CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos

We should not send NTLM[v2] nor plaintext data on the wire if the user
asked for kerberos only.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444

Signed-off-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 9 insertions, 0 deletions

diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1fb1f0127b9..a79abfaf157 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1443,6 +1443,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
 	uint32_t in_sess_key = 0;
 	const char *in_native_os = NULL;
 	const char *in_native_lm = NULL;
+	enum credentials_use_kerberos krb5_state =
+		cli_credentials_get_kerberos_state(creds);
 	NTSTATUS status;
 
 	req = tevent_req_create(mem_ctx, &state,
@@ -1484,6 +1486,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
 		return req;
 	}
 
+	if (krb5_state == CRED_MUST_USE_KERBEROS) {
+		DBG_WARNING("Kerberos authentication requested, but "
+			    "the server does not support SPNEGO authentication\n");
+		tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+		return tevent_req_post(req, ev);
+	}
+
 	if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
 		/*
 		 * SessionSetupAndX was introduced by LANMAN 1.0. So we skip