diff options
author | Stefan Metzmacher <metze@samba.org> | 2016-04-19 07:33:03 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2016-04-29 12:06:26 +0200 |
commit | 40c1d53a983f943798f6f689eeeca18d7751fa63 (patch) | |
tree | 7c0368521d1bbb7510763d8132ff863131ccb9de | |
parent | 0eebd689c51bddc140b0c00fb10242bace07de2d (diff) | |
download | samba-40c1d53a983f943798f6f689eeeca18d7751fa63.tar.gz |
s3:libsmb: use anonymous authentication via spnego if possible
This makes the authentication consistent between
SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
and SNB2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit e72ad193a53e20b769f798d02c0610f91859bd38)
-rw-r--r-- | source3/libsmb/cliconnect.c | 55 |
1 files changed, 29 insertions, 26 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index c4ac605396c..420fe3c5e04 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1661,6 +1661,19 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req) } } + if (state->is_anonymous) { + /* + * Windows server does not set the + * SMB2_SESSION_FLAG_IS_NULL flag. + * + * This fix makes sure we do not try + * to verify a signature on the final + * session setup response. + */ + tevent_req_done(req); + return; + } + status = gensec_session_key(state->auth_generic->gensec_security, state, &state->session_key); if (tevent_req_nterror(req, status)) { @@ -1670,20 +1683,6 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req) if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) { struct smbXcli_session *session = state->cli->smb2.session; - if (state->is_anonymous) { - /* - * Windows server does not set the - * SMB2_SESSION_FLAG_IS_GUEST nor - * SMB2_SESSION_FLAG_IS_NULL flag. - * - * This fix makes sure we do not try - * to verify a signature on the final - * session setup response. - */ - tevent_req_done(req); - return; - } - status = smb2cli_session_set_session_key(session, state->session_key, state->recv_iov); @@ -2121,6 +2120,21 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, return req; } + /* + * if the server supports extended security then use SPNEGO + * even for anonymous connections. + */ + if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) { + subreq = cli_session_setup_spnego_send( + state, ev, cli, user, pass, workgroup); + if (tevent_req_nomem(subreq, req)) { + return tevent_req_post(req, ev); + } + tevent_req_set_callback(subreq, cli_session_setup_done_spnego, + req); + return req; + } + /* if no user is supplied then we have to do an anonymous connection. passwords are ignored */ @@ -2169,18 +2183,7 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, return req; } - /* if the server supports extended security then use SPNEGO */ - - if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) { - subreq = cli_session_setup_spnego_send( - state, ev, cli, user, pass, workgroup); - if (tevent_req_nomem(subreq, req)) { - return tevent_req_post(req, ev); - } - tevent_req_set_callback(subreq, cli_session_setup_done_spnego, - req); - return req; - } else { + { /* otherwise do a NT1 style session setup */ if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) { /* |