git.samba.org / kai / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b13a9a8)
r2041: Fix NTLMSSP RPC sealing, client -> win2k3 server.
authorAndrew Bartlett <abartlet@samba.org>
Wed, 25 Aug 2004 02:25:20 +0000 (02:25 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:58:19 +0000 (12:58 -0500)
The bug (found by tridge) is that Win2k3 is being tighter about the
NTLMSSP flags.  If we don't negotiate sealing, we can't use it.

We now have a way to indicate to the GENSEC implementation mechanisms
what things we want for a connection.

Andrew Bartlett
(This used to be commit 86f61568ea44c5719f9b583beeeefb12e0c26f4c)

13 files changed:
source4/libcli/auth/gensec.c patch | blob | history
source4/libcli/auth/gensec.h patch | blob | history
source4/libcli/auth/gensec_ntlmssp.c patch | blob | history
source4/libcli/auth/ntlmssp.c patch | blob | history
source4/libcli/auth/ntlmssp_sign.c patch | blob | history
source4/libcli/raw/clisession.c patch | blob | history
source4/librpc/rpc/dcerpc.c patch | blob | history
source4/librpc/rpc/dcerpc_auth.c patch | blob | history
source4/librpc/rpc/dcerpc_ntlm.c patch | blob | history
source4/librpc/rpc/dcerpc_schannel.c patch | blob | history
source4/librpc/rpc/dcerpc_spnego.c patch | blob | history
source4/rpc_server/dcesrv_auth.c patch | blob | history
source4/smb_server/sesssetup.c patch | blob | history

diff --git a/source4/libcli/auth/gensec.c b/source4/libcli/auth/gensec.c
index 24c2c18877010799eb50d0d52f42e5de3138d482..818870155839528b737ce0d2c31c0867d98e2fc3 100644 (file)
--- a/source4/libcli/auth/gensec.c
+++ b/source4/libcli/auth/gensec.c
@@ -145,6 +145,7 @@ static NTSTATUS gensec_start(struct gensec_security **gensec_security)
        (*gensec_security)->default_user.realm = talloc_strdup(mem_ctx, lp_realm());
 
        (*gensec_security)->subcontext = False;
+       (*gensec_security)->want_features = 0;
        return NT_STATUS_OK;
 }
 
@@ -232,13 +233,20 @@ static NTSTATUS gensec_start_mech(struct gensec_security *gensec_security)
  */
 
 NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, 
-                                      uint8_t authtype
+                                      uint8_t auth_type, uint8_t auth_level
 {
-       gensec_security->ops = gensec_security_by_authtype(authtype);
+       gensec_security->ops = gensec_security_by_authtype(auth_type);
        if (!gensec_security->ops) {
-               DEBUG(3, ("Could not find GENSEC backend for authtype=%d\n", (int)authtype));
+               DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
                return NT_STATUS_INVALID_PARAMETER;
        }
+       if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+               gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
+       }
+       if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+               gensec_want_feature(gensec_security, GENSEC_WANT_SIGN);
+               gensec_want_feature(gensec_security, GENSEC_WANT_SEAL);
+       }
        return gensec_start_mech(gensec_security);
 }
 
@@ -308,6 +316,10 @@ NTSTATUS gensec_check_packet(struct gensec_security *gensec_security,
        if (!gensec_security->ops->check_packet) {
                return NT_STATUS_NOT_IMPLEMENTED;
        }
+       if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+       
        return gensec_security->ops->check_packet(gensec_security, mem_ctx, data, length, sig);
 }
 
@@ -319,6 +331,10 @@ NTSTATUS gensec_seal_packet(struct gensec_security *gensec_security,
        if (!gensec_security->ops->seal_packet) {
                return NT_STATUS_NOT_IMPLEMENTED;
        }
+       if (!(gensec_security->want_features & GENSEC_WANT_SEAL)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        return gensec_security->ops->seal_packet(gensec_security, mem_ctx, data, length, sig);
 }
 
@@ -330,6 +346,10 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
        if (!gensec_security->ops->sign_packet) {
                return NT_STATUS_NOT_IMPLEMENTED;
        }
+       if (!(gensec_security->want_features & GENSEC_WANT_SIGN)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+       
        return gensec_security->ops->sign_packet(gensec_security, mem_ctx, data, length, sig);
 }
 
@@ -339,6 +359,10 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
        if (!gensec_security->ops->session_key) {
                return NT_STATUS_NOT_IMPLEMENTED;
        }
+       if (!(gensec_security->want_features & GENSEC_WANT_SESSION_KEY)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+       
        return gensec_security->ops->session_key(gensec_security, session_key);
 }
 
@@ -392,6 +416,17 @@ void gensec_end(struct gensec_security **gensec_security)
        gensec_security = NULL;
 }
 
+/** 
+ * Set the requirement for a certain feature on the connection
+ *
+ */
+
+void gensec_want_feature(struct gensec_security *gensec_security,
+                        uint32 feature) 
+{
+       gensec_security->want_features |= feature;
+}
+
 /** 
  * Set a username on a GENSEC context - ensures it is talloc()ed 
  *
diff --git a/source4/libcli/auth/gensec.h b/source4/libcli/auth/gensec.h
index 880ee45265ef565b2cf0a80e5f7ae57caf7a2bce..73a5f6b463dacdd7ce7a2d5cc9320cdc9ca8eddd 100644 (file)
--- a/source4/libcli/auth/gensec.h
+++ b/source4/libcli/auth/gensec.h
@@ -36,7 +36,10 @@ struct gensec_target {
        const struct sock_addr *addr;
        const char *service;
 };
-               
+
+#define GENSEC_WANT_SESSION_KEY 0x1
+#define GENSEC_WANT_SIGN 0x2
+#define GENSEC_WANT_SEAL 0x4
 
 /* GENSEC mode */
 enum gensec_role
@@ -86,6 +89,7 @@ struct gensec_security {
        struct gensec_target target;
        enum gensec_role gensec_role;
        BOOL subcontext;
+       uint32 want_features;
 };
 
 /* this structure is used by backends to determine the size of some critical types */
diff --git a/source4/libcli/auth/gensec_ntlmssp.c b/source4/libcli/auth/gensec_ntlmssp.c
index 99247fb6261367dfad651f79c6a7c1229afabfbb..ae03bc88e685857c9e99a78b5ffc8ef98bc1b3d0 100644 (file)
--- a/source4/libcli/auth/gensec_ntlmssp.c
+++ b/source4/libcli/auth/gensec_ntlmssp.c
@@ -179,6 +179,13 @@ static NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_secur
                return nt_status;
        }
 
+       if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+               gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+       }
+       if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+               gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+       }
+
        ntlmssp_state = gensec_ntlmssp_state->ntlmssp_state;
        if (!NT_STATUS_IS_OK(nt_status = make_auth_context_subsystem(&gensec_ntlmssp_state->auth_context))) {
                return nt_status;
@@ -211,6 +218,25 @@ static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_secur
                return status;
        }
 
+       if (gensec_security->want_features & GENSEC_WANT_SESSION_KEY) {
+               /*
+                * We need to set this to allow a later SetPassword
+                * via the SAMR pipe to succeed. Strange.... We could
+                * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
+                * 
+                * Without this, Windows will not create the master key
+                * that it thinks is only used for NTLMSSP signing and 
+                * sealing.  (It is actually pulled out and used directly) 
+                */
+               gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+       }
+       if (gensec_security->want_features & GENSEC_WANT_SIGN) {
+               gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
+       }
+       if (gensec_security->want_features & GENSEC_WANT_SEAL) {
+               gensec_ntlmssp_state->ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
+       }
+
        status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state, 
                                    gensec_security->user.domain);
        if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/libcli/auth/ntlmssp.c b/source4/libcli/auth/ntlmssp.c
index 893e8520c2c298e9cce0cea9394fcdb0f2a02c8a..4d2dd6b5768232776aaf3a07c72a9a2776ba2434 100644 (file)
--- a/source4/libcli/auth/ntlmssp.c
+++ b/source4/libcli/auth/ntlmssp.c
@@ -375,6 +375,14 @@ static void ntlmssp_handle_neg_flags(struct ntlmssp_state *ntlmssp_state,
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
        }
 
+       if (!(neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+       }
+
+       if (!(neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
+               ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+       }
+
        if (!(neg_flags & NTLMSSP_NEGOTIATE_NTLM2)) {
                ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
        }
@@ -933,9 +941,7 @@ NTSTATUS ntlmssp_server_start(struct ntlmssp_state **ntlmssp_state)
                NTLMSSP_NEGOTIATE_128 |
                NTLMSSP_NEGOTIATE_NTLM |
 /*             NTLMSSP_NEGOTIATE_NTLM2 | */
-               NTLMSSP_NEGOTIATE_KEY_EXCH |
-               NTLMSSP_NEGOTIATE_SIGN |
-               NTLMSSP_NEGOTIATE_SEAL;
+               NTLMSSP_NEGOTIATE_KEY_EXCH;
 
        return NT_STATUS_OK;
 }
@@ -1289,16 +1295,6 @@ NTSTATUS ntlmssp_client_start(struct ntlmssp_state **ntlmssp_state)
                NTLMSSP_NEGOTIATE_NTLM |
 /*             NTLMSSP_NEGOTIATE_NTLM2 |*/
                NTLMSSP_NEGOTIATE_KEY_EXCH |
-               /*
-                * We need to set this to allow a later SetPassword
-                * via the SAMR pipe to succeed. Strange.... We could
-                * also add  NTLMSSP_NEGOTIATE_SEAL here. JRA.
-                * 
-                * Without this, Windows will not create the master key
-                * that it thinks is only used for NTLMSSP signing and 
-                * sealing.  (It is actually pulled out and used directly) 
-                */
-               NTLMSSP_NEGOTIATE_SIGN |
                NTLMSSP_REQUEST_TARGET;
 
        return NT_STATUS_OK;
diff --git a/source4/libcli/auth/ntlmssp_sign.c b/source4/libcli/auth/ntlmssp_sign.c
index 80ce1cccc06457dc45ccac63ead981e5e0d06ea5..6c770b87b90e83d240f6af944d3eec2373b1ae21 100644 (file)
--- a/source4/libcli/auth/ntlmssp_sign.c
+++ b/source4/libcli/auth/ntlmssp_sign.c
@@ -178,6 +178,11 @@ NTSTATUS ntlmssp_sign_packet(struct ntlmssp_state *ntlmssp_state,
                return NT_STATUS_NO_USER_SESSION_KEY;
        }
 
+       if (!ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+               DEBUG(3, ("NTLMSSP Signing not negotiated - cannot sign packet!\n"));
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        nt_status = ntlmssp_make_packet_signature(ntlmssp_state, sig_mem_ctx, 
                                                  data, length, NTLMSSP_SEND, sig);
 
@@ -268,6 +273,11 @@ NTSTATUS ntlmssp_seal_packet(struct ntlmssp_state *ntlmssp_state,
                return NT_STATUS_NO_USER_SESSION_KEY;
        }
 
+       if (!ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+               DEBUG(3, ("NTLMSSP Sealing not negotiated - cannot seal packet!\n"));
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        DEBUG(10,("ntlmssp_seal_data: seal\n"));
        dump_data_pw("ntlmssp clear data\n", data, length);
        if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
diff --git a/source4/libcli/raw/clisession.c b/source4/libcli/raw/clisession.c
index af8a63328cef0c959fe3166a49400d5e09f1f0ed..32be6b68ed657251c5805817927a30a684695491 100644 (file)
--- a/source4/libcli/raw/clisession.c
+++ b/source4/libcli/raw/clisession.c
@@ -399,6 +399,8 @@ static NTSTATUS smb_raw_session_setup_generic_spnego(struct smbcli_session *sess
                goto done;
        }
 
+       gensec_want_feature(session->gensec, GENSEC_WANT_SESSION_KEY);
+
        status = gensec_set_domain(session->gensec, parms->generic.in.domain);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n", 
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 31db6df73829ae40a58132466d035e854ec07cf4..b605b4d110ec743fbd86dc721e89c84ccf6bbc6c 100644 (file)
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -942,3 +942,21 @@ const char *dcerpc_server_name(struct dcerpc_pipe *p)
        }
        return p->transport.peer_name(p);
 }
+
+/*
+  a useful function to get the auth_level 
+*/
+
+uint32 dcerpc_auth_level(struct dcerpc_pipe *p) 
+{
+       uint8_t auth_level;
+
+       if (p->flags & DCERPC_SEAL) {
+               auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+       } else if (p->flags & DCERPC_SIGN) {
+               auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+       } else {
+               auth_level = DCERPC_AUTH_LEVEL_NONE;
+       }
+       return auth_level;
+}
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index 43b2212d60d2de4163b4422f446a8be445d2c489..6ae6a80596ad9715c72bfd07a6785f8a379c0ad5 100644 (file)
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -44,7 +44,7 @@ NTSTATUS dcerpc_bind_auth_none(struct dcerpc_pipe *p,
        return status;
 }
 
-NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
+NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
                          const char *uuid, uint_t version)
 {
        NTSTATUS status;
@@ -63,7 +63,7 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
                        return status;
                }
 
-               status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type);
+               status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type, auth_level);
 
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
@@ -77,19 +77,12 @@ NTSTATUS dcerpc_bind_auth3(struct dcerpc_pipe *p, uint8_t auth_type,
        }
 
        p->security_state.auth_info->auth_type = auth_type;
+       p->security_state.auth_info->auth_level = auth_level;
        p->security_state.auth_info->auth_pad_length = 0;
        p->security_state.auth_info->auth_reserved = 0;
        p->security_state.auth_info->auth_context_id = random();
        p->security_state.auth_info->credentials = null_data_blob;
 
-       if (p->flags & DCERPC_SEAL) {
-               p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-       } else if (p->flags & DCERPC_SIGN) {
-               p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
-       } else {
-               p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE;
-       }
-
        status = gensec_update(p->security_state.generic_state, mem_ctx,
                               null_data_blob,
                               &credentials);
@@ -126,7 +119,7 @@ done:
        return status;
 }
 
-NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
+NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth_level,
                          const char *uuid, uint_t version)
 {
        NTSTATUS status;
@@ -145,7 +138,8 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
                        return status;
                }
 
-               status = gensec_start_mech_by_authtype(p->security_state.generic_state, auth_type);
+               status = gensec_start_mech_by_authtype(p->security_state.generic_state, 
+                                                      auth_type, auth_level);
 
                if (!NT_STATUS_IS_OK(status)) {
                        return status;
@@ -159,19 +153,12 @@ NTSTATUS dcerpc_bind_alter(struct dcerpc_pipe *p, uint8_t auth_type,
        }
 
        p->security_state.auth_info->auth_type = auth_type;
+       p->security_state.auth_info->auth_level = auth_level;
        p->security_state.auth_info->auth_pad_length = 0;
        p->security_state.auth_info->auth_reserved = 0;
        p->security_state.auth_info->auth_context_id = random();
        p->security_state.auth_info->credentials = null_data_blob;
 
-       if (p->flags & DCERPC_SEAL) {
-               p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
-       } else if (p->flags & DCERPC_SIGN) {
-               p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
-       } else {
-               p->security_state.auth_info->auth_level = DCERPC_AUTH_LEVEL_NONE;
-       }
-
        status = gensec_update(p->security_state.generic_state, mem_ctx,
                               null_data_blob,
                               &credentials);
diff --git a/source4/librpc/rpc/dcerpc_ntlm.c b/source4/librpc/rpc/dcerpc_ntlm.c
index 1f8dbc993e55c8b8a9950d1852d811fe94dec360..eab80a333bc8c3f79e15e25a6a25ddf560c6ecaa 100644 (file)
--- a/source4/librpc/rpc/dcerpc_ntlm.c
+++ b/source4/librpc/rpc/dcerpc_ntlm.c
@@ -60,7 +60,7 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
                return status;
        }
 
-       status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_NTLMSSP);
+       status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_NTLMSSP, dcerpc_auth_level(p));
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start set GENSEC client NTLMSSP mechanism: %s\n",
                          nt_errstr(status)));
@@ -68,7 +68,8 @@ NTSTATUS dcerpc_bind_auth_ntlm(struct dcerpc_pipe *p,
        }
        
        status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_NTLMSSP,
-                                 uuid, version);
+                                  dcerpc_auth_level(p),
+                                  uuid, version);
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(2, ("Failed to bind to pipe with NTLMSSP: %s\n", nt_errstr(status)));
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index b3d7048501adbed275ed4e2d126b7d734d003219..e7b1d0898864f15acef7f5a29dd5d2fd0a8fd39d 100644 (file)
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -469,7 +469,7 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
                return status;
        }
        
-       status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SCHANNEL);
+       status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p));
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status)));
@@ -477,7 +477,7 @@ NTSTATUS dcerpc_bind_auth_schannel(struct dcerpc_pipe *p,
                return status;
        }
 
-       status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL,
+       status = dcerpc_bind_auth3(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p),
                                  uuid, version);
 
        if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/librpc/rpc/dcerpc_spnego.c b/source4/librpc/rpc/dcerpc_spnego.c
index 7ccc0cf422425f927ac3d6f2d4d0c53f6ea3e558..f5e2be0da45f9c16e504da4bf09e6c3d3b7f2b93 100644 (file)
--- a/source4/librpc/rpc/dcerpc_spnego.c
+++ b/source4/librpc/rpc/dcerpc_spnego.c
@@ -67,14 +67,14 @@ NTSTATUS dcerpc_bind_auth_spnego(struct dcerpc_pipe *p,
                return status;
        }
 
-       status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SPNEGO);
+       status = gensec_start_mech_by_authtype(p->security_state.generic_state, DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(p));
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start set GENSEC client SPNEGO mechanism: %s\n",
                          nt_errstr(status)));
                return status;
        }
        
-       status = dcerpc_bind_alter(p, DCERPC_AUTH_TYPE_SPNEGO,
+       status = dcerpc_bind_alter(p, DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(p),
                                  uuid, version);
 
        if (!NT_STATUS_IS_OK(status)) {
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 84a5460d6887b55ab4da711ebc3e8878582cd997..85c7916df760d3b3d54e2b811032767691d1827b 100644 (file)
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -53,7 +53,8 @@ NTSTATUS dcesrv_crypto_select_type(struct dcesrv_connection *dce_conn,
                return status;
        }
 
-       status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type);
+       status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, 
+                                              auth->auth_info->auth_level);
 
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start GENSEC mech-specific server code (%d): %s\n", 
diff --git a/source4/smb_server/sesssetup.c b/source4/smb_server/sesssetup.c
index a87db0ecc4aa8208f8667d9fde16c6777ce32f44..1c336864073bb777786d97a97cebe35a2afd2baa 100644 (file)
--- a/source4/smb_server/sesssetup.c
+++ b/source4/smb_server/sesssetup.c
@@ -213,6 +213,8 @@ static NTSTATUS sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup
                        return status;
                }
 
+               gensec_want_feature(gensec_ctx, GENSEC_WANT_SESSION_KEY);
+
                status = gensec_start_mech_by_oid(gensec_ctx, OID_SPNEGO);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("Failed to start GENSEC SPNEGO server code: %s\n", nt_errstr(status)));
Kai's WIP code