen_negTokenInit(uint8 guid[16],
 		asn1_free(&data);
 	}

-	return data;
+	ret = data_blob(data.data, data.length);
+	asn1_free(&data);
+
+	return ret;
 }


@ -166,6 +170,50 @@ DATA_BLOB gen_negTokenTarg(const char *OIDs[], DATA_BLOB blob)
 }


+/*
+  parse a negTokenTarg packet giving a list of OIDs and a security blob
+*/
+BOOL parse_negTokenTarg(DATA_BLOB blob, char *OIDs[ASN1_MAX_OIDS], DATA_BLOB *secblob)
+{
+	int i;
+	ASN1_DATA data;
+
+	asn1_load(&data, blob);
+	asn1_start_tag(&data, ASN1_APPLICATION(0));
+	asn1_check_OID(&data,OID_SPNEGO);
+	asn1_start_tag(&data, ASN1_CONTEXT(0));
+	asn1_start_tag(&data, ASN1_SEQUENCE(0));
+
+	asn1_start_tag(&data, ASN1_CONTEXT(0));
+	asn1_start_tag(&data, ASN1_SEQUENCE(0));
+	for (i=0; asn1_tag_remaining(&data) > 0 && i < ASN1_MAX_OIDS; i++) {
+		char *oid = NULL;
+		asn1_read_OID(&data,&oid);
+		OIDs[i] = oid;
+	}
+	OIDs[i] = NULL;
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+
+	asn1_start_tag(&data, ASN1_CONTEXT(2));
+	asn1_read_OctetString(&data,secblob);
+	asn1_end_tag(&data);
+
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+
+	asn1_end_tag(&data);
+
+	if (data.has_error) {
+		DEBUG(1,("Failed to parse negTokenTarg at offset %d\n", (int)data.ofs));
+		asn1_free(&data);
+		return False;
+	}
+
+	asn1_free(&data);
+	return True;
+}
+
 /*
  generate a krb5 GSS-API wrapper packet given a ticket
 */
@ -225,8 +273,8 @@ DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli, char *principle)
 	/* and wrap that in a shiny SPNEGO wrapper */
 	targ = gen_negTokenTarg(krb_mechs, tkt_wrapped);

-	data_blob_free(tkt_wrapped);
-	data_blob_free(tkt);
+	data_blob_free(&tkt_wrapped);
+	data_blob_free(&tkt);

 	return targ;
 }
@ -257,13 +305,13 @@ BOOL spnego_parse_challenge(DATA_BLOB blob,
 	asn1_end_tag(&data);

 	asn1_start_tag(&data,ASN1_CONTEXT(2));
-	asn1_read_octet_string(&data, chal1);
+	asn1_read_OctetString(&data, chal1);
 	asn1_end_tag(&data);

 	/* the second challenge is optional (XP doesn't send it) */
 	if (asn1_tag_remaining(&data)) {
 		asn1_start_tag(&data,ASN1_CONTEXT(3));
-		asn1_read_octet_string(&data, chal2);
+		asn1_read_OctetString(&data, chal2);
 		asn1_end_tag(&data);
 	}

@ -275,6 +323,52 @@ BOOL spnego_parse_challenge(DATA_BLOB blob,
 	return ret;
 }

+
+/*
+  generate a spnego NTLMSSP challenge packet given two security blobs
+  The second challenge is optional
+*/
+BOOL spnego_gen_challenge(DATA_BLOB *blob,
+			  DATA_BLOB *chal1, DATA_BLOB *chal2)
+{
+	ASN1_DATA data;
+
+	ZERO_STRUCT(data);
+
+	asn1_push_tag(&data,ASN1_CONTEXT(1));
+	asn1_push_tag(&data,ASN1_SEQUENCE(0));
+
+	asn1_push_tag(&data,ASN1_CONTEXT(0));
+	asn1_write_enumerated(&data,1);
+	asn1_pop_tag(&data);
+
+	asn1_push_tag(&data,ASN1_CONTEXT(1));
+	asn1_write_OID(&data, OID_NTLMSSP);
+	asn1_pop_tag(&data);
+
+	asn1_push_tag(&data,ASN1_CONTEXT(2));
+	asn1_write_OctetString(&data, chal1->data, chal1->length);
+	asn1_pop_tag(&data);
+
+	/* the second challenge is optional (XP doesn't send it) */
+	if (chal2) {
+		asn1_push_tag(&data,ASN1_CONTEXT(3));
+		asn1_write_OctetString(&data, chal2->data, chal2->length);
+		asn1_pop_tag(&data);
+	}
+
+	asn1_pop_tag(&data);
+	asn1_pop_tag(&data);
+
+	if (data.has_error) {
+		return False;
+	}
+
+	*blob = data_blob(data.data, data.length);
+	asn1_free(&data);
+	return True;
+}
+
 /*
 generate a SPNEGO NTLMSSP auth packet. This will contain the encrypted passwords
 */
@ -298,7 +392,32 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob)
 	asn1_free(&data);

 	return ret;
-	
+}
+
+/*
+ parse a SPNEGO NTLMSSP auth packet. This contains the encrypted passwords
+*/
+BOOL spnego_parse_auth(DATA_BLOB blob, DATA_BLOB *auth)
+{
+	ASN1_DATA data;
+
+	asn1_load(&data, blob);
+	asn1_start_tag(&data, ASN1_CONTEXT(1));
+	asn1_start_tag(&data, ASN1_SEQUENCE(0));
+	asn1_start_tag(&data, ASN1_CONTEXT(2));
+	asn1_read_OctetString(&data,auth);
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+	asn1_end_tag(&data);
+
+	if (data.has_error) {
+		DEBUG(3,("spnego_parse_auth failed at %d\n", (int)data.ofs));
+		asn1_free(&data);
+		return False;
+	}
+
+	asn1_free(&data);
+	return True;
 }


@ -312,6 +431,7 @@ DATA_BLOB spnego_gen_auth(DATA_BLOB blob)

  U = unicode string (input is unix string)
  B = data blob (pointer + length)
+  b = data blob in header (pointer + length)
  d = word (4 bytes)
  C = constant ascii string
 */
@ -339,6 +459,10 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			head_size += 8;
 			data_size += va_arg(ap, int);
 			break;
+		case 'b':
+			b = va_arg(ap, uint8 *);
+			head_size += va_arg(ap, int);
+			break;
 		case 'd':
 			n = va_arg(ap, int);
 			head_size += 4;
@ -384,6 +508,12 @@ BOOL msrpc_gen(DATA_BLOB *blob,
 			n = va_arg(ap, int);
 			SIVAL(blob->data, head_ofs, n); head_ofs += 4;
 			break;
+		case 'b':
+			b = va_arg(ap, uint8 *);
+			n = va_arg(ap, int);
+			memcpy(blob->data + head_ofs, b, n);
+			head_ofs += n;
+			break;
 		case 'C':
 			s = va_arg(ap, char *);
 			head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, 
@ -395,3 +525,81 @@ BOOL msrpc_gen(DATA_BLOB *blob,

 	return True;
 }
+
+
+/*
+  this is a tiny msrpc packet parser. This the the partner of msrpc_gen
+
+  format specifiers are:
+
+  U = unicode string (input is unix string)
+  B = data blob
+  b = data blob in header
+  d = word (4 bytes)
+  C = constant ascii string
+ */
+BOOL msrpc_parse(DATA_BLOB *blob,
+		 const char *format, ...)
+{
+	int i;
+	va_list ap;
+	char **ps, *s;
+	DATA_BLOB *b;
+	int head_ofs = 0;
+	uint16 len1, len2;
+	uint32 ptr;
+	uint32 *v;
+	pstring p;
+
+	va_start(ap, format);
+	for (i=0; format[i]; i++) {
+		switch (format[i]) {
+		case 'U':
+			len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			ptr =  IVAL(blob->data, head_ofs); head_ofs += 4;
+			/* make sure its in the right format - be strict */
+			if (len1 != len2 || (len1&1) || ptr + len1 > blob->length) {
+				return False;
+			}
+			ps = va_arg(ap, char **);
+			pull_string(NULL, p, blob->data + ptr, -1, len1, 
+				    STR_UNICODE|STR_NOALIGN);
+			(*ps) = strdup(p);
+			break;
+		case 'B':
+			len1 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			len2 = SVAL(blob->data, head_ofs); head_ofs += 2;
+			ptr =  IVAL(blob->data, head_ofs); head_ofs += 4;
+			/* make sure its in the right format - be strict */
+			if (len1 != len2 || ptr + len1 > blob->length) {
+				return False;
+			}
+			b = (DATA_BLOB *)va_arg(ap, void *);
+			*b = data_blob(blob->data + ptr, len1);
+			break;
+		case 'b':
+			b = (DATA_BLOB *)va_arg(ap, void *);
+			len1 = va_arg(ap, unsigned);
+			*b = data_blob(blob->data + head_ofs, len1);
+			head_ofs += len1;
+			break;
+		case 'd':
+			v = va_arg(ap, uint32 *);
+			*v = IVAL(blob->data, head_ofs); head_ofs += 4;
+			break;
+		case 'C':
+			s = va_arg(ap, char *);
+			head_ofs += pull_string(NULL, p, blob->data+head_ofs, -1, 
+						blob->length - head_ofs, 
+						STR_ASCII|STR_TERMINATE);
+			if (strcmp(s, p) != 0) {
+				return False;
+			}
+			break;
+		}
+	}
+	va_end(ap);
+
+	return True;
+}
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@ -113,6 +113,7 @@ typedef struct
 	char *szPasswordServer;
 	char *szSocketOptions;
 	char *szWorkGroup;
+	char *szRealm;
 	char **szDomainAdminGroup;
 	char **szDomainGuestGroup;
 	char *szUsernameMap;
@ -650,6 +651,7 @@ static struct parm_struct parm_table[] = {
 	{"path", P_STRING, P_LOCAL, &sDefault.szPath, NULL, NULL, FLAG_BASIC | FLAG_SHARE | FLAG_PRINT},
 	{"directory", P_STRING, P_LOCAL, &sDefault.szPath, NULL, NULL, 0},
 	{"workgroup", P_USTRING, P_GLOBAL, &Globals.szWorkGroup, NULL, NULL, FLAG_BASIC},
+	{"realm", P_USTRING, P_GLOBAL, &Globals.szRealm, NULL, NULL, FLAG_BASIC},
 	{"netbios name", P_UGSTRING, P_GLOBAL, global_myname, handle_netbios_name, NULL, FLAG_BASIC},
 	{"netbios aliases", P_LIST, P_GLOBAL, &Globals.szNetbiosAliases, NULL, NULL, 0},
 	{"netbios scope", P_UGSTRING, P_GLOBAL, global_scope, NULL, NULL, 0},
@ -1198,11 +1200,6 @@ static void init_globals(void)
 	string_set(&Globals.szPasswdProgram, "");
 	string_set(&Globals.szPrintcapname, PRINTCAP_NAME);
 	string_set(&Globals.szLockDir, LOCKDIR);
-#ifdef WITH_UTMP
-	string_set(&Globals.szUtmpDir, "");
-	string_set(&Globals.szWtmpDir, "");
-	Globals.bUtmp = False;
-#endif
 	string_set(&Globals.szSocketAddress, "0.0.0.0");
 	pstrcpy(s, "Samba ");
 	pstrcat(s, VERSION);
@ -1465,6 +1462,7 @@ FN_GLOBAL_STRING(lp_passwd_chat, &Globals.szPasswdChat)
 FN_GLOBAL_STRING(lp_passwordserver, &Globals.szPasswordServer)
 FN_GLOBAL_STRING(lp_name_resolve_order, &Globals.szNameResolveOrder)
 FN_GLOBAL_STRING(lp_workgroup, &Globals.szWorkGroup)
+FN_GLOBAL_STRING(lp_realm, &Globals.szRealm)
 FN_GLOBAL_STRING(lp_username_map, &Globals.szUsernameMap)
 #ifdef USING_GROUPNAME_MAP
 FN_GLOBAL_STRING(lp_groupname_map, &Globals.szGroupnameMap)
--- a/source/smbd/negprot.c
+++ b/source/smbd/negprot.c
@ -30,7 +30,7 @@ BOOL global_encrypted_passwords_negotiated;
 /****************************************************************************
 reply for the core protocol
 ****************************************************************************/
-static int reply_corep(char *outbuf)
+static int reply_corep(char *inbuf, char *outbuf)
 {
 	int outsize = set_message(outbuf,1,0,True);

@ -43,7 +43,7 @@ static int reply_corep(char *outbuf)
 /****************************************************************************
 reply for the coreplus protocol
 ****************************************************************************/
-static int reply_coreplus(char *outbuf)
+static int reply_coreplus(char *inbuf, char *outbuf)
 {
  int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);
  int outsize = set_message(outbuf,13,0,True);
@ -62,7 +62,7 @@ static int reply_coreplus(char *outbuf)
 /****************************************************************************
 reply for the lanman 1.0 protocol
 ****************************************************************************/
-static int reply_lanman1(char *outbuf)
+static int reply_lanman1(char *inbuf, char *outbuf)
 {
  int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);
  int secword=0;
@ -100,7 +100,7 @@ static int reply_lanman1(char *outbuf)
 /****************************************************************************
 reply for the lanman 2.0 protocol
 ****************************************************************************/
-static int reply_lanman2(char *outbuf)
+static int reply_lanman2(char *inbuf, char *outbuf)
 {
  int raw = (lp_readraw()?1:0) | (lp_writeraw()?2:0);
  int secword=0;
@ -154,10 +154,44 @@ static int reply_lanman2(char *outbuf)
 }


+
+/* 
+   generate the spnego negprot reply blob. Return the number of bytes used
+*/
+static int negprot_spnego(char *p, uint8 cryptkey[8])
+{
+	DATA_BLOB blob;
+	extern pstring global_myname;
+	uint8 guid[16];
+	const char *OIDs[] = {OID_NTLMSSP, 
+#if 0
+			      /* not till we add kerberos in the server */
+			      OID_KERBEROS5_OLD,
+#endif
+			      NULL};
+	char *principle;
+	int len;
+
+	memset(guid, 0, 16);
+	safe_strcpy(guid, global_myname, 16);
+	strlower(guid);
+
+	asprintf(&principle, "%s$@%s", guid, lp_realm());
+	blob = spnego_gen_negTokenInit(guid, OIDs, principle);
+	free(principle);
+
+	memcpy(p, blob.data, blob.length);
+	len = blob.length;
+	data_blob_free(&blob);
+	return len;
+}
+
+		
+
 /****************************************************************************
 reply for the nt protocol
 ****************************************************************************/
-static int reply_nt1(char *outbuf)
+static int reply_nt1(char *inbuf, char *outbuf)
 {
 	/* dual names + lock_and_read + nt SMBs + remote API calls */
 	int capabilities = CAP_NT_FIND|CAP_LOCK_AND_READ|
@ -166,10 +200,10 @@ static int reply_nt1(char *outbuf)
 	int secword=0;
 	time_t t = time(NULL);
 	struct cli_state *cli = NULL;
-	char cryptkey[8];
-	char crypt_len = 0;
+	uint8 cryptkey[8];
 	char *p, *q;
-	
+	BOOL negotiate_spnego = False;
+
 	global_encrypted_passwords_negotiated = lp_encrypted_passwords();

 	if (lp_security() == SEC_SERVER) {
@ -177,6 +211,14 @@ static int reply_nt1(char *outbuf)
 		cli = server_cryptkey();
 	} else {
 		DEBUG(5,("not attempting password server validation\n"));
+		/* do spnego in user level security if the client
+		   supports it and we can do encrypted passwords */
+		if (global_encrypted_passwords_negotiated && 
+		    lp_security() == SEC_USER &&
+		    (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY)) {
+			negotiate_spnego = True;
+			capabilities |= CAP_EXTENDED_SECURITY;
+		}
 	}
 	
 	if (cli) {
@ -187,7 +229,6 @@ static int reply_nt1(char *outbuf)
 	}
 	
 	if (global_encrypted_passwords_negotiated) {
-		crypt_len = 8;
 		if (!cli) {
 			generate_next_challenge(cryptkey);
 		} else {
@ -224,7 +265,6 @@ static int reply_nt1(char *outbuf)
 	set_message(outbuf,17,0,True);
 	
 	CVAL(outbuf,smb_vwv1) = secword;
-	SSVALS(outbuf,smb_vwv16+1,crypt_len);
 	
 	Protocol = PROTOCOL_NT1;
 	
@ -238,8 +278,15 @@ static int reply_nt1(char *outbuf)
 	SSVALS(outbuf,smb_vwv15+1,TimeDiff(t)/60);
 	
 	p = q = smb_buf(outbuf);
-	if (global_encrypted_passwords_negotiated) memcpy(p, cryptkey, 8);
-	p += 8;
+	if (!negotiate_spnego) {
+		if (global_encrypted_passwords_negotiated) memcpy(p, cryptkey, 8);
+		SSVALS(outbuf,smb_vwv16+1,8);
+		p += 8;
+	} else {
+		int len = negprot_spnego(p, cryptkey);
+		SSVALS(outbuf,smb_vwv16+1,len);
+		p += len;
+	}
 	p += srvstr_push(outbuf, p, global_myworkgroup, -1, 
 			 STR_UNICODE|STR_TERMINATE|STR_NOALIGN);
 	
@ -322,7 +369,7 @@ protocol [LANMAN2.1]
 static struct {
  char *proto_name;
  char *short_name;
-  int (*proto_reply_fn)(char *);
+  int (*proto_reply_fn)(char *, char *);
  int protocol_level;
 } supported_protocols[] = {
  {"NT LANMAN 1.0",           "NT1",      reply_nt1,      PROTOCOL_NT1},
@ -441,7 +488,7 @@ int reply_negprot(connection_struct *conn,
    extern fstring remote_proto;
    fstrcpy(remote_proto,supported_protocols[protocol].short_name);
    reload_services(True);          
-    outsize = supported_protocols[protocol].proto_reply_fn(outbuf);
+    outsize = supported_protocols[protocol].proto_reply_fn(inbuf, outbuf);
    DEBUG(3,("Selected protocol %s\n",supported_protocols[protocol].proto_name));
  }
  else {
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@ -911,25 +911,24 @@ char *smb_fn_name(int type)

 void construct_reply_common(char *inbuf,char *outbuf)
 {
-  memset(outbuf,'\0',smb_size);
+	memset(outbuf,'\0',smb_size);

-  set_message(outbuf,0,0,True);
-  CVAL(outbuf,smb_com) = CVAL(inbuf,smb_com);
+	set_message(outbuf,0,0,True);
+	CVAL(outbuf,smb_com) = CVAL(inbuf,smb_com);
+	
+	memcpy(outbuf+4,inbuf+4,4);
+	CVAL(outbuf,smb_rcls) = SMB_SUCCESS;
+	CVAL(outbuf,smb_reh) = 0;
+	SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
+	SSVAL(outbuf,smb_flg2,
+	      FLAGS2_UNICODE_STRINGS | FLAGS2_LONG_PATH_COMPONENTS |
+	      FLAGS2_32_BIT_ERROR_CODES | FLAGS2_EXTENDED_SECURITY);

-  memcpy(outbuf+4,inbuf+4,4);
-  CVAL(outbuf,smb_rcls) = SMB_SUCCESS;
-  CVAL(outbuf,smb_reh) = 0;
-  SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); /* bit 7 set
-                                 means a reply */
-  SSVAL(outbuf,smb_flg2,
-	(SVAL(inbuf,smb_flg2)&FLAGS2_UNICODE_STRINGS) | FLAGS2_LONG_PATH_COMPONENTS);
-	/* say we support long filenames */
-
-  SSVAL(outbuf,smb_err,SMB_SUCCESS);
-  SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
-  SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
-  SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
-  SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
+	SSVAL(outbuf,smb_err,SMB_SUCCESS);
+	SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
+	SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
+	SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
+	SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
 }

 /****************************************************************************
--- a/source/smbd/sesssetup.c
+++ b/source/smbd/sesssetup.c
@ -22,6 +22,259 @@

 #include "includes.h"

+
+/****************************************************************************
+send a security blob via a session setup reply
+****************************************************************************/
+static BOOL reply_sesssetup_blob(connection_struct *conn, char *outbuf,
+				 DATA_BLOB blob)
+{
+	char *p;
+
+	set_message(outbuf,4,0,True);
+
+	/* we set NT_STATUS_MORE_PROCESSING_REQUIRED to tell the other end
+	   that we aren't finished yet */
+
+	SIVAL(outbuf, smb_rcls, NT_STATUS_V(NT_STATUS_MORE_PROCESSING_REQUIRED));
+	SSVAL(outbuf, smb_vwv0, 0xFF); /* no chaining possible */
+	SSVAL(outbuf, smb_vwv3, blob.length);
+	p = smb_buf(outbuf);
+	memcpy(p, blob.data, blob.length);
+	p += blob.length;
+	p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+	p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE);
+	p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
+	set_message_end(outbuf,p);
+	
+	return send_smb(smbd_server_fd(),outbuf);
+}
+
+
+
+
+/****************************************************************************
+reply to a session setup spnego negotiate packet
+****************************************************************************/
+static int reply_spnego_negotiate(connection_struct *conn, char *outbuf,
+				  DATA_BLOB blob1)
+{
+	char *OIDs[ASN1_MAX_OIDS];
+	DATA_BLOB secblob;
+	int i;
+	uint32 ntlmssp_command, neg_flags;
+	DATA_BLOB sess_key, chal, spnego_chal;
+	uint8 cryptkey[8];
+
+	/* parse out the OIDs and the first sec blob */
+	if (!parse_negTokenTarg(blob1, OIDs, &secblob)) {
+		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+	}
+	
+	for (i=0;OIDs[i];i++) {
+		DEBUG(3,("Got OID %s\n", OIDs[i]));
+		free(OIDs[i]);
+	}
+	DEBUG(3,("Got secblob of size %d\n", secblob.length));
+
+	/* parse the NTLMSSP packet */
+#if 0
+	file_save("secblob.dat", secblob.data, secblob.length);
+#endif
+
+	msrpc_parse(&secblob, "CddB",
+		    "NTLMSSP",
+		    &ntlmssp_command,
+		    &neg_flags,
+		    &sess_key);
+
+	data_blob_free(&secblob);
+	data_blob_free(&sess_key);
+
+	if (ntlmssp_command != NTLMSSP_NEGOTIATE) {
+		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+	}
+
+	DEBUG(3,("Got neg_flags=%08x\n", neg_flags));
+
+	last_challenge(cryptkey);
+
+	/* Give them the challenge. For now, ignore neg_flags and just
+	   return the flags we want. Obviously this is not correct */
+	
+	neg_flags = NTLMSSP_NEGOTIATE_UNICODE | 
+		NTLMSSP_NEGOTIATE_LM_KEY | 
+		NTLMSSP_NEGOTIATE_NTLM;
+
+	msrpc_gen(&chal, "Cddddbdddd",
+		  "NTLMSSP", 
+		  NTLMSSP_CHALLENGE,
+		  0,
+		  0x30, /* ?? */
+		  neg_flags,
+		  cryptkey, 8,
+		  0, 0, 0,
+		  0x3000); /* ?? */
+
+	if (!spnego_gen_challenge(&spnego_chal, &chal, &chal)) {
+		DEBUG(3,("Failed to generate challenge\n"));
+		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+	}
+
+	/* now tell the client to send the auth packet */
+	reply_sesssetup_blob(conn, outbuf, spnego_chal);
+
+	data_blob_free(&chal);
+	data_blob_free(&spnego_chal);
+
+	/* and tell smbd that we have already replied to this packet */
+	return -1;
+}
+
+	
+/****************************************************************************
+reply to a session setup spnego auth packet
+****************************************************************************/
+static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
+			     int length, int bufsize,
+			     DATA_BLOB blob1)
+{
+	DATA_BLOB auth;
+	char *workgroup, *user, *machine;
+	DATA_BLOB lmhash, nthash, sess_key;
+	uint32 ntlmssp_command, neg_flags;
+	NTSTATUS nt_status;
+	int sess_vuid;
+	gid_t gid;
+	uid_t uid;
+	char *full_name;
+	char *p;
+	const struct passwd *pw;
+
+	if (!spnego_parse_auth(blob1, &auth)) {
+		file_save("auth.dat", blob1.data, blob1.length);
+		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+	}
+
+	/* now the NTLMSSP encoded auth hashes */
+	if (!msrpc_parse(&auth, "CdBBUUUBd", 
+			 "NTLMSSP", 
+			 &ntlmssp_command, 
+			 &lmhash,
+			 &nthash,
+			 &workgroup, 
+			 &user, 
+			 &machine,
+			 &sess_key,
+			 &neg_flags)) {
+		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+	}
+
+	data_blob_free(&auth);
+	data_blob_free(&sess_key);
+	
+	DEBUG(3,("Got user=[%s] workgroup=[%s] machine=[%s] len1=%d len2=%d\n",
+		 user, workgroup, machine, lmhash.length, nthash.length));
+
+#if 0
+	file_save("nthash1.dat", nthash.data, nthash.length);
+	file_save("lmhash1.dat", lmhash.data, lmhash.length);
+#endif
+
+	nt_status = pass_check_smb(user, user, 
+				   workgroup, machine,
+				   lmhash.data,
+				   lmhash.length,
+				   nthash.data,
+				   nthash.length);
+
+	data_blob_free(&nthash);
+	data_blob_free(&lmhash);
+
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return ERROR_NT(nt_status);
+	}
+
+	/* the password is good - let them in */
+	pw = smb_getpwnam(user,False);
+	if (!pw) {
+		DEBUG(1,("Username %s is invalid on this system\n",user));
+		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+	}
+	gid = pw->pw_gid;
+	uid = pw->pw_uid;
+	full_name = pw->pw_gecos;
+
+	sess_vuid = register_vuid(uid,gid,user,user,workgroup,False, full_name);
+
+	free(user);
+	free(workgroup);
+	free(machine);
+	
+	if (sess_vuid == -1) {
+		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+	}
+
+	set_message(outbuf,4,0,True);
+	SSVAL(outbuf, smb_vwv3, 0);
+	p = smb_buf(outbuf);
+	p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+	p += srvstr_push(outbuf, p, "Samba", -1, STR_TERMINATE);
+	p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
+	set_message_end(outbuf,p);
+ 
+	SSVAL(outbuf,smb_uid,sess_vuid);
+	SSVAL(inbuf,smb_uid,sess_vuid);
+	
+	return chain_reply(inbuf,outbuf,length,bufsize);
+}
+
+
+/****************************************************************************
+reply to a session setup command
+****************************************************************************/
+static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,char *outbuf,
+					int length,int bufsize)
+{
+	uint8 *p;
+	DATA_BLOB blob1;
+	extern uint32 global_client_caps;
+	int ret;
+
+	chdir("/home/tridge");
+
+	if (global_client_caps == 0) {
+		global_client_caps = IVAL(inbuf,smb_vwv10);
+	}
+		
+	p = smb_buf(inbuf);
+
+	/* pull the spnego blob */
+	blob1 = data_blob(p, SVAL(inbuf, smb_vwv7));
+	
+	if (blob1.data[0] == ASN1_APPLICATION(0)) {
+		/* its a negTokenTarg packet */
+		ret = reply_spnego_negotiate(conn, outbuf, blob1);
+		data_blob_free(&blob1);
+		return ret;
+	}
+
+	if (blob1.data[0] == ASN1_CONTEXT(1)) {
+		/* its a auth packet */
+		ret = reply_spnego_auth(conn, inbuf, outbuf, length, bufsize, blob1);
+		data_blob_free(&blob1);
+		return ret;
+	}
+
+	/* what sort of packet is this? */
+	DEBUG(1,("Unknown packet in reply_sesssetup_and_X_spnego\n"));
+
+	data_blob_free(&blob1);
+
+	return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+}
+
+
 /****************************************************************************
 reply to a session setup command
 ****************************************************************************/
@ -53,6 +306,11 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
 	BOOL doencrypt = global_encrypted_passwords_negotiated;
 	START_PROFILE(SMBsesssetupX);
 	
+	if (SVAL(inbuf, smb_flg2) & FLAGS2_EXTENDED_SECURITY) {
+		/* it's a SPNEGO session setup */
+		return reply_sesssetup_and_X_spnego(conn, inbuf, outbuf, length, bufsize);
+	}
+
 	*smb_apasswd = *smb_ntpasswd = 0;
 	
 	smb_bufsize = SVAL(inbuf,smb_vwv2);