s3:libsmb: use anonymous authentication via spnego if possible
authorStefan Metzmacher <metze@samba.org>
Tue, 19 Apr 2016 05:33:03 +0000 (07:33 +0200)
committerStefan Metzmacher <metze@samba.org>
Thu, 28 Apr 2016 14:51:16 +0000 (16:51 +0200)
This makes the authentication consistent between
SMB1 with CAP_EXTENDED_SECURITY (introduced in Windows 2000)
and SNB2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11841

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: G√ľnther Deschner <gd@samba.org>
source3/libsmb/cliconnect.c

index b984087e74883d314f6c1150c0539b35f3dd9e3c..ea92c8f092dc436cb9a23930029e714bc559cc6a 100644 (file)
@@ -1643,6 +1643,19 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
                }
        }
 
+       if (state->is_anonymous) {
+               /*
+                * Windows server does not set the
+                * SMB2_SESSION_FLAG_IS_NULL flag.
+                *
+                * This fix makes sure we do not try
+                * to verify a signature on the final
+                * session setup response.
+                */
+               tevent_req_done(req);
+               return;
+       }
+
        status = gensec_session_key(state->auth_generic->gensec_security,
                                    state, &state->session_key);
        if (tevent_req_nterror(req, status)) {
@@ -1652,20 +1665,6 @@ static void cli_session_setup_gensec_ready(struct tevent_req *req)
        if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB2_02) {
                struct smbXcli_session *session = state->cli->smb2.session;
 
-               if (state->is_anonymous) {
-                       /*
-                        * Windows server does not set the
-                        * SMB2_SESSION_FLAG_IS_GUEST nor
-                        * SMB2_SESSION_FLAG_IS_NULL flag.
-                        *
-                        * This fix makes sure we do not try
-                        * to verify a signature on the final
-                        * session setup response.
-                        */
-                       tevent_req_done(req);
-                       return;
-               }
-
                status = smb2cli_session_set_session_key(session,
                                                         state->session_key,
                                                         state->recv_iov);
@@ -2095,6 +2094,21 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
                return req;
        }
 
+       /*
+        * if the server supports extended security then use SPNEGO
+        * even for anonymous connections.
+        */
+       if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
+               subreq = cli_session_setup_spnego_send(
+                       state, ev, cli, user, pass, workgroup);
+               if (tevent_req_nomem(subreq, req)) {
+                       return tevent_req_post(req, ev);
+               }
+               tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
+                                       req);
+               return req;
+       }
+
        /* if no user is supplied then we have to do an anonymous connection.
           passwords are ignored */
 
@@ -2143,18 +2157,7 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx,
                return req;
        }
 
-       /* if the server supports extended security then use SPNEGO */
-
-       if (smb1cli_conn_capabilities(cli->conn) & CAP_EXTENDED_SECURITY) {
-               subreq = cli_session_setup_spnego_send(
-                       state, ev, cli, user, pass, workgroup);
-               if (tevent_req_nomem(subreq, req)) {
-                       return tevent_req_post(req, ev);
-               }
-               tevent_req_set_callback(subreq, cli_session_setup_done_spnego,
-                                       req);
-               return req;
-       } else {
+       {
                /* otherwise do a NT1 style session setup */
                if (lp_client_ntlmv2_auth() && lp_client_use_spnego()) {
                        /*