From e47d77832b70b539ce3e898da458227dd0b853b6 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 3 Jun 2010 11:18:11 -0700 Subject: [PATCH] Found by Guenther - fix up our fallback paths from krb5 to NTLMSSP when using SMB2. Jeremy. --- source3/smbd/smb2_sesssetup.c | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 88454c12227..757618ea2d2 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -553,15 +553,25 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session, } #endif - /* Fall back to NTLMSSP. */ - status = auth_ntlmssp_start(&session->auth_ntlmssp_state); - if (!NT_STATUS_IS_OK(status)) { - goto out; - } + if (kerb_mech) { + /* The mechtoken is a krb5 ticket, but + * we need to fall back to NTLM. */ - status = auth_ntlmssp_update(session->auth_ntlmssp_state, - secblob_in, - &chal_out); + DEBUG(3,("smb2: Got krb5 ticket in SPNEGO " + "but set to downgrade to NTLMSSP\n")); + + status = NT_STATUS_MORE_PROCESSING_REQUIRED; + } else { + /* Fall back to NTLMSSP. */ + status = auth_ntlmssp_start(&session->auth_ntlmssp_state); + if (!NT_STATUS_IS_OK(status)) { + goto out; + } + + status = auth_ntlmssp_update(session->auth_ntlmssp_state, + secblob_in, + &chal_out); + } if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, @@ -744,6 +754,17 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session, SAFE_FREE(kerb_mech); return NT_STATUS_LOGON_FAILURE; } + + data_blob_free(&secblob_in); + } + + if (session->auth_ntlmssp_state == NULL) { + status = auth_ntlmssp_start(&session->auth_ntlmssp_state); + if (!NT_STATUS_IS_OK(status)) { + data_blob_free(&auth); + TALLOC_FREE(session); + return status; + } } status = auth_ntlmssp_update(session->auth_ntlmssp_state, -- 2.11.4.GIT