X-Git-Url: http://git.samba.org/samba.git/?p=nivanova%2Fsamba-autobuild%2F.git;a=blobdiff_plain;f=source3%2Flibsmb%2Fcliconnect.c;h=68a953c196af1a5b8ad5db902f36af79ed500fe9;hp=dc3f236609f04cb8c75a474850d56f0afc8b6094;hb=d096de56b16c50c7cc22df08895dc29567ee15d7;hpb=7d17bfcf51880c84a2f2173c941f2955d045f5c5 diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index dc3f236609f..68a953c196a 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -19,10 +19,14 @@ */ #include "includes.h" +#include "popt_common.h" #include "../libcli/auth/libcli_auth.h" #include "../libcli/auth/spnego.h" #include "smb_krb5.h" #include "../libcli/auth/ntlmssp.h" +#include "libads/kerberos_proto.h" +#include "krb5_env.h" +#include "async_smb.h" static const struct { int prot; @@ -857,7 +861,7 @@ static struct tevent_req *cli_session_setup_kerberos_send( * Ok, this is cheating: spnego_gen_krb5_negTokenInit can block if * we have to acquire a ticket. To be fixed later :-) */ - rc = spnego_gen_krb5_negTokenInit(principal, 0, &state->negTokenTarg, + rc = spnego_gen_krb5_negTokenInit(state, principal, 0, &state->negTokenTarg, &state->session_key_krb5, 0, NULL); if (rc) { DEBUG(1, ("cli_session_setup_kerberos: " @@ -1033,7 +1037,7 @@ static struct tevent_req *cli_session_setup_ntlmssp_send( goto fail; } - state->blob_out = spnego_gen_negTokenInit(OIDs_ntlm, &blob_out, NULL); + state->blob_out = spnego_gen_negTokenInit(state, OIDs_ntlm, &blob_out, NULL); data_blob_free(&blob_out); subreq = cli_sesssetup_blob_send(state, ev, cli, state->blob_out); @@ -1098,11 +1102,11 @@ static void cli_session_setup_ntlmssp_done(struct tevent_req *subreq) && NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { DATA_BLOB tmp_blob = data_blob_null; /* the server might give us back two challenges */ - parse_ret = spnego_parse_challenge(blob_in, &msg_in, + parse_ret = spnego_parse_challenge(state, blob_in, &msg_in, &tmp_blob); data_blob_free(&tmp_blob); } else { - parse_ret = spnego_parse_auth_response(blob_in, status, + parse_ret = spnego_parse_auth_response(state, blob_in, status, OID_NTLMSSP, &msg_in); } state->turn += 1; @@ -1128,7 +1132,7 @@ static void cli_session_setup_ntlmssp_done(struct tevent_req *subreq) return; } - state->blob_out = spnego_gen_auth(blob_out); + state->blob_out = spnego_gen_auth(state, blob_out); TALLOC_FREE(subreq); if (tevent_req_nomem(state->blob_out.data, req)) { return; @@ -1225,7 +1229,8 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, * negprot reply. It is WRONG to depend on the principal sent in the * negprot reply, but right now we do it. If we don't receive one, * we try to best guess, then fall back to NTLM. */ - if (!spnego_parse_negTokenInit(blob, OIDs, &principal, NULL)) { + if (!spnego_parse_negTokenInit(talloc_tos(), blob, OIDs, &principal, NULL) || + OIDs[0] == NULL) { data_blob_free(&blob); return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } @@ -1248,6 +1253,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, status = cli_set_username(cli, user); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(principal); return ADS_ERROR_NT(status); } @@ -1273,10 +1279,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, } } - /* If we get a bad principal, try to guess it if - we have a valid host NetBIOS name. + /* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us */ - if (strequal(principal, ADS_IGNORE_PRINCIPAL)) { + if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) { TALLOC_FREE(principal); } @@ -1285,23 +1290,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, !strequal(STAR_SMBSERVER, cli->desthost)) { char *realm = NULL; - char *machine = NULL; char *host = NULL; - DEBUG(3,("cli_session_setup_spnego: got a " - "bad server principal, trying to guess ...\n")); + DEBUG(3,("cli_session_setup_spnego: using target " + "hostname not SPNEGO principal\n")); host = strchr_m(cli->desthost, '.'); - if (host) { - /* We had a '.' in the name. */ - machine = SMB_STRNDUP(cli->desthost, - host - cli->desthost); - } else { - machine = SMB_STRDUP(cli->desthost); - } - if (machine == NULL) { - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - } - if (dest_realm) { realm = SMB_STRDUP(dest_realm); strupper_m(realm); @@ -1316,21 +1309,11 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, } if (realm && *realm) { - if (host) { - /* DNS name. */ - principal = talloc_asprintf(talloc_tos(), - "cifs/%s@%s", - cli->desthost, - realm); - } else { - /* NetBIOS name, use machine account. */ - principal = talloc_asprintf(talloc_tos(), - "%s$@%s", - machine, - realm); - } + principal = talloc_asprintf(talloc_tos(), + "cifs/%s@%s", + cli->desthost, + realm); if (!principal) { - SAFE_FREE(machine); SAFE_FREE(realm); return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } @@ -1338,7 +1321,6 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, "server principal=%s\n", principal ? principal : "")); } - SAFE_FREE(machine); SAFE_FREE(realm); } @@ -1417,15 +1399,15 @@ NTSTATUS cli_session_setup(struct cli_state *cli, if (cli->protocol < PROTOCOL_NT1) { if (!lp_client_lanman_auth() && passlen != 24 && (*pass)) { - DEBUG(1, ("Server requested LM password but 'client lanman auth'" - " is disabled\n")); + DEBUG(1, ("Server requested LM password but 'client lanman auth = no'" + " or 'client ntlmv2 auth = yes'\n")); return NT_STATUS_ACCESS_DENIED; } if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0 && !lp_client_plaintext_auth() && (*pass)) { - DEBUG(1, ("Server requested plaintext password but " - "'client plaintext auth' is disabled\n")); + DEBUG(1, ("Server requested LM password but 'client plaintext auth = no'" + " or 'client ntlmv2 auth = yes'\n")); return NT_STATUS_ACCESS_DENIED; } @@ -1451,8 +1433,8 @@ NTSTATUS cli_session_setup(struct cli_state *cli, if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { if (!lp_client_plaintext_auth() && (*pass)) { - DEBUG(1, ("Server requested plaintext password but " - "'client plaintext auth' is disabled\n")); + DEBUG(1, ("Server requested LM password but 'client plaintext auth = no'" + " or 'client ntlmv2 auth = yes'\n")); return NT_STATUS_ACCESS_DENIED; } return cli_session_setup_plaintext(cli, user, pass, workgroup); @@ -1493,7 +1475,7 @@ NTSTATUS cli_session_setup(struct cli_state *cli, struct cli_ulogoff_state { struct cli_state *cli; - uint16_t vwv[2]; + uint16_t vwv[3]; }; static void cli_ulogoff_done(struct tevent_req *subreq); @@ -1627,7 +1609,7 @@ struct tevent_req *cli_tcon_andx_create(TALLOC_CTX *mem_ctx, if (!lp_client_lanman_auth()) { DEBUG(1, ("Server requested LANMAN password " "(share-level security) but " - "'client lanman auth' is disabled\n")); + "'client lanman auth = no' or 'client ntlmv2 auth = yes'\n")); goto access_denied; } @@ -1643,8 +1625,8 @@ struct tevent_req *cli_tcon_andx_create(TALLOC_CTX *mem_ctx, == 0) { if (!lp_client_plaintext_auth() && (*pass)) { DEBUG(1, ("Server requested plaintext " - "password but 'client plaintext " - "auth' is disabled\n")); + "password but " + "'client lanman auth = no' or 'client ntlmv2 auth = yes'\n")); goto access_denied; } @@ -2130,6 +2112,11 @@ static void cli_negprot_done(struct tevent_req *subreq) SAFE_FREE(cli->inbuf); cli->outbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN); cli->inbuf = (char *)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN); + if (!cli->outbuf || !cli->inbuf) { + tevent_req_nterror(req, + NT_STATUS_NO_MEMORY); + return; + } cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE + LARGE_WRITEX_HDR_SIZE; } @@ -2142,8 +2129,8 @@ static void cli_negprot_done(struct tevent_req *subreq) cli->serverzone = SVALS(vwv + 10, 0); cli->serverzone *= 60; /* this time is converted to GMT by make_unix_date */ - cli->servertime = cli_make_unix_date( - cli, (char *)(vwv + 8)); + cli->servertime = make_unix_date( + (char *)(vwv + 8), cli->serverzone); cli->readbraw_supported = ((SVAL(vwv + 5, 0) & 0x1) != 0); cli->writebraw_supported = ((SVAL(vwv + 5, 0) & 0x2) != 0); cli->secblob = data_blob(bytes, num_bytes); @@ -2218,6 +2205,7 @@ bool cli_session_request(struct cli_state *cli, { char *p; int len = 4; + int namelen = 0; char *tmp; /* 445 doesn't have session request */ @@ -2236,8 +2224,11 @@ bool cli_session_request(struct cli_state *cli, } p = cli->outbuf+len; - memcpy(p, tmp, name_len(tmp)); - len += name_len(tmp); + namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp)); + if (namelen > 0) { + memcpy(p, tmp, namelen); + len += namelen; + } TALLOC_FREE(tmp); /* and my name */ @@ -2249,8 +2240,11 @@ bool cli_session_request(struct cli_state *cli, } p = cli->outbuf+len; - memcpy(p, tmp, name_len(tmp)); - len += name_len(tmp); + namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp)); + if (namelen > 0) { + memcpy(p, tmp, namelen); + len += namelen; + } TALLOC_FREE(tmp); /* send a session request (RFC 1002) */ @@ -2610,7 +2604,6 @@ again: @param user Username, unix string @param domain User's domain @param password User's password, unencrypted unix string. - @param retry bool. Did this connection fail with a retryable error ? */ NTSTATUS cli_full_connection(struct cli_state **output_cli, @@ -2620,8 +2613,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, const char *service, const char *service_type, const char *user, const char *domain, const char *password, int flags, - int signing_state, - bool *retry) + int signing_state) { NTSTATUS nt_status; struct cli_state *cli = NULL; @@ -2635,7 +2627,7 @@ NTSTATUS cli_full_connection(struct cli_state **output_cli, nt_status = cli_start_connection(&cli, my_name, dest_host, dest_ss, port, signing_state, - flags, retry); + flags, NULL); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; @@ -2816,7 +2808,7 @@ struct cli_state *get_ipc_connect(char *server, lp_workgroup(), user_info->password ? user_info->password : "", flags, - Undefined, NULL); + Undefined); if (NT_STATUS_IS_OK(nt_status)) { return cli;