Cleint-side-auth/kerberos fixes from HEAD, and don't connect to a share

twice, let the libsmb code determine what form the share name should take.

Andrew Bartlett

3 files changed, 67 insertions, 25 deletions

diff --git a/source/client/client.c b/source/client/client.c
index 4761b0ae5c5..5da12fd984f 100644
--- a/source/client/client.c
+++ b/source/client/client.c
@@ -41,6 +41,7 @@ static pstring password;
 static pstring username;
 static pstring workgroup;
 static char *cmdstr;
+static BOOL got_user;
 static BOOL got_pass;
 static int io_bufsize = 64512;
 static BOOL use_kerberos;
@@ -2433,24 +2434,9 @@ static struct cli_state *do_connect(const char *server, const char *share)
 
 	if (!cli_send_tconX(c, sharename, "?????",
 			    password, strlen(password)+1)) {
-		pstring full_share;
-
-		/*
-		 * Some servers require \\server\share for the share
-		 * while others are happy with share as we gave above
-		 * Lets see if we give it the long form if it works
-		 */
-		pstrcpy(full_share, "\\\\");
-		pstrcat(full_share, server);
-		pstrcat(full_share, "\\");
-		pstrcat(full_share, sharename);
-		if (!cli_send_tconX(c, full_share, "?????", password,
-					strlen(password) + 1)) {
-
-			d_printf("tree connect failed: %s\n", cli_errstr(c));
-			cli_shutdown(c);
-			return NULL;
-		}
+		d_printf("tree connect failed: %s\n", cli_errstr(c));
+		cli_shutdown(c);
+		return NULL;
 	}
 
 	DEBUG(4,(" tconx ok\n"));
@@ -2889,6 +2875,8 @@ static void remember_query_host(const char *arg,
 		case 'U':
 			{
 				char *lp;
+
+				got_user = True;
 				pstrcpy(username,optarg);
 				if ((lp=strchr_m(username,'%'))) {
 					*lp = 0;
@@ -2985,7 +2973,6 @@ static void remember_query_host(const char *arg,
 		case 'k':
 #ifdef HAVE_KRB5
 			use_kerberos = True;
-			got_pass = True;
 #else
 			d_printf("No kerberos support compiled in\n");
 			exit(1);
@@ -2997,6 +2984,9 @@ static void remember_query_host(const char *arg,
 		}
 	}
 
+	if (use_kerberos && !got_user)
+			got_pass = True;
+
 	init_names();
 
 	if(*new_name_resolve_order)
diff --git a/source/client/smbmount.c b/source/client/smbmount.c
index 2c70f3ff50a..e2372d02b4e 100644
--- a/source/client/smbmount.c
+++ b/source/client/smbmount.c
@@ -41,12 +41,16 @@ static pstring options;
 static struct in_addr dest_ip;
 static BOOL have_ip;
 static int smb_port = 0;
+static BOOL got_user;
 static BOOL got_pass;
 static uid_t mount_uid;
 static gid_t mount_gid;
 static int mount_ro;
 static unsigned mount_fmask;
 static unsigned mount_dmask;
+static BOOL use_kerberos;
+/* TODO: Add code to detect smbfs version in kernel */
+static BOOL status32_smbfs = False;
 
 static void usage(void);
 
@@ -155,7 +159,14 @@ static struct cli_state *do_connection(char *the_service)
 	}
 
 	/* SPNEGO doesn't work till we get NTSTATUS error support */
-	c->use_spnego = False;
+	/* But it is REQUIRED for kerberos authentication */
+	if(!use_kerberos) c->use_spnego = False;
+
+	/* The kernel doesn't yet know how to sign it's packets */
+	c->sign_info.allow_smb_signing = False;
+
+	/* Use kerberos authentication if specified */
+	c->use_kerberos = use_kerberos;
 
 	if (!cli_session_request(c, &calling, &called)) {
 		char *p;
@@ -190,9 +201,17 @@ static struct cli_state *do_connection(char *the_service)
 
 	/* This should be right for current smbfs. Future versions will support
 	  large files as well as unicode and oplocks. */
-	c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
-				CAP_NT_FIND | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS);
-	c->force_dos_errors = True;
+	if (status32_smbfs) {
+	    c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
+                                 CAP_NT_FIND | CAP_LEVEL_II_OPLOCKS);
+	}
+	else {
+	    c->capabilities &= ~(CAP_UNICODE | CAP_LARGE_FILES | CAP_NT_SMBS |
+				 CAP_NT_FIND | CAP_STATUS32 |
+				 CAP_LEVEL_II_OPLOCKS);
+	    c->force_dos_errors = True;
+	}
+
 	if (!cli_session_setup(c, username, 
 			       password, strlen(password),
 			       password, strlen(password),
@@ -504,6 +523,9 @@ static void init_mount(void)
 		fprintf(stderr,"smbmnt failed: %d\n", WEXITSTATUS(status));
 		/* FIXME: do some proper error handling */
 		exit(1);
+	} else if (WIFSIGNALED(status)) {
+		fprintf(stderr, "smbmnt killed by signal %d\n", WTERMSIG(status));
+		exit(1);
 	}
 
 	/* Ok...  This is the rubicon for that mount point...  At any point
@@ -623,8 +645,9 @@ static void read_credentials_file(char *filename)
 			pstrcpy(password, val);
 			got_pass = True;
 		}
-		else if (strwicmp("username", param) == 0)
+		else if (strwicmp("username", param) == 0) {
 			pstrcpy(username, val);
+		}
 
 		memset(buf, 0, sizeof(buf));
 	}
@@ -646,6 +669,7 @@ static void usage(void)
       username=<arg>                  SMB username\n\
       password=<arg>                  SMB password\n\
       credentials=<filename>          file with username/password\n\
+      krb                             use kerberos (active directory)\n\
       netbiosname=<arg>               source NetBIOS name\n\
       uid=<arg>                       mount uid or username\n\
       gid=<arg>                       mount gid or groupname\n\
@@ -687,6 +711,17 @@ static void parse_mount_smb(int argc, char **argv)
 	int val;
 	char *p;
 
+	/* FIXME: This function can silently fail if the arguments are
+	 * not in the expected order.
+
+	> The arguments syntax of smbmount 2.2.3a (smbfs of Debian stable)
+	> requires that one gives "-o" before further options like username=...
+	> . Without -o, the username=.. setting is *silently* ignored. I've
+	> spent about an hour trying to find out why I couldn't log in now..
+
+	*/
+
+
 	if (argc < 2 || argv[1][0] == '-') {
 		usage();
 		exit(1);
@@ -721,6 +756,7 @@ static void parse_mount_smb(int argc, char **argv)
                         if (!strcmp(opts, "username") || 
 			    !strcmp(opts, "logon")) {
 				char *lp;
+				got_user = True;
 				pstrcpy(username,opteq+1);
 				if ((lp=strchr_m(username,'%'))) {
 					*lp = 0;
@@ -778,6 +814,16 @@ static void parse_mount_smb(int argc, char **argv)
 			} else if(!strcmp(opts, "guest")) {
 				*password = '\0';
 				got_pass = True;
+			} else if(!strcmp(opts, "krb")) {
+#ifdef HAVE_KRB5
+
+				use_kerberos = True;
+				if(!status32_smbfs)
+					fprintf(stderr, "Warning: kerberos support will only work for samba servers\n");
+#else
+				fprintf(stderr,"No kerberos support compiled in\n");
+				exit(1);
+#endif
 			} else if(!strcmp(opts, "rw")) {
 				mount_ro = 0;
 			} else if(!strcmp(opts, "ro")) {
@@ -862,6 +908,10 @@ static void parse_mount_smb(int argc, char **argv)
 
 	parse_mount_smb(argc, argv);
 
+	if (use_kerberos && !got_user) {
+		got_pass = True;
+	}
+
 	if (*credentials != 0) {
 		read_credentials_file(credentials);
 	}
diff --git a/source/torture/torture.c b/source/torture/torture.c
index 5466d8ef9ee..3fd0d7aa667 100644
--- a/source/torture/torture.c
+++ b/source/torture/torture.c
@@ -4018,6 +4018,7 @@ static void usage(void)
 {
 	int opt, i;
 	char *p;
+	int gotuser = 0;
 	int gotpass = 0;
 	extern char *optarg;
 	extern int optind;
@@ -4103,13 +4104,13 @@ static void usage(void)
 		case 'k':
 #ifdef HAVE_KRB5
 			use_kerberos = True;
-			gotpass = True;
 #else
 			d_printf("No kerberos support compiled in\n");
 			exit(1);
 #endif
 			break;
 		case 'U':
+			gotuser = 1;
 			fstrcpy(username,optarg);
 			p = strchr_m(username,'%');
 			if (p) {
@@ -4124,6 +4125,7 @@ static void usage(void)
 		}
 	}
 
+	if(use_kerberos && !gotuser) gotpass = True;
 
 	while (!gotpass) {
 		p = getpass("Password:");