#include "../libcli/auth/spnego.h"
#include "serverid.h"
#include "auth.h"
-#include "ntlmssp_wrap.h"
#include "messages.h"
#include "smbprofile.h"
#include "auth/gensec/gensec.h"
#ifdef DEVELOPER
size_t slen;
#endif
- const char *OIDs_krb5[] = {OID_KERBEROS5,
- OID_KERBEROS5_OLD,
- OID_NTLMSSP,
- NULL};
- const char *OIDs_ntlm[] = {OID_NTLMSSP, NULL};
- struct auth_generic_state *auth_ntlmssp_state;
-
- sconn->use_gensec_hook = false;
-
- /* See if we can get an SPNEGO blob out of the gensec hook (if auth_samba4 is loaded) */
- status = auth_generic_prepare(sconn->remote_address,
- &auth_ntlmssp_state);
+ struct gensec_security *gensec_security;
+
+ /* See if we can get an SPNEGO blob */
+ status = auth_generic_prepare(talloc_tos(),
+ sconn->remote_address,
+ &gensec_security);
if (NT_STATUS_IS_OK(status)) {
- status = auth_generic_start(auth_ntlmssp_state, GENSEC_OID_SPNEGO);
+ status = gensec_start_mech_by_oid(gensec_security, GENSEC_OID_SPNEGO);
if (NT_STATUS_IS_OK(status)) {
- status = gensec_update(auth_ntlmssp_state->gensec_security, ctx,
+ status = gensec_update(gensec_security, ctx,
NULL, data_blob_null, &blob);
/* If we get the list of OIDs, the 'OK' answer
* is NT_STATUS_MORE_PROCESSING_REQUIRED */
- if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- sconn->use_gensec_hook = true;
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ DEBUG(0, ("Failed to start SPNEGO handler for negprot OID list!\n"));
+ blob = data_blob_null;
}
}
- TALLOC_FREE(auth_ntlmssp_state);
+ TALLOC_FREE(gensec_security);
}
sconn->smb1.negprot.spnego = true;
*/
- if (sconn->use_gensec_hook) {
- /* blob initialised above */
- } else if (lp_security() != SEC_ADS && !USE_KERBEROS_KEYTAB) {
-#if 0
- /* Code for PocketPC client */
- blob = data_blob(guid, 16);
-#else
- /* Code for standalone WXP client */
- blob = spnego_gen_negTokenInit(ctx, OIDs_ntlm, NULL, "NONE");
-#endif
- } else if (!lp_send_spnego_principal()) {
- /* By default, Windows 2008 and later sends not_defined_in_RFC4178@please_ignore */
- blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, ADS_IGNORE_PRINCIPAL);
- } else {
- fstring myname;
- char *host_princ_s = NULL;
- name_to_fqdn(myname, lp_netbios_name());
- strlower_m(myname);
- if (asprintf(&host_princ_s, "cifs/%s@%s", myname, lp_realm())
- == -1) {
- return data_blob_null;
- }
- blob = spnego_gen_negTokenInit(ctx, OIDs_krb5, NULL, host_princ_s);
- SAFE_FREE(host_princ_s);
- }
-
if (blob.length == 0 || blob.data == NULL) {
return data_blob_null;
}
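Review bot: When `auth_generic_prepare` or `gensec_start_mech_by_oid` fails, the new code between the `struct gensec_security *gensec_security;` declaration and `TALLOC_FREE(gensec_security);` leaves `blob` untouched and logs nothing, so with the non-gensec fallbacks (`spnego_gen_negTokenInit` over `OIDs_ntlm`/`OIDs_krb5`) now removed, the only remaining way to build the negprot SPNEGO token can fail silently. Unless `blob` is initialised to `data_blob_null` at its declaration, which lies outside this hunk, the `blob.length == 0 || blob.data == NULL` check then reads an indeterminate value, so that declaration is worth confirming. The DEBUG(0) added for the `gensec_update` case should be mirrored on the other two branches so a missing or misconfigured gensec backend is diagnosable, e.g. `DEBUG(0, ("Failed to prepare gensec for negprot: %s\n", nt_errstr(status)));` in the `auth_generic_prepare` failure path and the equivalent after `gensec_start_mech_by_oid`. The enclosing negprot_spnego function begins before this hunk.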
supports it and we can do encrypted passwords */
if (sconn->smb1.negprot.encrypted_passwords &&
- (lp_security() != SEC_SHARE) &&
lp_use_spnego() &&
(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
negotiate_spnego = True;
/* Check for protocols, most desirable first */
for (protocol = 0; supported_protocols[protocol].proto_name; protocol++) {
i = 0;
- if ((supported_protocols[protocol].protocol_level <= lp_maxprotocol()) &&
- (supported_protocols[protocol].protocol_level >= lp_minprotocol()))
+ if ((supported_protocols[protocol].protocol_level <= lp_srv_maxprotocol()) &&
+ (supported_protocols[protocol].protocol_level >= lp_srv_minprotocol()))
while (i < num_cliprotos) {
if (strequal(cliprotos[i],supported_protocols[protocol].proto_name))
choice = i;