mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00

CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher 2016-10-27 10:40:28 +02:00 committed by Jule Anger
parent 93dad333a2
commit c17f4256e5


@ -1450,6 +1450,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
uint32_t in_sess_key = 0;
const char *in_native_os = NULL;
const char *in_native_lm = NULL;
enum credentials_use_kerberos krb5_state =
cli_credentials_get_kerberos_state(creds);
NTSTATUS status;
req = tevent_req_create(mem_ctx, &state,
@ -1491,6 +1493,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
return req;
}
if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
DBG_WARNING("Kerberos authentication requested, but "
"the server does not support SPNEGO authentication\n");
tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
return tevent_req_post(req, ev);
}
if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
/*
* SessionSetupAndX was introduced by LANMAN 1.0. So we skip
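Review bot: The `krb5_state == CRED_USE_KERBEROS_REQUIRED` guard has no comment recording that it must stay ahead of every non-SPNEGO session setup path, and its warning does not say which server triggered it. A later refactor that moves the legacy branches above the guard would presumably reintroduce the fallback; those branches begin at the `PROTOCOL_LANMAN1` check and continue outside this hunk, as does the rest of cli_session_setup_creds_send. I would add `/* CVE-2016-2124: never fall back to NTLM or plaintext when Kerberos is required */` directly above the `if`. For detection, a server that stops offering SPNEGO to a Kerberos-only client is worth investigating as a possible downgrade, so the log line should name the peer, e.g. `"the server %s does not support SPNEGO authentication\n", smbXcli_conn_remote_name(cli->conn)`.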