sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

s3:libsmb: use anonymous authentication via spnego if possible

Browse Source 
This makes the authentication consistent between
SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
and SNB2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Stefan Metzmacher 2016-04-19 07:33:03 +02:00
parent fa5799207e
commit e72ad193a5
1 changed files with 29 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
source3/libsmb/cliconnect.c
View File

@ -1643,6 +1643,19 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
}
}
if (state->is_anonymous) {
/*
* Windows server does not set the
* SMB2_SESSION_FLAG_IS_NULL flag.
*
* This fix makes sure we do not try
* to verify a signature on the final
* session setup response.
*/
tevent_req_done(req);
return;
}
status = gensec_session_key(state->auth_generic->gensec_security,
state, &state->session_key);
if (tevent_req_nterror(req, status)) {
@ -1652,20 +1665,6 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
struct smbXcli_session *session = state->cli->smb2.session;
if (state->is_anonymous) {
/*
* Windows server does not set the
* SMB2_SESSION_FLAG_IS_GUEST nor
* SMB2_SESSION_FLAG_IS_NULL flag.
*
* This fix makes sure we do not try
* to verify a signature on the final
* session setup response.
*/
tevent_req_done(req);
return;
}
status = smb2cli_session_set_session_key(session,
state->session_key,
state->recv_iov);
@ -2095,6 +2094,21 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
return req;
}
/*
* if the server supports extended security then use SPNEGO
* even for anonymous connections.
*/
if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
subreq = cli_session_setup_spnego_send(
state, ev, cli, user, pass, workgroup);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
req);
return req;
}
/* if no user is supplied then we have to do an anonymous connection.
passwords are ignored */
@ -2143,18 +2157,7 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
return req;
}
/* if the server supports extended security then use SPNEGO */
if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
subreq = cli_session_setup_spnego_send(
state, ev, cli, user, pass, workgroup);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
req);
return req;
} else {
{
/* otherwise do a NT1 style session setup */
if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
/*