mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
auth/ntlmssp: do map to guest checking after the authentication
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
parent
79a71545bf
commit
d667520568
@ -131,21 +131,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
|
||||
ntlmssp_state->allow_lm_key = true;
|
||||
}
|
||||
|
||||
if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
|
||||
/*
|
||||
* map to guest is not secure anyway, so
|
||||
* try to make it work and don't try to
|
||||
* negotiate new_spnego and MIC checking
|
||||
*/
|
||||
ntlmssp_state->force_old_spnego = true;
|
||||
}
|
||||
|
||||
if (role == ROLE_ACTIVE_DIRECTORY_DC) {
|
||||
/*
|
||||
* map to guest is not supported on an AD DC.
|
||||
*/
|
||||
ntlmssp_state->force_old_spnego = false;
|
||||
}
|
||||
ntlmssp_state->force_old_spnego = false;
|
||||
|
||||
ntlmssp_state->neg_flags =
|
||||
NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
|
||||
|
@ -31,6 +31,9 @@
|
||||
#include "auth/gensec/gensec.h"
|
||||
#include "auth/gensec/gensec_internal.h"
|
||||
#include "auth/common_auth.h"
|
||||
#include "param/param.h"
|
||||
#include "param/loadparm.h"
|
||||
#include "libcli/security/session.h"
|
||||
|
||||
/**
|
||||
* Determine correct target name flags for reply, given server role
|
||||
@ -700,6 +703,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
|
||||
struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
|
||||
struct auth4_context *auth_context = gensec_security->auth_context;
|
||||
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
|
||||
struct auth_session_info *session_info = NULL;
|
||||
struct auth_usersupplied_info *user_info;
|
||||
|
||||
user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
|
||||
@ -736,6 +740,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
|
||||
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
|
||||
&& auth_context->generate_session_info != NULL)
|
||||
{
|
||||
NTSTATUS tmp_status;
|
||||
|
||||
/*
|
||||
* We need to check if the auth is anonymous or mapped to guest
|
||||
*/
|
||||
tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
|
||||
gensec_ntlmssp->server_returned_info,
|
||||
gensec_ntlmssp->ntlmssp_state->user,
|
||||
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
|
||||
&session_info);
|
||||
if (!NT_STATUS_IS_OK(tmp_status)) {
|
||||
/*
|
||||
* We don't care about failures,
|
||||
* the worst result is that we try MIC checking
|
||||
* for a map to guest authentication.
|
||||
*/
|
||||
TALLOC_FREE(session_info);
|
||||
}
|
||||
}
|
||||
|
||||
if (session_info != NULL) {
|
||||
if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
|
||||
/*
|
||||
* Anonymous and GUEST are not secure anyway.
|
||||
* avoid new_spnego and MIC checking.
|
||||
*/
|
||||
ntlmssp_state->new_spnego = false;
|
||||
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
|
||||
ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
|
||||
}
|
||||
TALLOC_FREE(session_info);
|
||||
}
|
||||
|
||||
talloc_steal(mem_ctx, user_session_key->data);
|
||||
talloc_steal(mem_ctx, lm_session_key->data);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user