{-1,NULL}
};
+/**
+ * Set the user session key for a connection
+ * @param cli The cli structure to add it too
+ * @param session_key The session key used. (A copy of this is taken for the cli struct)
+ *
+ */
+
+static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key)
+{
+ cli->user_session_key = data_blob(session_key.data, session_key.length);
+}
+
/****************************************************************************
Do an old lanman2 style session setup.
****************************************************************************/
static BOOL cli_session_setup_lanman2(struct cli_state *cli, const char *user,
const char *pass, size_t passlen, const char *workgroup)
{
+ DATA_BLOB session_key = data_blob(NULL, 0);
+ DATA_BLOB lm_response = data_blob(NULL, 0);
fstring pword;
char *p;
if (passlen > sizeof(pword)-1)
return False;
+ /* LANMAN servers predate NT status codes and Unicode and ignore those
+ smb flags so we must disable the corresponding default capabilities
+ that would otherwise cause the Unicode and NT Status flags to be
+ set (and even returned by the server) */
+
+ cli->capabilities &= ~(CAP_UNICODE | CAP_STATUS32);
+
/* if in share level security then don't send a password now */
if (!(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL))
passlen = 0;
if (passlen > 0 && (cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen != 24) {
/* Encrypted mode needed, and non encrypted password supplied. */
- passlen = 24;
- SMBencrypt(pass,cli->secblob.data,(uchar *)pword);
+ lm_response = data_blob(NULL, 24);
+ if (!SMBencrypt(pass, cli->secblob.data,(uchar *)lm_response.data)) {
+ DEBUG(1, ("Password is > 14 chars in length, and is therefore incompatible with Lanman authentication\n"));
+ return False;
+ }
} else if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && passlen == 24) {
/* Encrypted mode needed, and encrypted password supplied. */
- memcpy(pword, pass, passlen);
+ lm_response = data_blob(pass, passlen);
} else if (passlen > 0) {
/* Plaintext mode needed, assume plaintext supplied. */
- passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE);
+ passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE);
+ lm_response = data_blob(pass, passlen);
}
/* send a session setup command */
SSVAL(cli->outbuf,smb_vwv3,2);
SSVAL(cli->outbuf,smb_vwv4,1);
SIVAL(cli->outbuf,smb_vwv5,cli->sesskey);
- SSVAL(cli->outbuf,smb_vwv7,passlen);
+ SSVAL(cli->outbuf,smb_vwv7,lm_response.length);
p = smb_buf(cli->outbuf);
- memcpy(p,pword,passlen);
- p += passlen;
+ memcpy(p,lm_response.data,lm_response.length);
+ p += lm_response.length;
p += clistr_push(cli, p, user, -1, STR_TERMINATE|STR_UPPER);
p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER);
p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
cli->vuid = SVAL(cli->inbuf,smb_uid);
fstrcpy(cli->user_name, user);
+ if (session_key.data) {
+ /* Have plaintext orginal */
+ cli_set_session_key(cli, session_key);
+ }
+
return True;
}
if (cli->use_level_II_oplocks)
capabilities |= CAP_LEVEL_II_OPLOCKS;
- if (cli->capabilities & CAP_UNICODE)
- capabilities |= CAP_UNICODE;
-
- if (cli->capabilities & CAP_LARGE_FILES)
- capabilities |= CAP_LARGE_FILES;
-
+ capabilities |= (cli->capabilities & (CAP_UNICODE|CAP_LARGE_FILES|CAP_LARGE_READX|CAP_LARGE_WRITEX|CAP_DFS));
return capabilities;
}
{
uint32 capabilities = cli_session_setup_capabilities(cli);
char *p;
+ fstring lanman;
+
+ fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
set_message(cli->outbuf,13,0,True);
SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
SSVAL(cli->outbuf,smb_vwv8,0);
SIVAL(cli->outbuf,smb_vwv11,capabilities);
p = smb_buf(cli->outbuf);
- p += clistr_push(cli, p, pass, -1, STR_TERMINATE); /* password */
- SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf)));
+
+ /* check wether to send the ASCII or UNICODE version of the password */
+
+ if ( (capabilities & CAP_UNICODE) == 0 ) {
+ p += clistr_push(cli, p, pass, -1, STR_TERMINATE); /* password */
+ SSVAL(cli->outbuf,smb_vwv7,PTR_DIFF(p, smb_buf(cli->outbuf)));
+ }
+ else {
+ p += clistr_push(cli, p, pass, -1, STR_UNICODE|STR_TERMINATE); /* unicode password */
+ SSVAL(cli->outbuf,smb_vwv8,PTR_DIFF(p, smb_buf(cli->outbuf)));
+ }
+
p += clistr_push(cli, p, user, -1, STR_TERMINATE); /* username */
p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE); /* workgroup */
p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
- p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
+ p += clistr_push(cli, p, lanman, -1, STR_TERMINATE);
cli_setup_bcc(cli, p);
cli_send_smb(cli);
return True;
}
-static void set_signing_on_cli (struct cli_state *cli, uint8 user_session_key[16], DATA_BLOB response)
-{
- uint8 zero_sig[8];
- ZERO_STRUCT(zero_sig);
-
- DEBUG(5, ("Server returned security sig:\n"));
- dump_data(5, &cli->inbuf[smb_ss_field], 8);
-
- if (cli->sign_info.use_smb_signing) {
- DEBUG(5, ("smb signing already active on connection\n"));
- } else if (memcmp(&cli->inbuf[smb_ss_field], zero_sig, 8) != 0) {
-
- DEBUG(3, ("smb signing enabled!\n"));
- cli->sign_info.use_smb_signing = True;
- cli_calculate_mac_key(cli, user_session_key, response);
- } else {
- DEBUG(5, ("smb signing NOT enabled!\n"));
- }
-}
-
-static void set_cli_session_key (struct cli_state *cli, DATA_BLOB session_key)
-{
- memcpy(cli->user_session_key, session_key.data, MIN(session_key.length, sizeof(cli->user_session_key)));
-}
-
-
-static void set_temp_signing_on_cli(struct cli_state *cli)
-{
- if (cli->sign_info.negotiated_smb_signing)
- cli->sign_info.temp_smb_signing = True;
-}
-
-
/****************************************************************************
- do a NT1 NTLM/LM encrypted session setup
+ do a NT1 NTLM/LM encrypted session setup - for when extended security
+ is not negotiated.
@param cli client state to create do session setup on
@param user username
@param pass *either* cleartext password (passlen !=24) or LM response.
BOOL ret = False;
char *p;
- if (passlen != 24) {
+ if (passlen == 0) {
+ /* do nothing - guest login */
+ } else if (passlen != 24) {
if (lp_client_ntlmv2_auth()) {
DATA_BLOB server_chal;
-
+ DATA_BLOB names_blob;
server_chal = data_blob(cli->secblob.data, MIN(cli->secblob.length, 8));
- if (!SMBNTLMv2encrypt(user, workgroup, pass, server_chal,
+ /* note that the 'workgroup' here is a best guess - we don't know
+ the server's domain at this point. The 'server name' is also
+ dodgy...
+ */
+ names_blob = NTLMv2_generate_names_blob(cli->called.name, workgroup);
+
+ if (!SMBNTLMv2encrypt(user, workgroup, pass, &server_chal,
+ &names_blob,
&lm_response, &nt_response, &session_key)) {
+ data_blob_free(&names_blob);
data_blob_free(&server_chal);
return False;
}
+ data_blob_free(&names_blob);
data_blob_free(&server_chal);
} else {
uchar nt_hash[16];
E_md4hash(pass, nt_hash);
+#ifdef LANMAN_ONLY
+ nt_response = data_blob(NULL, 0);
+#else
+ nt_response = data_blob(NULL, 24);
+ SMBNTencrypt(pass,cli->secblob.data,nt_response.data);
+#endif
/* non encrypted password supplied. Ignore ntpass. */
if (lp_client_lanman_auth()) {
lm_response = data_blob(NULL, 24);
- SMBencrypt(pass,cli->secblob.data,lm_response.data);
+ if (!SMBencrypt(pass,cli->secblob.data, lm_response.data)) {
+ /* Oops, the LM response is invalid, just put
+ the NT response there instead */
+ data_blob_free(&lm_response);
+ lm_response = data_blob(nt_response.data, nt_response.length);
+ }
+ } else {
+ /* LM disabled, place NT# in LM field instead */
+ lm_response = data_blob(nt_response.data, nt_response.length);
}
- nt_response = data_blob(NULL, 24);
- SMBNTencrypt(pass,cli->secblob.data,nt_response.data);
session_key = data_blob(NULL, 16);
+#ifdef LANMAN_ONLY
+ E_deshash(pass, session_key.data);
+ memset(&session_key.data[8], '\0', 8);
+#else
SMBsesskeygen_ntv1(nt_hash, NULL, session_key.data);
+#endif
}
-
- set_temp_signing_on_cli(cli);
+#ifdef LANMAN_ONLY
+ cli_simple_set_signing(cli, session_key, lm_response);
+#else
+ cli_simple_set_signing(cli, session_key, nt_response);
+#endif
} else {
/* pre-encrypted password supplied. Only used for
security=server, can't do
- signing becouse we don't have oringial key */
+ signing because we don't have original key */
lm_response = data_blob(pass, passlen);
nt_response = data_blob(ntpass, ntpasslen);
memcpy(p,nt_response.data, nt_response.length); p += nt_response.length;
}
p += clistr_push(cli, p, user, -1, STR_TERMINATE);
- p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE);
+
+ /* Upper case here might help some NTLMv2 implementations */
+ p += clistr_push(cli, p, workgroup, -1, STR_TERMINATE|STR_UPPER);
p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
cli_setup_bcc(cli, p);
goto end;
}
- show_msg(cli->inbuf);
+ /* show_msg(cli->inbuf); */
if (cli_is_error(cli)) {
ret = False;
if (session_key.data) {
/* Have plaintext orginal */
- set_cli_session_key(cli, session_key);
- set_signing_on_cli(cli, session_key.data, nt_response);
+ cli_set_session_key(cli, session_key);
}
+ ret = True;
end:
data_blob_free(&lm_response);
data_blob_free(&nt_response);
data_blob_free(&session_key);
- return True;
+ return ret;
}
/****************************************************************************
- Send a extended security session setup blob, returning a reply blob.
+ Send a extended security session setup blob
****************************************************************************/
-static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
+static BOOL cli_session_setup_blob_send(struct cli_state *cli, DATA_BLOB blob)
{
uint32 capabilities = cli_session_setup_capabilities(cli);
char *p;
- DATA_BLOB blob2 = data_blob(NULL, 0);
- uint32 len;
capabilities |= CAP_EXTENDED_SECURITY;
set_message(cli->outbuf,12,0,True);
SCVAL(cli->outbuf,smb_com,SMBsesssetupX);
- set_temp_signing_on_cli(cli);
-
cli_setup_packet(cli);
SCVAL(cli->outbuf,smb_vwv0,0xFF);
p += clistr_push(cli, p, "Unix", -1, STR_TERMINATE);
p += clistr_push(cli, p, "Samba", -1, STR_TERMINATE);
cli_setup_bcc(cli, p);
- cli_send_smb(cli);
+ return cli_send_smb(cli);
+}
+
+/****************************************************************************
+ Send a extended security session setup blob, returning a reply blob.
+****************************************************************************/
+
+static DATA_BLOB cli_session_setup_blob_receive(struct cli_state *cli)
+{
+ DATA_BLOB blob2 = data_blob(NULL, 0);
+ char *p;
+ size_t len;
if (!cli_receive_smb(cli))
return blob2;
}
#ifdef HAVE_KRB5
+
+/****************************************************************************
+ Send a extended security session setup blob, returning a reply blob.
+****************************************************************************/
+
+static DATA_BLOB cli_session_setup_blob(struct cli_state *cli, DATA_BLOB blob)
+{
+ DATA_BLOB blob2 = data_blob(NULL, 0);
+ if (!cli_session_setup_blob_send(cli, blob)) {
+ return blob2;
+ }
+
+ return cli_session_setup_blob_receive(cli);
+}
+
/****************************************************************************
Use in-memory credentials cache
****************************************************************************/
+
static void use_in_memory_ccache(void) {
setenv(KRB5_ENV_CCNAME, "MEMORY:cliconnect", 1);
}
Do a spnego/kerberos encrypted session setup.
****************************************************************************/
-static BOOL cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
+static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char *principal, const char *workgroup)
{
DATA_BLOB blob2, negTokenTarg;
+ DATA_BLOB session_key_krb5;
+ DATA_BLOB null_blob = data_blob(NULL, 0);
+ int rc;
DEBUG(2,("Doing kerberos session setup\n"));
/* generate the encapsulated kerberos5 ticket */
- negTokenTarg = spnego_gen_negTokenTarg(principal, 0);
+ rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5);
- if (!negTokenTarg.data) return False;
+ if (rc) {
+ DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc)));
+ return ADS_ERROR_KRB5(rc);
+ }
#if 0
file_save("negTokenTarg.dat", negTokenTarg.data, negTokenTarg.length);
#endif
+ cli_simple_set_signing(cli, session_key_krb5, null_blob);
+
blob2 = cli_session_setup_blob(cli, negTokenTarg);
/* we don't need this blob for kerberos */
data_blob_free(&blob2);
+ cli_set_session_key(cli, session_key_krb5);
+
data_blob_free(&negTokenTarg);
+ data_blob_free(&session_key_krb5);
- return !cli_is_error(cli);
+ if (cli_is_error(cli)) {
+ if (NT_STATUS_IS_OK(cli_nt_error(cli))) {
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
+ }
+ return ADS_ERROR_NT(cli_nt_error(cli));
}
-#endif
+#endif /* HAVE_KRB5 */
+
/****************************************************************************
Do a spnego/NTLMSSP encrypted session setup.
****************************************************************************/
-static BOOL cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
- const char *pass, const char *workgroup)
+static NTSTATUS cli_session_setup_ntlmssp(struct cli_state *cli, const char *user,
+ const char *pass, const char *domain)
{
- struct ntlmssp_client_state *ntlmssp_state;
+ struct ntlmssp_state *ntlmssp_state;
NTSTATUS nt_status;
int turn = 1;
DATA_BLOB msg1;
- DATA_BLOB blob;
+ DATA_BLOB blob = data_blob(NULL, 0);
DATA_BLOB blob_in = data_blob(NULL, 0);
- DATA_BLOB blob_out;
+ DATA_BLOB blob_out = data_blob(NULL, 0);
+
+ cli_temp_set_signing(cli);
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_client_start(&ntlmssp_state))) {
- return False;
+ return nt_status;
}
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_username(ntlmssp_state, user))) {
- return False;
+ return nt_status;
}
- if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, workgroup))) {
- return False;
+ if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_domain(ntlmssp_state, domain))) {
+ return nt_status;
}
if (!NT_STATUS_IS_OK(nt_status = ntlmssp_set_password(ntlmssp_state, pass))) {
- return False;
+ return nt_status;
}
- ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth();
-
do {
- nt_status = ntlmssp_client_update(ntlmssp_state,
+ nt_status = ntlmssp_update(ntlmssp_state,
blob_in, &blob_out);
data_blob_free(&blob_in);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
}
/* now send that blob on its way */
- blob = cli_session_setup_blob(cli, msg1);
- data_blob_free(&msg1);
- nt_status = cli_nt_error(cli);
+ if (!cli_session_setup_blob_send(cli, msg1)) {
+ DEBUG(3, ("Failed to send NTLMSSP/SPNEGO blob to server!\n"));
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+ } else {
+ data_blob_free(&msg1);
+
+ blob = cli_session_setup_blob_receive(cli);
+
+ nt_status = cli_nt_error(cli);
+ if (cli_is_error(cli) && NT_STATUS_IS_OK(nt_status)) {
+ if (cli->smb_rw_error == READ_BAD_SIG) {
+ nt_status = NT_STATUS_ACCESS_DENIED;
+ } else {
+ nt_status = NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+ }
}
if (!blob.length) {
}
data_blob_free(&tmp_blob);
} else {
- /* the server might give us back two challenges */
if (!spnego_parse_auth_response(blob, nt_status,
&blob_in)) {
DEBUG(3,("Failed to parse auth response\n"));
} while (NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED));
if (NT_STATUS_IS_OK(nt_status)) {
- set_cli_session_key(cli, ntlmssp_state->session_key);
- }
- if (!NT_STATUS_IS_OK(ntlmssp_client_end(&ntlmssp_state))) {
- return False;
+ DATA_BLOB key = data_blob(ntlmssp_state->session_key.data,
+ ntlmssp_state->session_key.length);
+ DATA_BLOB null_blob = data_blob(NULL, 0);
+ BOOL res;
+
+ fstrcpy(cli->server_domain, ntlmssp_state->server_domain);
+ cli_set_session_key(cli, ntlmssp_state->session_key);
+
+ res = cli_simple_set_signing(cli, key, null_blob);
+
+ data_blob_free(&key);
+
+ if (res) {
+
+ /* 'resign' the last message, so we get the right sequence numbers
+ for checking the first reply from the server */
+ cli_calculate_sign_mac(cli);
+
+ if (!cli_check_sign_mac(cli)) {
+ nt_status = NT_STATUS_ACCESS_DENIED;
+ }
+ }
}
- return (NT_STATUS_IS_OK(nt_status));
+ /* we have a reference conter on ntlmssp_state, if we are signing
+ then the state will be kept by the signing engine */
+
+ ntlmssp_end(&ntlmssp_state);
+
+ return nt_status;
}
/****************************************************************************
Do a spnego encrypted session setup.
****************************************************************************/
-static BOOL cli_session_setup_spnego(struct cli_state *cli, const char *user,
- const char *pass, const char *workgroup)
+ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
+ const char *pass, const char *domain)
{
char *principal;
char *OIDs[ASN1_MAX_OIDS];
BOOL got_kerberos_mechanism = False;
DATA_BLOB blob;
- DEBUG(2,("Doing spnego session setup (blob length=%d)\n", cli->secblob.length));
+ DEBUG(3,("Doing spnego session setup (blob length=%lu)\n", (unsigned long)cli->secblob.length));
/* the server might not even do spnego */
if (cli->secblob.length <= 16) {
reply */
if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
data_blob_free(&blob);
- return False;
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
data_blob_free(&blob);
* and do not store results */
if (got_kerberos_mechanism && cli->use_kerberos) {
- if (*pass) {
+ ADS_STATUS rc;
+
+ if (pass && *pass) {
int ret;
use_in_memory_ccache();
- ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */);
+ ret = kerberos_kinit_password(user, pass, 0 /* no time correction for now */, NULL, NULL);
if (ret){
+ SAFE_FREE(principal);
DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
- return False;
+ if (cli->fallback_after_kerberos)
+ goto ntlmssp;
+ return ADS_ERROR_KRB5(ret);
}
}
- return cli_session_setup_kerberos(cli, principal, workgroup);
+ rc = cli_session_setup_kerberos(cli, principal, domain);
+ if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) {
+ SAFE_FREE(principal);
+ return rc;
+ }
}
#endif
- free(principal);
+ SAFE_FREE(principal);
ntlmssp:
- return cli_session_setup_ntlmssp(cli, user, pass, workgroup);
+ return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain));
}
/****************************************************************************
/* if its an older server then we have to use the older request format */
- if (cli->protocol < PROTOCOL_NT1)
+ if (cli->protocol < PROTOCOL_NT1) {
+ if (!lp_client_lanman_auth() && passlen != 24 && (*pass)) {
+ DEBUG(1, ("Server requested LM password but 'client lanman auth'"
+ " is disabled\n"));
+ return False;
+ }
+
+ if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 &&
+ !lp_client_plaintext_auth() && (*pass)) {
+ DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+ " is disabled\n"));
+ return False;
+ }
+
return cli_session_setup_lanman2(cli, user, pass, passlen, workgroup);
+ }
/* if no user is supplied then we have to do an anonymous connection.
passwords are ignored */
password at this point. The password is sent in the tree
connect */
- if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0)
+ if ((cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) == 0)
return cli_session_setup_plaintext(cli, user, "", workgroup);
/* if the server doesn't support encryption then we have to use
plaintext. The second password is ignored */
- if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0)
+ if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) {
+ if (!lp_client_plaintext_auth() && (*pass)) {
+ DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+ " is disabled\n"));
+ return False;
+ }
return cli_session_setup_plaintext(cli, user, pass, workgroup);
+ }
- /* Indidicate signing */
-
/* if the server supports extended security then use SPNEGO */
- if (cli->capabilities & CAP_EXTENDED_SECURITY)
- return cli_session_setup_spnego(cli, user, pass, workgroup);
+ if (cli->capabilities & CAP_EXTENDED_SECURITY) {
+ ADS_STATUS status = cli_session_setup_spnego(cli, user, pass, workgroup);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(3, ("SPNEGO login failed: %s\n", ads_errstr(status)));
+ return False;
+ }
+ return True;
+ }
/* otherwise do a NT1 style session setup */
if (!cli_receive_smb(cli))
return False;
- return !cli_is_error(cli);
+ if (cli_is_error(cli)) {
+ return False;
+ }
+
+ cli->cnum = -1;
+ return True;
}
/****************************************************************************
Send a tconX.
****************************************************************************/
-
BOOL cli_send_tconX(struct cli_state *cli,
const char *share, const char *dev, const char *pass, int passlen)
{
}
if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) && *pass && passlen != 24) {
+ if (!lp_client_lanman_auth()) {
+ DEBUG(1, ("Server requested LANMAN password (share-level security) but 'client use lanman auth'"
+ " is disabled\n"));
+ return False;
+ }
+
/*
* Non-encrypted passwords - convert to DOS codepage before encryption.
*/
SMBencrypt(pass,cli->secblob.data,(uchar *)pword);
} else {
if((cli->sec_mode & (NEGOTIATE_SECURITY_USER_LEVEL|NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)) == 0) {
+ if (!lp_client_plaintext_auth() && (*pass)) {
+ DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+ " is disabled\n"));
+ return False;
+ }
+
/*
* Non-encrypted passwords - convert to DOS codepage before using.
*/
- passlen = clistr_push(cli, pword, pass, -1, STR_TERMINATE);
+ passlen = clistr_push(cli, pword, pass, sizeof(pword), STR_TERMINATE);
+
} else {
memcpy(pword, pass, passlen);
}
memcpy(p,pword,passlen);
p += passlen;
p += clistr_push(cli, p, fullshare, -1, STR_TERMINATE |STR_UPPER);
- fstrcpy(p, dev); p += strlen(dev)+1;
+ p += clistr_push(cli, p, dev, -1, STR_TERMINATE |STR_UPPER | STR_ASCII);
cli_setup_bcc(cli, p);
clistr_pull(cli, cli->dev, smb_buf(cli->inbuf), sizeof(fstring), -1, STR_TERMINATE|STR_ASCII);
- if (strcasecmp(share,"IPC$")==0)
- fstrcpy(cli->dev, "IPC");
-
if (cli->protocol >= PROTOCOL_NT1 &&
smb_buflen(cli->inbuf) == 3) {
/* almost certainly win95 - enable bug fixes */
cli->win95 = True;
}
+
+ if ( cli->protocol >= PROTOCOL_LANMAN2 )
+ cli->dfsroot = (SVAL( cli->inbuf, smb_vwv2 ) & SMB_SHARE_IN_DFS);
cli->cnum = SVAL(cli->inbuf,smb_tid);
return True;
if (!cli_receive_smb(cli))
return False;
- return !cli_is_error(cli);
+ if (cli_is_error(cli)) {
+ return False;
+ }
+
+ cli->cnum = -1;
+ return True;
}
/****************************************************************************
int numprots;
int plength;
- if (cli->sign_info.use_smb_signing) {
- DEBUG(0, ("Cannot send negprot again, particularly after setting up SMB Signing\n"));
- return False;
- }
-
if (cli->protocol < PROTOCOL_NT1)
cli->use_spnego = False;
cli->protocol = prots[SVAL(cli->inbuf,smb_vwv0)].prot;
+ if ((cli->protocol < PROTOCOL_NT1) && cli->sign_info.mandatory_signing) {
+ DEBUG(0,("cli_negprot: SMB signing is mandatory and the selected protocol level doesn't support it.\n"));
+ return False;
+ }
+
if (cli->protocol >= PROTOCOL_NT1) {
/* NT protocol */
cli->sec_mode = CVAL(cli->inbuf,smb_vwv1);
smb_buflen(cli->inbuf)-8, STR_UNICODE|STR_NOALIGN);
}
- if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED))
- cli->sign_info.negotiated_smb_signing = True;
+ /*
+ * As signing is slow we only turn it on if either the client or
+ * the server require it. JRA.
+ */
- if ((cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) && cli->sign_info.allow_smb_signing)
+ if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) {
+ /* Fail if server says signing is mandatory and we don't want to support it. */
+ if (!cli->sign_info.allow_smb_signing) {
+ DEBUG(0,("cli_negprot: SMB signing is mandatory and we have disabled it.\n"));
+ return False;
+ }
cli->sign_info.negotiated_smb_signing = True;
+ cli->sign_info.mandatory_signing = True;
+ } else if (cli->sign_info.mandatory_signing && cli->sign_info.allow_smb_signing) {
+ /* Fail if client says signing is mandatory and the server doesn't support it. */
+ if (!(cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) {
+ DEBUG(1,("cli_negprot: SMB signing is mandatory and the server doesn't support it.\n"));
+ return False;
+ }
+ cli->sign_info.negotiated_smb_signing = True;
+ cli->sign_info.mandatory_signing = True;
+ } else if (cli->sec_mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED) {
+ cli->sign_info.negotiated_smb_signing = True;
+ }
+
+ if (cli->capabilities & (CAP_LARGE_READX|CAP_LARGE_WRITEX)) {
+ SAFE_FREE(cli->outbuf);
+ SAFE_FREE(cli->inbuf);
+ cli->outbuf = (char *)SMB_MALLOC(CLI_MAX_LARGE_READX_SIZE+SAFETY_MARGIN);
+ cli->inbuf = (char *)SMB_MALLOC(CLI_MAX_LARGE_READX_SIZE+SAFETY_MARGIN);
+ cli->bufsize = CLI_MAX_LARGE_READX_SIZE;
+ }
} else if (cli->protocol >= PROTOCOL_LANMAN1) {
cli->use_spnego = False;
cli->sec_mode = SVAL(cli->inbuf,smb_vwv1);
cli->max_xmit = SVAL(cli->inbuf,smb_vwv2);
+ cli->max_mux = SVAL(cli->inbuf, smb_vwv3);
cli->sesskey = IVAL(cli->inbuf,smb_vwv6);
cli->serverzone = SVALS(cli->inbuf,smb_vwv10);
cli->serverzone *= 60;
if (cli->port == 445)
return True;
- if (cli->sign_info.use_smb_signing) {
- DEBUG(0, ("Cannot send session resquest again, particularly after setting up SMB Signing\n"));
- return False;
- }
-
/* send a session request (RFC 1002) */
/* setup the packet length
* Remove four bytes from the length count, since the length
Initialise client credentials for authenticated pipe access.
****************************************************************************/
-static void init_creds(struct ntuser_creds *creds, const char* username,
+void init_creds(struct ntuser_creds *creds, const char* username,
const char* domain, const char* password)
{
ZERO_STRUCTP(creds);
}
/**
- establishes a connection right up to doing tconX, password specified.
+ establishes a connection to after the negprot.
@param output_cli A fully initialised cli structure, non-null only on success
@param dest_host The netbios name of the remote host
@param dest_ip (optional) The the destination IP, NULL for name based lookup
@param port (optional) The destination port (0 for default)
- @param service (optional) The share to make the connection to. Should be 'unqualified' in any way.
- @param service_type The 'type' of serivice.
- @param user Username, unix string
- @param domain User's domain
- @param password User's password, unencrypted unix string.
@param retry BOOL. Did this connection fail with a retryable error ?
-*/
-NTSTATUS cli_full_connection(struct cli_state **output_cli,
- const char *my_name,
- const char *dest_host,
- struct in_addr *dest_ip, int port,
- const char *service, const char *service_type,
- const char *user, const char *domain,
- const char *password, int flags,
- BOOL *retry)
+*/
+NTSTATUS cli_start_connection(struct cli_state **output_cli,
+ const char *my_name,
+ const char *dest_host,
+ struct in_addr *dest_ip, int port,
+ int signing_state, int flags,
+ BOOL *retry)
{
- struct ntuser_creds creds;
NTSTATUS nt_status;
struct nmb_name calling;
struct nmb_name called;
again:
- DEBUG(3,("Connecting to host=%s share=%s\n", dest_host, service));
+ DEBUG(3,("Connecting to host=%s\n", dest_host));
if (!cli_connect(cli, dest_host, &ip)) {
DEBUG(1,("cli_full_connection: failed to connect to %s (%s)\n",
return NT_STATUS_UNSUCCESSFUL;
}
+ cli_setup_signing_state(cli, signing_state);
+
if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO)
cli->use_spnego = False;
else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS)
return nt_status;
}
+ *output_cli = cli;
+ return NT_STATUS_OK;
+}
+
+
+/**
+ establishes a connection right up to doing tconX, password specified.
+ @param output_cli A fully initialised cli structure, non-null only on success
+ @param dest_host The netbios name of the remote host
+ @param dest_ip (optional) The the destination IP, NULL for name based lookup
+ @param port (optional) The destination port (0 for default)
+ @param service (optional) The share to make the connection to. Should be 'unqualified' in any way.
+ @param service_type The 'type' of serivice.
+ @param user Username, unix string
+ @param domain User's domain
+ @param password User's password, unencrypted unix string.
+ @param retry BOOL. Did this connection fail with a retryable error ?
+*/
+
+NTSTATUS cli_full_connection(struct cli_state **output_cli,
+ const char *my_name,
+ const char *dest_host,
+ struct in_addr *dest_ip, int port,
+ const char *service, const char *service_type,
+ const char *user, const char *domain,
+ const char *password, int flags,
+ int signing_state,
+ BOOL *retry)
+{
+ struct ntuser_creds creds;
+ NTSTATUS nt_status;
+ struct cli_state *cli = NULL;
+
+ nt_status = cli_start_connection(&cli, my_name, dest_host,
+ dest_ip, port, signing_state, flags, retry);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
if (!cli_session_setup(cli, user, password, strlen(password)+1,
password, strlen(password)+1,
domain)) {
return True;
}
+
+
+
+
+
+/****************************************************************************
+ Send an old style tcon.
+****************************************************************************/
+NTSTATUS cli_raw_tcon(struct cli_state *cli,
+ const char *service, const char *pass, const char *dev,
+ uint16 *max_xmit, uint16 *tid)
+{
+ char *p;
+
+ if (!lp_client_plaintext_auth() && (*pass)) {
+ DEBUG(1, ("Server requested plaintext password but 'client use plaintext auth'"
+ " is disabled\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ memset(cli->outbuf,'\0',smb_size);
+ memset(cli->inbuf,'\0',smb_size);
+
+ set_message(cli->outbuf, 0, 0, True);
+ SCVAL(cli->outbuf,smb_com,SMBtcon);
+ cli_setup_packet(cli);
+
+ p = smb_buf(cli->outbuf);
+ *p++ = 4; p += clistr_push(cli, p, service, -1, STR_TERMINATE | STR_NOALIGN);
+ *p++ = 4; p += clistr_push(cli, p, pass, -1, STR_TERMINATE | STR_NOALIGN);
+ *p++ = 4; p += clistr_push(cli, p, dev, -1, STR_TERMINATE | STR_NOALIGN);
+
+ cli_setup_bcc(cli, p);
+
+ cli_send_smb(cli);
+ if (!cli_receive_smb(cli)) {
+ return NT_STATUS_UNEXPECTED_NETWORK_ERROR;
+ }
+
+ if (cli_is_error(cli)) {
+ return cli_nt_error(cli);
+ }
+
+ *max_xmit = SVAL(cli->inbuf, smb_vwv0);
+ *tid = SVAL(cli->inbuf, smb_vwv1);
+
+ return NT_STATUS_OK;
+}
+
+/* Return a cli_state pointing at the IPC$ share for the given server */
+
+struct cli_state *get_ipc_connect(char *server, struct in_addr *server_ip,
+ struct user_auth_info *user_info)
+{
+ struct cli_state *cli;
+ pstring myname;
+ NTSTATUS nt_status;
+
+ get_myname(myname);
+
+ nt_status = cli_full_connection(&cli, myname, server, server_ip, 0, "IPC$", "IPC",
+ user_info->username, lp_workgroup(), user_info->password,
+ CLI_FULL_CONNECTION_ANNONYMOUS_FALLBACK, Undefined, NULL);
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ return cli;
+ } else if (is_ipaddress(server)) {
+ /* windows 9* needs a correct NMB name for connections */
+ fstring remote_name;
+
+ if (name_status_find("*", 0, 0, *server_ip, remote_name)) {
+ cli = get_ipc_connect(remote_name, server_ip, user_info);
+ if (cli)
+ return cli;
+ }
+ }
+ return NULL;
+}
+
+/*
+ * Given the IP address of a master browser on the network, return its
+ * workgroup and connect to it.
+ *
+ * This function is provided to allow additional processing beyond what
+ * get_ipc_connect_master_ip_bcast() does, e.g. to retrieve the list of master
+ * browsers and obtain each master browsers' list of domains (in case the
+ * first master browser is recently on the network and has not yet
+ * synchronized with other master browsers and therefore does not yet have the
+ * entire network browse list)
+ */
+
+struct cli_state *get_ipc_connect_master_ip(struct ip_service * mb_ip, pstring workgroup, struct user_auth_info *user_info)
+{
+ static fstring name;
+ struct cli_state *cli;
+ struct in_addr server_ip;
+
+ DEBUG(99, ("Looking up name of master browser %s\n",
+ inet_ntoa(mb_ip->ip)));
+
+ /*
+ * Do a name status query to find out the name of the master browser.
+ * We use <01><02>__MSBROWSE__<02>#01 if *#00 fails because a domain
+ * master browser will not respond to a wildcard query (or, at least,
+ * an NT4 server acting as the domain master browser will not).
+ *
+ * We might be able to use ONLY the query on MSBROWSE, but that's not
+ * yet been tested with all Windows versions, so until it is, leave
+ * the original wildcard query as the first choice and fall back to
+ * MSBROWSE if the wildcard query fails.
+ */
+ if (!name_status_find("*", 0, 0x1d, mb_ip->ip, name) &&
+ !name_status_find(MSBROWSE, 1, 0x1d, mb_ip->ip, name)) {
+
+ DEBUG(99, ("Could not retrieve name status for %s\n",
+ inet_ntoa(mb_ip->ip)));
+ return NULL;
+ }
+
+ if (!find_master_ip(name, &server_ip)) {
+ DEBUG(99, ("Could not find master ip for %s\n", name));
+ return NULL;
+ }
+
+ pstrcpy(workgroup, name);
+
+ DEBUG(4, ("found master browser %s, %s\n",
+ name, inet_ntoa(mb_ip->ip)));
+
+ cli = get_ipc_connect(inet_ntoa(server_ip), &server_ip, user_info);
+
+ return cli;
+
+}
+
+/*
+ * Return the IP address and workgroup of a master browser on the network, and
+ * connect to it.
+ */
+
+struct cli_state *get_ipc_connect_master_ip_bcast(pstring workgroup, struct user_auth_info *user_info)
+{
+ struct ip_service *ip_list;
+ struct cli_state *cli;
+ int i, count;
+
+ DEBUG(99, ("Do broadcast lookup for workgroups on local network\n"));
+
+ /* Go looking for workgroups by broadcasting on the local network */
+
+ if (!name_resolve_bcast(MSBROWSE, 1, &ip_list, &count)) {
+ DEBUG(99, ("No master browsers responded\n"));
+ return False;
+ }
+
+ for (i = 0; i < count; i++) {
+ DEBUG(99, ("Found master browser %s\n", inet_ntoa(ip_list[i].ip)));
+
+ cli = get_ipc_connect_master_ip(&ip_list[i], workgroup, user_info);
+ if (cli)
+ return(cli);
+ }
+
+ return NULL;
+}