#include "../libcli/smb/smb_common.h"
#include "../libcli/auth/spnego.h"
#include "../libcli/auth/ntlmssp.h"
+#include "../auth/gensec/gensec.h"
#include "ntlmssp_wrap.h"
#include "../librpc/gen_ndr/krb5pac.h"
#include "libads/kerberos_proto.h"
struct passwd *pw = NULL;
NTSTATUS status;
char *real_username;
- fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
- session->session_info->unix_info->sanitized_username =
- talloc_strdup(session->session_info, tmp);
-
if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name);
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
/* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+ talloc_tos(),
secblob_in,
&chal_out);
}
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
- fstring tmp;
-
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == Required) {
session->do_signing = true;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- ". _-$",
- sizeof(tmp));
- session->session_info->unix_info->sanitized_username = talloc_strdup(
- session->session_info, tmp);
-
if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name);
}
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
return status;
}
+
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ if (!NT_STATUS_IS_OK(status)) {
+ data_blob_free(&auth);
+ TALLOC_FREE(session);
+ return status;
+ }
}
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- auth,
+ talloc_tos(), auth,
&auth_out);
/* If status is NT_STATUS_OK then we need to get the token.
* Map to guest is now internal to auth_ntlmssp */
if (NT_STATUS_IS_OK(status)) {
- status = auth_ntlmssp_steal_session_info(session,
- session->auth_ntlmssp_state,
- &session->session_info);
+ status = auth_ntlmssp_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
}
if (!NT_STATUS_IS_OK(status) &&
uint64_t *out_session_id)
{
NTSTATUS status;
- DATA_BLOB secblob_out = data_blob_null;
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(session->sconn->remote_address,
+ status = auth_ntlmssp_prepare(session->sconn->remote_address,
&session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;
}
- }
- /* RAW NTLMSSP */
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- in_security_buffer,
- &secblob_out);
+ auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
- if (NT_STATUS_IS_OK(status) ||
- NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- *out_security_buffer = data_blob_talloc(smb2req,
- secblob_out.data,
- secblob_out.length);
- if (secblob_out.data && out_security_buffer->data == NULL) {
- TALLOC_FREE(session->auth_ntlmssp_state);
+ if (session->sconn->use_gensec_hook) {
+ status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ } else {
+ status = auth_ntlmssp_start(session->auth_ntlmssp_state);
+ }
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
- return NT_STATUS_NO_MEMORY;
+ return status;
}
}
+ /* RAW NTLMSSP */
+ status = auth_ntlmssp_update(session->auth_ntlmssp_state,
+ smb2req,
+ in_security_buffer,
+ out_security_buffer);
+
if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
*out_session_id = session->vuid;
return status;
}
- status = auth_ntlmssp_steal_session_info(session,
- session->auth_ntlmssp_state,
- &session->session_info);
+ status = auth_ntlmssp_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session->auth_ntlmssp_state);
return NT_STATUS_REQUEST_NOT_ACCEPTED;
}
- if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
- return smbd_smb2_spnego_negotiate(session,
+ /* Handle either raw NTLMSSP or hand off the whole blob to
+ * GENSEC. The processing at this layer is essentially
+ * identical regardless. In particular, both rely only on the
+ * status code (not the contents of the packet) and do not
+ * wrap the result */
+ if (session->sconn->use_gensec_hook
+ || ntlmssp_blob_matches_magic(&in_security_buffer)) {
+ return smbd_smb2_raw_ntlmssp_auth(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
- } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
- return smbd_smb2_spnego_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_APPLICATION(0)) {
+ return smbd_smb2_spnego_negotiate(session,
smb2req,
in_security_mode,
in_security_buffer,
out_session_flags,
out_security_buffer,
out_session_id);
- } else if (strncmp((char *)(in_security_buffer.data), "NTLMSSP", 7) == 0) {
- return smbd_smb2_raw_ntlmssp_auth(session,
+ } else if (in_security_buffer.data[0] == ASN1_CONTEXT(1)) {
+ return smbd_smb2_spnego_auth(session,
smb2req,
in_security_mode,
in_security_buffer,