Merge from 3.0:
authorAndrew Bartlett <abartlet@samba.org>
Wed, 26 Nov 2003 00:07:55 +0000 (00:07 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 26 Nov 2003 00:07:55 +0000 (00:07 +0000)
 - NTLM2 fixes, don't force NTLM2
 - Don't use NTLM2 for RPC, it doesn't work yet
 - Add comments to winbindd_pam.c
 - Merge 64 bit fixes and better debug messages in winbindd.c

Andrew Bartlett
(This used to be commit ba94e4a1ab6dc3335bbb29686ca6795d0ffad5b0)

source3/libsmb/ntlmssp.c
source3/nsswitch/winbindd.c
source3/nsswitch/winbindd_pam.c
source3/rpc_client/cli_pipe.c

index a0da1efcc10965323d66cd4c094b180884af8117..d36119604710aff423bb4462427b27a0afeddf22 100644 (file)
@@ -774,8 +774,6 @@ static NTSTATUS ntlmssp_client_initial(struct ntlmssp_state *ntlmssp_state,
                ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
        }
 
-       ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
-       
        /* generate the ntlmssp negotiate packet */
        msrpc_gen(next_request, "CddAA",
                  "NTLMSSP",
@@ -812,6 +810,7 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
        DATA_BLOB nt_response = data_blob(NULL, 0);
        DATA_BLOB session_key = data_blob(NULL, 0);
        DATA_BLOB encrypted_session_key = data_blob(NULL, 0);
+       NTSTATUS nt_status;
 
        if (!msrpc_parse(&reply, "CdBd",
                         "NTLMSSP",
@@ -1002,6 +1001,11 @@ static NTSTATUS ntlmssp_client_challenge(struct ntlmssp_state *ntlmssp_state,
 
        ntlmssp_state->expected_state = NTLMSSP_UNKNOWN;
 
+       if (!NT_STATUS_IS_OK(nt_status = ntlmssp_sign_init(ntlmssp_state))) {
+               DEBUG(1, ("Could not setup NTLMSSP signing/sealing system (error was: %s)\n", nt_errstr(nt_status)));
+               return nt_status;
+       }
+
        return NT_STATUS_MORE_PROCESSING_REQUIRED;
 }
 
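Review bot: `ntlmssp_sign_init()` now runs on every client challenge in `ntlmssp_client_challenge`, whereas the call this commit removes from `create_rpc_bind_resp` ran only under `cli->pipe_auth_flags & AUTH_PIPE_SIGN`. If `ntlmssp_sign_init()` can fail when no session key was derived or when neither signing nor sealing was negotiated (its body is not shown here), a login that previously succeeded would now be rejected; that should be confirmed, or the call gated on the negotiated flags. Failing closed on a signing-setup error is the right behaviour, but it deserves a comment, for example `/* the session key is final here: set up sign/seal state for every NTLMSSP client, and fail the authentication if that is not possible */`. The function body starts outside this hunk, so whether the `DATA_BLOB` locals are already released before this new early return cannot be checked from here.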
index 4f161604b5d3bd01cf1fff65bfa22ad4684a1636..4b47ac13a2f3cbe3d149999ec636ba680078f57f 100644 (file)
@@ -452,7 +452,7 @@ void winbind_client_read(struct winbindd_cli_state *state)
                 (char *)&state->request, 
                 sizeof(state->request) - state->read_buf_len);
        
-       DEBUG(10,("client_read: read %d bytes. Need %d more for a full request.\n", n, sizeof(state->request) - n - state->read_buf_len ));
+       DEBUG(10,("client_read: read %d bytes. Need %ld more for a full request.\n", n, (unsigned long)(sizeof(state->request) - n - state->read_buf_len) ));
 
        /* Read failed, kill client */
        
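Review bot: The new format string pairs `%ld` with an argument cast to `(unsigned long)`, so the specifier and the argument disagree on signedness; `%lu` is the matching specifier, as the `process_loop` message already uses for the pid. The same mismatch is in the `process_loop` hunk below (`should be %ld` with `(unsigned long)sizeof(state->request)`), where `*(uint32 *) &state->request` is also printed with `%d` and would be better as `%u`. This DEBUG is emitted before the read-failure check that follows it, so on a failed read the "Need ... more" figure is presumably computed from a negative `n` and is misleading; moving the message below that check would avoid it.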
@@ -719,8 +719,8 @@ static void process_loop(void)
 
                                        if (state->read_buf_len >= sizeof(uint32)
                                            && *(uint32 *) &state->request != sizeof(state->request)) {
-                                               DEBUG(0,("process_loop: Invalid request size from pid %lu: %d bytes sent, should be %d\n",
-                                                               (unsigned long)state->request.pid, *(uint32 *) &state->request, sizeof(state->request)));
+                                               DEBUG(0,("process_loop: Invalid request size from pid %lu: %d bytes sent, should be %ld\n",
+                                                               (unsigned long)state->request.pid, *(uint32 *) &state->request, (unsigned long)sizeof(state->request)));
 
                                                remove_client(state);
                                                break;
index 993e7d68ff8ef2da178b3011da511bea479f6d48..99621057874b6ef522b726b68f8b4f4723f61499 100644 (file)
@@ -383,6 +383,8 @@ done:
        
        state->response.data.auth.nt_status = NT_STATUS_V(result);
        push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
+       
+       /* we might have given a more useful error above */
        if (!*state->response.data.auth.error_string) 
                push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
        state->response.data.auth.pam_error = nt_status_to_pam(result);
index 751777792028649c1c5659cbb32cd5e7b3e3a11d..49abf787eed590562fb7c150f49cc645d219401e 100644 (file)
@@ -822,14 +822,6 @@ static NTSTATUS create_rpc_bind_resp(struct cli_state *cli,
                return NT_STATUS_NO_MEMORY;
        }
 
-       if (cli->pipe_auth_flags & AUTH_PIPE_SIGN) {
-               nt_status = ntlmssp_sign_init(cli->ntlmssp_pipe_state);
-               
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       return nt_status;
-               }
-       }
-
        data_blob_free(&ntlmssp_reply);
        return NT_STATUS_OK;
 }
@@ -1336,6 +1328,10 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, int pipe_idx, const char *my_na
                if (!NT_STATUS_IS_OK(nt_status))
                        return False;
 
+               /* Currently the NTLMSSP code does not implement NTLM2 correctly for signing or sealing */
+
+               cli->ntlmssp_pipe_state->neg_flags &= ~NTLMSSP_NEGOTIATE_NTLM2;
+
                nt_status = ntlmssp_set_username(cli->ntlmssp_pipe_state, 
                                                 cli->user_name);
                if (!NT_STATUS_IS_OK(nt_status))
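Review bot: Clearing `NTLMSSP_NEGOTIATE_NTLM2` here is a silent, unconditional downgrade of session security for every NTLMSSP pipe bind, and nothing is logged when it happens. A line such as `DEBUG(5, ("rpc_pipe_bind: NTLM2 disabled for RPC pipe auth (sign/seal not yet supported)\n"));` next to it would let an operator see that the weaker negotiation is in use, and the comment should say what has to be fixed before the line can be removed. It is also worth checking that the flag stays cleared: `ntlmssp_client_initial` still ORs `NTLMSSP_NEGOTIATE_NTLM2` into `neg_flags` inside a conditional whose test is outside the visible hunk, which would undo this if it runs after the bind setup. `rpc_pipe_bind` starts and ends outside this hunk.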