starting to sync for 3.0beta2

author: Gerald Carter <jerry@samba.org> 2003-07-01 14:40:47 +0000
committer: Gerald Carter <jerry@samba.org> 2003-07-01 14:40:47 +0000
commit: 4ef35ae91af666801bc5391e45372328cf1d47a1 (patch)
tree: 3797a02991a429be1fd4e18de7434556d97e9000 /source/libsmb/cliconnect.c
parent: a3fdb5536c3938453b3b56c02bfaf8fab3913619 (diff)
download: samba-4ef35ae91af666801bc5391e45372328cf1d47a1.tar.gz
1 files changed, 56 insertions, 14 deletions
diff --git a/source/libsmb/cliconnect.c b/source/libsmb/cliconnect.c
index 8ebac7bae7b..18125e26c30 100644
--- a/source/libsmb/cliconnect.c
+++ b/source/libsmb/cliconnect.c
@@ -293,14 +293,18 @@ static BOOL cli_session_setup_nt1(struct cli_state *cli, const char *user,
 			uchar nt_hash[16];
 			E_md4hash(pass, nt_hash);
 
+			nt_response = data_blob(NULL, 24);
+			SMBNTencrypt(pass,cli->secblob.data,nt_response.data);
+
 			/* non encrypted password supplied. Ignore ntpass. */
 			if (lp_client_lanman_auth()) {
 				lm_response = data_blob(NULL, 24);
-				SMBencrypt(pass,cli->secblob.data,lm_response.data);
+				SMBencrypt(pass,cli->secblob.data, lm_response.data);
+			} else {
+				/* LM disabled, place NT# in LM feild instead */
+				lm_response = data_blob(nt_response.data, nt_response.length);
 			}
 
-			nt_response = data_blob(NULL, 24);
-			SMBNTencrypt(pass,cli->secblob.data,nt_response.data);
 			session_key = data_blob(NULL, 16);
 			SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
 		}
@@ -449,6 +453,8 @@ static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
 	return blob2;
 }
 
+#ifdef HAVE_KRB5
+
 /****************************************************************************
  Send a extended security session setup blob, returning a reply blob.
 ****************************************************************************/
@@ -463,7 +469,6 @@ static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
 	return cli_session_setup_blob_receive(cli);
 }
 
-#ifdef HAVE_KRB5
 /****************************************************************************
  Use in-memory credentials cache
 ****************************************************************************/
@@ -499,7 +504,8 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *princi
 
 	return !cli_is_error(cli);
 }
-#endif
+#endif	/* HAVE_KRB5 */
+
 
 /****************************************************************************
  Do a spnego/NTLMSSP encrypted session setup.
@@ -575,7 +581,6 @@ static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
 			}
 			data_blob_free(&tmp_blob);
 		} else {
-			/* the server might give us back two challenges */
 			if (!spnego_parse_auth_response(blob, nt_status, 
 							&blob_in)) {
 				DEBUG(3,("Failed to parse auth response\n"));
@@ -713,8 +718,22 @@ BOOL cli_session_setup(struct cli_state *cli,
 
 	/* if its an older server then we have to use the older request format */
 
-	if (cli->protocol < PROTOCOL_NT1)
+	if (cli->protocol < PROTOCOL_NT1) {
+		if (!lp_client_lanman_auth() && passlen != 24 && (*pass)) {
+			DEBUG(1, ("Server requested LM password but 'client lanman auth'"
+				  " is disabled\n"));
+			return False;
+		}
+
+		if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 &&
+		    !lp_client_plaintext_auth() && (*pass)) {
+			DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+				  " is disabled\n"));
+			return False;
+		}
+
 		return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup);
+	}
 
 	/* if no user is supplied then we have to do an anonymous connection.
 	   passwords are ignored */
@@ -726,17 +745,21 @@ BOOL cli_session_setup(struct cli_state *cli,
            password at this point. The password is sent in the tree
            connect */
 
-	if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0)
+	if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0) 
 		return cli_session_setup_plaintext(cli, user, "", workgroup);
 
 	/* if the server doesn't support encryption then we have to use 
 	   plaintext. The second password is ignored */
 
-	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0)
+	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
+		if (!lp_client_plaintext_auth() && (*pass)) {
+			DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+				  " is disabled\n"));
+			return False;
+		}
 		return cli_session_setup_plaintext(cli, user, pass, workgroup);
+	}
 
-	/* Indidicate signing */
-	
 	/* if the server supports extended security then use SPNEGO */
 
 	if (cli->capabilities & CAP_EXTENDED_SECURITY)
@@ -789,6 +812,12 @@ BOOL cli_send_tconX(struct cli_state *cli,
 	}
 
 	if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) {
+		if (!lp_client_lanman_auth()) {
+			DEBUG(1, ("Server requested LANMAN password but 'client use lanman auth'"
+				  " is disabled\n"));
+			return False;
+		}
+
 		/*
 		 * Non-encrypted passwords - convert to DOS codepage before encryption.
 		 */
@@ -796,10 +825,17 @@ BOOL cli_send_tconX(struct cli_state *cli,
 		SMBencrypt(pass,cli->secblob.data,(uchar *)pword);
 	} else {
 		if((cli->sec_mode & (NEGOTIATE_SECURITY_USER_LEVEL|NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)) == 0) {
+			if (!lp_client_plaintext_auth() && (*pass)) {
+				DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+					  " is disabled\n"));
+				return False;
+			}
+
 			/*
 			 * Non-encrypted passwords - convert to DOS codepage before using.
 			 */
 			passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE);
+			
 		} else {
 			memcpy(pword, pass, passlen);
 		}
@@ -1375,6 +1411,12 @@ NTSTATUS cli_raw_tcon(struct cli_state *cli,
 {
 	char *p;
 
+	if (!lp_client_plaintext_auth() && (*pass)) {
+		DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+			  " is disabled\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	memset(cli->outbuf,'\0',smb_size);
 	memset(cli->inbuf,'\0',smb_size);
 
@@ -1439,7 +1481,7 @@ struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip,
 
 struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user_auth_info *user_info)
 {
-	struct in_addr *ip_list;
+	struct ip_service *ip_list;
 	struct cli_state *cli;
 	int i, count;
 	struct in_addr server_ip; 
@@ -1453,7 +1495,7 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user
 	for (i = 0; i < count; i++) {
 		static fstring name;
 
-		if (!name_status_find("*", 0, 0x1d, ip_list[i], name))
+		if (!name_status_find("*", 0, 0x1d, ip_list[i].ip, name))
 			continue;
 
                 if (!find_master_ip(name, &server_ip))
@@ -1462,7 +1504,7 @@ struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user
                 pstrcpy(workgroup, name);
 
                 DEBUG(4, ("found master browser %s, %s\n", 
-                          name, inet_ntoa(ip_list[i])));
+                          name, inet_ntoa(ip_list[i].ip)));
 
 		cli = get_ipc_connect(inet_ntoa(server_ip), &server_ip, user_info);
author	Gerald Carter <jerry@samba.org>	2003-07-01 14:40:47 +0000
committer	Gerald Carter <jerry@samba.org>	2003-07-01 14:40:47 +0000
commit	4ef35ae91af666801bc5391e45372328cf1d47a1 (patch)
tree	3797a02991a429be1fd4e18de7434556d97e9000 /source/libsmb/cliconnect.c
parent	a3fdb5536c3938453b3b56c02bfaf8fab3913619 (diff)
download	samba-4ef35ae91af666801bc5391e45372328cf1d47a1.tar.gz