CVE-2016-2114: s3:smbd: use the correct default values for "smb signing"
[samba.git] / source3 / smbd / smb2_negprot.c
1 /*
2    Unix SMB/CIFS implementation.
3    Core SMB2 server
4
5    Copyright (C) Stefan Metzmacher 2009
6
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../libcli/smb/smb2_negotiate_context.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../librpc/ndr/libndr.h"
28 #include "../libcli/smb/smb_signing.h"
29
30 extern fstring remote_proto;
31
32 /*
33  * this is the entry point if SMB2 is selected via
34  * the SMB negprot and the given dialect.
35  */
36 static void reply_smb20xx(struct smb_request *req, uint16_t dialect)
37 {
38         uint8_t *smb2_inpdu;
39         uint8_t *smb2_hdr;
40         uint8_t *smb2_body;
41         uint8_t *smb2_dyn;
42         size_t len = SMB2_HDR_BODY + 0x24 + 2;
43
44         smb2_inpdu = talloc_zero_array(talloc_tos(), uint8_t, len);
45         if (smb2_inpdu == NULL) {
46                 DEBUG(0, ("Could not push spnego blob\n"));
47                 reply_nterror(req, NT_STATUS_NO_MEMORY);
48                 return;
49         }
50         smb2_hdr = smb2_inpdu;
51         smb2_body = smb2_hdr + SMB2_HDR_BODY;
52         smb2_dyn = smb2_body + 0x24;
53
54         SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID,   SMB2_MAGIC);
55         SIVAL(smb2_hdr, SMB2_HDR_LENGTH,        SMB2_HDR_BODY);
56
57         SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
58         SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
59
60         SSVAL(smb2_dyn,  0x00, dialect);
61
62         req->outbuf = NULL;
63
64         smbd_smb2_process_negprot(req->xconn, 0, smb2_inpdu, len);
65         return;
66 }
67
68 /*
69  * this is the entry point if SMB2 is selected via
70  * the SMB negprot and the "SMB 2.002" dialect.
71  */
72 void reply_smb2002(struct smb_request *req, uint16_t choice)
73 {
74         reply_smb20xx(req, SMB2_DIALECT_REVISION_202);
75 }
76
77 /*
78  * this is the entry point if SMB2 is selected via
79  * the SMB negprot and the "SMB 2.???" dialect.
80  */
81 void reply_smb20ff(struct smb_request *req, uint16_t choice)
82 {
83         struct smbXsrv_connection *xconn = req->xconn;
84         xconn->smb2.allow_2ff = true;
85         reply_smb20xx(req, SMB2_DIALECT_REVISION_2FF);
86 }
87
88 enum protocol_types smbd_smb2_protocol_dialect_match(const uint8_t *indyn,
89                                 const int dialect_count,
90                                 uint16_t *dialect)
91 {
92         struct {
93                 enum protocol_types proto;
94                 uint16_t dialect;
95         } pd[] = {
96                 { PROTOCOL_SMB3_11, SMB3_DIALECT_REVISION_311 },
97                 { PROTOCOL_SMB3_10, SMB3_DIALECT_REVISION_310 },
98                 { PROTOCOL_SMB3_02, SMB3_DIALECT_REVISION_302 },
99                 { PROTOCOL_SMB3_00, SMB3_DIALECT_REVISION_300 },
100                 { PROTOCOL_SMB2_24, SMB2_DIALECT_REVISION_224 },
101                 { PROTOCOL_SMB2_22, SMB2_DIALECT_REVISION_222 },
102                 { PROTOCOL_SMB2_10, SMB2_DIALECT_REVISION_210 },
103                 { PROTOCOL_SMB2_02, SMB2_DIALECT_REVISION_202 },
104         };
105         size_t i;
106
107         for (i = 0; i < ARRAY_SIZE(pd); i ++) {
108                 size_t c = 0;
109
110                 if (lp_server_max_protocol() < pd[i].proto) {
111                         continue;
112                 }
113                 if (lp_server_min_protocol() > pd[i].proto) {
114                         continue;
115                 }
116
117                 for (c = 0; c < dialect_count; c++) {
118                         *dialect = SVAL(indyn, c*2);
119                         if (*dialect == pd[i].dialect) {
120                                 return pd[i].proto;
121                         }
122                 }
123         }
124
125         return PROTOCOL_NONE;
126 }
127
128 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
129 {
130         struct smbXsrv_connection *xconn = req->xconn;
131         NTSTATUS status;
132         const uint8_t *inbody;
133         const uint8_t *indyn = NULL;
134         DATA_BLOB outbody;
135         DATA_BLOB outdyn;
136         DATA_BLOB negprot_spnego_blob;
137         uint16_t security_offset;
138         DATA_BLOB security_buffer;
139         size_t expected_dyn_size = 0;
140         size_t c;
141         uint16_t security_mode;
142         uint16_t dialect_count;
143         uint16_t in_security_mode;
144         uint32_t in_capabilities;
145         DATA_BLOB in_guid_blob;
146         struct GUID in_guid;
147         struct smb2_negotiate_contexts in_c = { .num_contexts = 0, };
148         struct smb2_negotiate_context *in_preauth = NULL;
149         struct smb2_negotiate_context *in_cipher = NULL;
150         struct smb2_negotiate_contexts out_c = { .num_contexts = 0, };
151         DATA_BLOB out_negotiate_context_blob = data_blob_null;
152         uint32_t out_negotiate_context_offset = 0;
153         uint16_t out_negotiate_context_count = 0;
154         uint16_t dialect = 0;
155         uint32_t capabilities;
156         DATA_BLOB out_guid_blob;
157         struct GUID out_guid;
158         enum protocol_types protocol = PROTOCOL_NONE;
159         uint32_t max_limit;
160         uint32_t max_trans = lp_smb2_max_trans();
161         uint32_t max_read = lp_smb2_max_read();
162         uint32_t max_write = lp_smb2_max_write();
163         NTTIME now = timeval_to_nttime(&req->request_time);
164         bool signing_required = true;
165
166         status = smbd_smb2_request_verify_sizes(req, 0x24);
167         if (!NT_STATUS_IS_OK(status)) {
168                 return smbd_smb2_request_error(req, status);
169         }
170         inbody = SMBD_SMB2_IN_BODY_PTR(req);
171
172         dialect_count = SVAL(inbody, 0x02);
173
174         in_security_mode = SVAL(inbody, 0x04);
175         in_capabilities = IVAL(inbody, 0x08);
176         in_guid_blob = data_blob_const(inbody + 0x0C, 16);
177
178         if (dialect_count == 0) {
179                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
180         }
181
182         status = GUID_from_ndr_blob(&in_guid_blob, &in_guid);
183         if (!NT_STATUS_IS_OK(status)) {
184                 return smbd_smb2_request_error(req, status);
185         }
186
187         expected_dyn_size = dialect_count * 2;
188         if (SMBD_SMB2_IN_DYN_LEN(req) < expected_dyn_size) {
189                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
190         }
191         indyn = SMBD_SMB2_IN_DYN_PTR(req);
192
193         protocol = smbd_smb2_protocol_dialect_match(indyn,
194                                         dialect_count,
195                                         &dialect);
196
197         for (c=0; protocol == PROTOCOL_NONE && c < dialect_count; c++) {
198                 if (lp_server_max_protocol() < PROTOCOL_SMB2_10) {
199                         break;
200                 }
201
202                 dialect = SVAL(indyn, c*2);
203                 if (dialect == SMB2_DIALECT_REVISION_2FF) {
204                         if (xconn->smb2.allow_2ff) {
205                                 xconn->smb2.allow_2ff = false;
206                                 protocol = PROTOCOL_SMB2_10;
207                                 break;
208                         }
209                 }
210         }
211
212         if (protocol == PROTOCOL_NONE) {
213                 return smbd_smb2_request_error(req, NT_STATUS_NOT_SUPPORTED);
214         }
215
216         if (protocol >= PROTOCOL_SMB3_10) {
217                 uint32_t in_negotiate_context_offset = 0;
218                 uint16_t in_negotiate_context_count = 0;
219                 DATA_BLOB in_negotiate_context_blob = data_blob_null;
220                 size_t ofs;
221
222                 in_negotiate_context_offset = IVAL(inbody, 0x1C);
223                 in_negotiate_context_count = SVAL(inbody, 0x20);
224
225                 ofs = SMB2_HDR_BODY;
226                 ofs += SMBD_SMB2_IN_BODY_LEN(req);
227                 ofs += expected_dyn_size;
228                 if ((ofs % 8) != 0) {
229                         ofs += 8 - (ofs % 8);
230                 }
231
232                 if (in_negotiate_context_offset != ofs) {
233                         return smbd_smb2_request_error(req,
234                                         NT_STATUS_INVALID_PARAMETER);
235                 }
236
237                 ofs -= SMB2_HDR_BODY;
238                 ofs -= SMBD_SMB2_IN_BODY_LEN(req);
239
240                 if (SMBD_SMB2_IN_DYN_LEN(req) < ofs) {
241                         return smbd_smb2_request_error(req,
242                                         NT_STATUS_INVALID_PARAMETER);
243                 }
244
245                 in_negotiate_context_blob = data_blob_const(indyn,
246                                                 SMBD_SMB2_IN_DYN_LEN(req));
247
248                 in_negotiate_context_blob.data += ofs;
249                 in_negotiate_context_blob.length -= ofs;
250
251                 status = smb2_negotiate_context_parse(req,
252                                         in_negotiate_context_blob, &in_c);
253                 if (!NT_STATUS_IS_OK(status)) {
254                         return smbd_smb2_request_error(req, status);
255                 }
256
257                 if (in_negotiate_context_count != in_c.num_contexts) {
258                         return smbd_smb2_request_error(req,
259                                         NT_STATUS_INVALID_PARAMETER);
260                 }
261         }
262
263         switch (get_remote_arch()) {
264         case RA_VISTA:
265         case RA_SAMBA:
266         case RA_CIFSFS:
267         case RA_OSX:
268                 break;
269         default:
270                 set_remote_arch(RA_VISTA);
271                 break;
272         }
273
274         fstr_sprintf(remote_proto, "SMB%X_%02X",
275                      (dialect >> 8) & 0xFF, dialect & 0xFF);
276
277         reload_services(req->sconn, conn_snum_used, true);
278         DEBUG(3,("Selected protocol %s\n", remote_proto));
279
280         in_preauth = smb2_negotiate_context_find(&in_c,
281                                         SMB2_PREAUTH_INTEGRITY_CAPABILITIES);
282         if (protocol >= PROTOCOL_SMB3_10 && in_preauth == NULL) {
283                 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
284         }
285         in_cipher = smb2_negotiate_context_find(&in_c,
286                                         SMB2_ENCRYPTION_CAPABILITIES);
287
288         /* negprot_spnego() returns a the server guid in the first 16 bytes */
289         negprot_spnego_blob = negprot_spnego(req, xconn);
290         if (negprot_spnego_blob.data == NULL) {
291                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
292         }
293
294         if (negprot_spnego_blob.length < 16) {
295                 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
296         }
297
298         security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
299         /*
300          * We use xconn->smb1.signing_state as that's already present
301          * and used lpcfg_server_signing_allowed() to get the correct
302          * defaults, e.g. signing_required for an ad_dc.
303          */
304         signing_required = smb_signing_is_mandatory(xconn->smb1.signing_state);
305         if (signing_required) {
306                 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
307         }
308
309         capabilities = 0;
310         if (lp_host_msdfs()) {
311                 capabilities |= SMB2_CAP_DFS;
312         }
313
314         if (protocol >= PROTOCOL_SMB2_10 &&
315             lp_smb2_leases() &&
316             lp_oplocks(GLOBAL_SECTION_SNUM) &&
317             !lp_kernel_oplocks(GLOBAL_SECTION_SNUM))
318         {
319                 capabilities |= SMB2_CAP_LEASING;
320         }
321
322         if ((protocol >= PROTOCOL_SMB2_24) &&
323             (lp_smb_encrypt(-1) != SMB_SIGNING_OFF) &&
324             (in_capabilities & SMB2_CAP_ENCRYPTION)) {
325                 capabilities |= SMB2_CAP_ENCRYPTION;
326         }
327
328         /*
329          * 0x10000 (65536) is the maximum allowed message size
330          * for SMB 2.0
331          */
332         max_limit = 0x10000;
333
334         if (protocol >= PROTOCOL_SMB2_10) {
335                 int p = 0;
336
337                 if (tsocket_address_is_inet(req->sconn->local_address, "ip")) {
338                         p = tsocket_address_inet_port(req->sconn->local_address);
339                 }
340
341                 /* largeMTU is not supported over NBT (tcp port 139) */
342                 if (p != NBT_SMB_PORT) {
343                         capabilities |= SMB2_CAP_LARGE_MTU;
344                         xconn->smb2.credits.multicredit = true;
345
346                         /*
347                          * We allow up to almost 16MB.
348                          *
349                          * The maximum PDU size is 0xFFFFFF (16776960)
350                          * and we need some space for the header.
351                          */
352                         max_limit = 0xFFFF00;
353                 }
354         }
355
356         /*
357          * the defaults are 8MB, but we'll limit this to max_limit based on
358          * the dialect (64kb for SMB 2.0, 8MB for SMB >= 2.1 with LargeMTU)
359          *
360          * user configured values exceeding the limits will be overwritten,
361          * only smaller values will be accepted
362          */
363
364         max_trans = MIN(max_limit, lp_smb2_max_trans());
365         max_read = MIN(max_limit, lp_smb2_max_read());
366         max_write = MIN(max_limit, lp_smb2_max_write());
367
368         if (in_preauth != NULL) {
369                 size_t needed = 4;
370                 uint16_t hash_count;
371                 uint16_t salt_length;
372                 uint16_t selected_preauth = 0;
373                 const uint8_t *p;
374                 uint8_t buf[38];
375                 DATA_BLOB b;
376                 size_t i;
377
378                 if (in_preauth->data.length < needed) {
379                         return smbd_smb2_request_error(req,
380                                         NT_STATUS_INVALID_PARAMETER);
381                 }
382
383                 hash_count = SVAL(in_preauth->data.data, 0);
384                 salt_length = SVAL(in_preauth->data.data, 2);
385
386                 if (hash_count == 0) {
387                         return smbd_smb2_request_error(req,
388                                         NT_STATUS_INVALID_PARAMETER);
389                 }
390
391                 p = in_preauth->data.data + needed;
392                 needed += hash_count * 2;
393                 needed += salt_length;
394
395                 if (in_preauth->data.length < needed) {
396                         return smbd_smb2_request_error(req,
397                                         NT_STATUS_INVALID_PARAMETER);
398                 }
399
400                 for (i=0; i < hash_count; i++) {
401                         uint16_t v;
402
403                         v = SVAL(p, 0);
404                         p += 2;
405
406                         if (v == SMB2_PREAUTH_INTEGRITY_SHA512) {
407                                 selected_preauth = v;
408                                 break;
409                         }
410                 }
411
412                 if (selected_preauth == 0) {
413                         return smbd_smb2_request_error(req,
414                                 NT_STATUS_SMB_NO_PREAUTH_INTEGRITY_HASH_OVERLAP);
415                 }
416
417                 SSVAL(buf, 0,  1); /* HashAlgorithmCount */
418                 SSVAL(buf, 2, 32); /* SaltLength */
419                 SSVAL(buf, 4, selected_preauth);
420                 generate_random_buffer(buf + 6, 32);
421
422                 b = data_blob_const(buf, sizeof(buf));
423                 status = smb2_negotiate_context_add(req, &out_c,
424                                         SMB2_PREAUTH_INTEGRITY_CAPABILITIES, b);
425                 if (!NT_STATUS_IS_OK(status)) {
426                         return smbd_smb2_request_error(req, status);
427                 }
428
429                 req->preauth = &req->xconn->smb2.preauth;
430         }
431
432         if (in_cipher != NULL) {
433                 size_t needed = 2;
434                 uint16_t cipher_count;
435                 const uint8_t *p;
436                 uint8_t buf[4];
437                 DATA_BLOB b;
438                 size_t i;
439                 bool aes_128_ccm_supported = false;
440                 bool aes_128_gcm_supported = false;
441
442                 capabilities &= ~SMB2_CAP_ENCRYPTION;
443
444                 if (in_cipher->data.length < needed) {
445                         return smbd_smb2_request_error(req,
446                                         NT_STATUS_INVALID_PARAMETER);
447                 }
448
449                 cipher_count = SVAL(in_cipher->data.data, 0);
450
451                 if (cipher_count == 0) {
452                         return smbd_smb2_request_error(req,
453                                         NT_STATUS_INVALID_PARAMETER);
454                 }
455
456                 p = in_cipher->data.data + needed;
457                 needed += cipher_count * 2;
458
459                 if (in_cipher->data.length < needed) {
460                         return smbd_smb2_request_error(req,
461                                         NT_STATUS_INVALID_PARAMETER);
462                 }
463
464                 for (i=0; i < cipher_count; i++) {
465                         uint16_t v;
466
467                         v = SVAL(p, 0);
468                         p += 2;
469
470                         if (v == SMB2_ENCRYPTION_AES128_GCM) {
471                                 aes_128_gcm_supported = true;
472                         }
473                         if (v == SMB2_ENCRYPTION_AES128_CCM) {
474                                 aes_128_ccm_supported = true;
475                         }
476                 }
477
478                 /*
479                  * For now we preferr CCM because our implementation
480                  * is faster than GCM, see bug #11451.
481                  */
482                 if (aes_128_ccm_supported) {
483                         xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
484                 } else if (aes_128_gcm_supported) {
485                         xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_GCM;
486                 }
487
488                 SSVAL(buf, 0, 1); /* ChiperCount */
489                 SSVAL(buf, 2, xconn->smb2.server.cipher);
490
491                 b = data_blob_const(buf, sizeof(buf));
492                 status = smb2_negotiate_context_add(req, &out_c,
493                                         SMB2_ENCRYPTION_CAPABILITIES, b);
494                 if (!NT_STATUS_IS_OK(status)) {
495                         return smbd_smb2_request_error(req, status);
496                 }
497         }
498
499         if (capabilities & SMB2_CAP_ENCRYPTION) {
500                 xconn->smb2.server.cipher = SMB2_ENCRYPTION_AES128_CCM;
501         }
502
503         if (protocol >= PROTOCOL_SMB2_22 &&
504             xconn->client->server_multi_channel_enabled)
505         {
506                 if (in_capabilities & SMB2_CAP_MULTI_CHANNEL) {
507                         capabilities |= SMB2_CAP_MULTI_CHANNEL;
508                 }
509         }
510
511         security_offset = SMB2_HDR_BODY + 0x40;
512
513 #if 1
514         /* Try SPNEGO auth... */
515         security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
516                                           negprot_spnego_blob.length - 16);
517 #else
518         /* for now we want raw NTLMSSP */
519         security_buffer = data_blob_const(NULL, 0);
520 #endif
521
522         if (out_c.num_contexts != 0) {
523                 status = smb2_negotiate_context_push(req,
524                                                 &out_negotiate_context_blob,
525                                                 out_c);
526                 if (!NT_STATUS_IS_OK(status)) {
527                         return smbd_smb2_request_error(req, status);
528                 }
529         }
530
531         if (out_negotiate_context_blob.length != 0) {
532                 static const uint8_t zeros[8];
533                 size_t pad = 0;
534                 size_t ofs;
535                 bool ok;
536
537                 outdyn = data_blob_dup_talloc(req, security_buffer);
538                 if (outdyn.length != security_buffer.length) {
539                         return smbd_smb2_request_error(req,
540                                                 NT_STATUS_NO_MEMORY);
541                 }
542
543                 ofs = security_offset + security_buffer.length;
544                 if ((ofs % 8) != 0) {
545                         pad = 8 - (ofs % 8);
546                 }
547                 ofs += pad;
548
549                 ok = data_blob_append(req, &outdyn, zeros, pad);
550                 if (!ok) {
551                         return smbd_smb2_request_error(req,
552                                                 NT_STATUS_NO_MEMORY);
553                 }
554
555                 ok = data_blob_append(req, &outdyn,
556                                       out_negotiate_context_blob.data,
557                                       out_negotiate_context_blob.length);
558                 if (!ok) {
559                         return smbd_smb2_request_error(req,
560                                                 NT_STATUS_NO_MEMORY);
561                 }
562
563                 out_negotiate_context_offset = ofs;
564                 out_negotiate_context_count = out_c.num_contexts;
565         } else {
566                 outdyn = security_buffer;
567         }
568
569         out_guid_blob = data_blob_const(negprot_spnego_blob.data, 16);
570         status = GUID_from_ndr_blob(&out_guid_blob, &out_guid);
571         if (!NT_STATUS_IS_OK(status)) {
572                 return smbd_smb2_request_error(req, status);
573         }
574
575         outbody = smbd_smb2_generate_outbody(req, 0x40);
576         if (outbody.data == NULL) {
577                 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
578         }
579
580         SSVAL(outbody.data, 0x00, 0x40 + 1);    /* struct size */
581         SSVAL(outbody.data, 0x02,
582               security_mode);                   /* security mode */
583         SSVAL(outbody.data, 0x04, dialect);     /* dialect revision */
584         SSVAL(outbody.data, 0x06,
585               out_negotiate_context_count);     /* reserved/NegotiateContextCount */
586         memcpy(outbody.data + 0x08,
587                out_guid_blob.data, 16); /* server guid */
588         SIVAL(outbody.data, 0x18,
589               capabilities);                    /* capabilities */
590         SIVAL(outbody.data, 0x1C, max_trans);   /* max transact size */
591         SIVAL(outbody.data, 0x20, max_read);    /* max read size */
592         SIVAL(outbody.data, 0x24, max_write);   /* max write size */
593         SBVAL(outbody.data, 0x28, now);         /* system time */
594         SBVAL(outbody.data, 0x30, 0);           /* server start time */
595         SSVAL(outbody.data, 0x38,
596               security_offset);                 /* security buffer offset */
597         SSVAL(outbody.data, 0x3A,
598               security_buffer.length);          /* security buffer length */
599         SIVAL(outbody.data, 0x3C,
600               out_negotiate_context_offset);    /* reserved/NegotiateContextOffset */
601
602         req->sconn->using_smb2 = true;
603
604         if (dialect != SMB2_DIALECT_REVISION_2FF) {
605                 struct smbXsrv_client_global0 *global0 = NULL;
606
607                 status = smbXsrv_connection_init_tables(xconn, protocol);
608                 if (!NT_STATUS_IS_OK(status)) {
609                         return smbd_smb2_request_error(req, status);
610                 }
611
612                 xconn->smb2.client.capabilities = in_capabilities;
613                 xconn->smb2.client.security_mode = in_security_mode;
614                 xconn->smb2.client.guid = in_guid;
615                 xconn->smb2.client.num_dialects = dialect_count;
616                 xconn->smb2.client.dialects = talloc_array(xconn,
617                                                            uint16_t,
618                                                            dialect_count);
619                 if (xconn->smb2.client.dialects == NULL) {
620                         return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
621                 }
622                 for (c=0; c < dialect_count; c++) {
623                         xconn->smb2.client.dialects[c] = SVAL(indyn, c*2);
624                 }
625
626                 xconn->smb2.server.capabilities = capabilities;
627                 xconn->smb2.server.security_mode = security_mode;
628                 xconn->smb2.server.guid = out_guid;
629                 xconn->smb2.server.dialect = dialect;
630                 xconn->smb2.server.max_trans = max_trans;
631                 xconn->smb2.server.max_read  = max_read;
632                 xconn->smb2.server.max_write = max_write;
633
634                 if (xconn->protocol < PROTOCOL_SMB2_10) {
635                         /*
636                          * SMB2_02 doesn't support client guids
637                          */
638                         return smbd_smb2_request_done(req, outbody, &outdyn);
639                 }
640
641                 if (!xconn->client->server_multi_channel_enabled) {
642                         /*
643                          * Only deal with the client guid database
644                          * if multi-channel is enabled.
645                          */
646                         return smbd_smb2_request_done(req, outbody, &outdyn);
647                 }
648
649                 if (xconn->smb2.client.guid_verified) {
650                         /*
651                          * The connection was passed from another
652                          * smbd process.
653                          */
654                         return smbd_smb2_request_done(req, outbody, &outdyn);
655                 }
656
657                 status = smb2srv_client_lookup_global(xconn->client,
658                                                 xconn->smb2.client.guid,
659                                                 req, &global0);
660                 /*
661                  * TODO: check for races...
662                  */
663                 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECTID_NOT_FOUND)) {
664                         /*
665                          * This stores the new client information in
666                          * smbXsrv_client_global.tdb
667                          */
668                         xconn->client->global->client_guid =
669                                                 xconn->smb2.client.guid;
670                         status = smbXsrv_client_update(xconn->client);
671                         if (!NT_STATUS_IS_OK(status)) {
672                                 return status;
673                         }
674
675                         xconn->smb2.client.guid_verified = true;
676                 } else if (NT_STATUS_IS_OK(status)) {
677                         status = smb2srv_client_connection_pass(req,
678                                                                 global0);
679                         if (!NT_STATUS_IS_OK(status)) {
680                                 return smbd_smb2_request_error(req, status);
681                         }
682
683                         smbd_server_connection_terminate(xconn,
684                                                          "passed connection");
685                         return NT_STATUS_OBJECTID_EXISTS;
686                 } else {
687                         return smbd_smb2_request_error(req, status);
688                 }
689         }
690
691         return smbd_smb2_request_done(req, outbody, &outdyn);
692 }