author | Stefan Metzmacher <metze@samba.org> | 2016-10-27 10:40:28 +0200 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2021-11-08 10:52:13 +0100 |
commit | 721e40dd379a85e153c31b294d1054eeb3718aa0 (patch) | |
tree | 05bd8fe84421bdf8cb11c59fb6dc5f3ff4972f83 | |
parent | 4290223ed40183e5f01c25da00df438b9ccf302a (diff) | |
CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos
We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source3/libsmb/cliconnect.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1fb1f0127b9..a79abfaf157 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1443,6 +1443,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
 uint32_t in_sess_key = 0;
 const char *in_native_os = NULL;
 const char *in_native_lm = NULL;
+ enum credentials_use_kerberos krb5_state =
+ cli_credentials_get_kerberos_state(creds);
 NTSTATUS status;
 req = tevent_req_create(mem_ctx, &state,
@@ -1484,6 +1486,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
 return req;
 }
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ DBG_WARNING("Kerberos authentication requested, but "
+ "the server does not support SPNEGO authentication\n");
+ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ return tevent_req_post(req, ev);
+ }
+
 if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
 /*
 * SessionSetupAndX was introduced by LANMAN 1.0. So we skip |
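Review bot: The new `krb5_state == CRED_MUST_USE_KERBEROS` guard in the second hunk carries no comment marking it as a downgrade barrier, yet it only works while it stays ahead of the legacy session-setup branches that begin with the `PROTOCOL_LANMAN1` test directly below it. I would add above the `if`: `/* Kerberos is mandatory: a peer that does not offer SPNEGO (or a negotiation altered in transit) must never push us to NTLM, LM or plaintext session setup. */`, so a later reordering of these branches is recognised as security-relevant. The guard covers only this non-SPNEGO path; whether the branch ending at the `return req;` above (presumably the SPNEGO path) also refuses a non-Kerberos mechanism when Kerberos is required is not visible in this hunk and should be confirmed. cli_session_setup_creds_send starts and ends outside the hunk.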