static void reply_nt1(struct smb_request *req, uint16 choice)
{
/* dual names + lock_and_read + nt SMBs + remote API calls */
int capabilities = CAP_NT_FIND|CAP_LOCK_AND_READ|
CAP_LEVEL_II_OPLOCKS;
int secword=0;
bool negotiate_spnego = False;
struct timespec ts;
ssize_t ret;
struct smbd_server_connection *sconn = req->sconn;
bool signing_enabled = false;
bool signing_required = false;
sconn->smb1.negprot.encrypted_passwords = lp_encrypt_passwords();
/* Check the flags field to see if this is Vista.
WinXP sets it and Vista does not. But we have to
distinguish from NT which doesn't set it either. */
if ( (req->flags2 & FLAGS2_EXTENDED_SECURITY) &&
((req->flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED) == 0) )
{
if (get_remote_arch() != RA_SAMBA) {
set_remote_arch( RA_VISTA );
}
}
reply_outbuf(req,17,0);
/* do spnego in user level security if the client
supports it and we can do encrypted passwords */
if (sconn->smb1.negprot.encrypted_passwords &&
lp_use_spnego() &&
(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
negotiate_spnego = True;
capabilities |= CAP_EXTENDED_SECURITY;
add_to_common_flags2(FLAGS2_EXTENDED_SECURITY);
/* Ensure FLAGS2_EXTENDED_SECURITY gets set in this reply
(already partially constructed. */
SSVAL(req->outbuf, smb_flg2,
req->flags2 | FLAGS2_EXTENDED_SECURITY);
}
capabilities |= CAP_NT_SMBS|CAP_RPC_REMOTE_APIS;
if (lp_unicode()) {
capabilities |= CAP_UNICODE;
}
if (lp_unix_extensions()) {
capabilities |= CAP_UNIX;
}
if (lp_large_readwrite())
capabilities |= CAP_LARGE_READX|CAP_LARGE_WRITEX|CAP_W2K_SMBS;
capabilities |= CAP_LARGE_FILES;
if (!lp_async_smb_echo_handler() && lp_read_raw() && lp_write_raw())
capabilities |= CAP_RAW_MODE;
if (lp_nt_status_support())
capabilities |= CAP_STATUS32;
if (lp_host_msdfs())
capabilities |= CAP_DFS;
secword |= NEGOTIATE_SECURITY_USER_LEVEL;
if (sconn->smb1.negprot.encrypted_passwords) {
secword |= NEGOTIATE_SECURITY_CHALLENGE_RESPONSE;
}
signing_enabled = smb_signing_is_allowed(req->sconn->smb1.signing_state);
signing_required = smb_signing_is_mandatory(req->sconn->smb1.signing_state);
if (signing_enabled) {
secword |= NEGOTIATE_SECURITY_SIGNATURES_ENABLED;
/* No raw mode with smb signing. */
capabilities &= ~CAP_RAW_MODE;
if (signing_required) {
secword |=NEGOTIATE_SECURITY_SIGNATURES_REQUIRED;
}
}
SSVAL(req->outbuf,smb_vwv0,choice);
SCVAL(req->outbuf,smb_vwv1,secword);
smbXsrv_connection_init_tables(req->sconn->conn, PROTOCOL_NT1);
SSVAL(req->outbuf,smb_vwv1+1, lp_max_mux()); /* maxmpx */
SSVAL(req->outbuf,smb_vwv2+1, 1); /* num vcs */
SIVAL(req->outbuf,smb_vwv3+1,
sconn->smb1.negprot.max_recv); /* max buffer. LOTS! */
SIVAL(req->outbuf,smb_vwv5+1, 0x10000); /* raw size. full 64k */
SIVAL(req->outbuf,smb_vwv7+1, getpid()); /* session key */
SIVAL(req->outbuf,smb_vwv9+1, capabilities); /* capabilities */
clock_gettime(CLOCK_REALTIME,&ts);
put_long_date_timespec(TIMESTAMP_SET_NT_OR_BETTER,(char *)req->outbuf+smb_vwv11+1,ts);
SSVALS(req->outbuf,smb_vwv15+1,set_server_zone_offset(ts.tv_sec)/60);
if (!negotiate_spnego) {
/* Create a token value and add it to the outgoing packet. */
if (sconn->smb1.negprot.encrypted_passwords) {
uint8 chal[8];
/* note that we do not send a challenge at all if
we are using plaintext */
get_challenge(sconn, chal);
ret = message_push_blob(
&req->outbuf, data_blob_const(chal, sizeof(chal)));
if (ret == -1) {
DEBUG(0, ("Could not push challenge\n"));
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
SCVAL(req->outbuf, smb_vwv16+1, ret);
}
ret = message_push_string(&req->outbuf, lp_workgroup(),
STR_UNICODE|STR_TERMINATE
|STR_NOALIGN);
if (ret == -1) {
DEBUG(0, ("Could not push workgroup string\n"));
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
ret = message_push_string(&req->outbuf, lp_netbios_name(),
STR_UNICODE|STR_TERMINATE
|STR_NOALIGN);
if (ret == -1) {
DEBUG(0, ("Could not push netbios name string\n"));
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
DEBUG(3,("not using SPNEGO\n"));
} else {
DATA_BLOB spnego_blob = negprot_spnego(req, req->sconn);
if (spnego_blob.data == NULL) {
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
ret = message_push_blob(&req->outbuf, spnego_blob);
if (ret == -1) {
DEBUG(0, ("Could not push spnego blob\n"));
reply_nterror(req, NT_STATUS_NO_MEMORY);
return;
}
data_blob_free(&spnego_blob);
SCVAL(req->outbuf,smb_vwv16+1, 0);
DEBUG(3,("using SPNEGO\n"));
}
return;
}
struct cli_state *cli_state_create(TALLOC_CTX *mem_ctx,
int fd,
const char *remote_name,
const char *remote_realm,
int signing_state, int flags)
{
struct cli_state *cli = NULL;
bool use_spnego = lp_client_use_spnego();
bool force_dos_errors = false;
bool force_ascii = false;
bool use_level_II_oplocks = false;
uint32_t smb1_capabilities = 0;
uint32_t smb2_capabilities = 0;
struct GUID client_guid = GUID_random();
/* Check the effective uid - make sure we are not setuid */
if (is_setuid_root()) {
DEBUG(0,("libsmb based programs must *NOT* be setuid root.\n"));
return NULL;
}
cli = talloc_zero(mem_ctx, struct cli_state);
if (!cli) {
return NULL;
}
cli->server_domain = talloc_strdup(cli, "");
if (!cli->server_domain) {
goto error;
}
cli->server_os = talloc_strdup(cli, "");
if (!cli->server_os) {
goto error;
}
cli->server_type = talloc_strdup(cli, "");
if (!cli->server_type) {
goto error;
}
cli->dfs_mountpoint = talloc_strdup(cli, "");
if (!cli->dfs_mountpoint) {
goto error;
}
cli->raw_status = NT_STATUS_INTERNAL_ERROR;
cli->map_dos_errors = true; /* remove this */
cli->timeout = CLIENT_TIMEOUT;
cli->case_sensitive = false;
/* Set the CLI_FORCE_DOSERR environment variable to test
client routines using DOS errors instead of STATUS32
ones. This intended only as a temporary hack. */
if (getenv("CLI_FORCE_DOSERR")) {
force_dos_errors = true;
}
if (flags & CLI_FULL_CONNECTION_FORCE_DOS_ERRORS) {
force_dos_errors = true;
}
if (getenv("CLI_FORCE_ASCII")) {
force_ascii = true;
}
if (!lp_unicode()) {
force_ascii = true;
}
if (flags & CLI_FULL_CONNECTION_FORCE_ASCII) {
force_ascii = true;
}
if (flags & CLI_FULL_CONNECTION_DONT_SPNEGO) {
use_spnego = false;
} else if (flags & CLI_FULL_CONNECTION_USE_KERBEROS) {
cli->use_kerberos = true;
}
if ((flags & CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS) &&
cli->use_kerberos) {
cli->fallback_after_kerberos = true;
}
if (flags & CLI_FULL_CONNECTION_USE_CCACHE) {
cli->use_ccache = true;
}
if (flags & CLI_FULL_CONNECTION_USE_NT_HASH) {
cli->pw_nt_hash = true;
}
if (flags & CLI_FULL_CONNECTION_OPLOCKS) {
cli->use_oplocks = true;
}
if (flags & CLI_FULL_CONNECTION_LEVEL_II_OPLOCKS) {
use_level_II_oplocks = true;
}
if (signing_state == SMB_SIGNING_DEFAULT) {
signing_state = lp_client_signing();
}
smb1_capabilities = 0;
smb1_capabilities |= CAP_LARGE_FILES;
smb1_capabilities |= CAP_NT_SMBS | CAP_RPC_REMOTE_APIS;
smb1_capabilities |= CAP_LOCK_AND_READ | CAP_NT_FIND;
smb1_capabilities |= CAP_DFS | CAP_W2K_SMBS;
smb1_capabilities |= CAP_LARGE_READX|CAP_LARGE_WRITEX;
smb1_capabilities |= CAP_LWIO;
if (!force_dos_errors) {
smb1_capabilities |= CAP_STATUS32;
}
if (!force_ascii) {
smb1_capabilities |= CAP_UNICODE;
}
if (use_spnego) {
smb1_capabilities |= CAP_EXTENDED_SECURITY;
}
if (use_level_II_oplocks) {
smb1_capabilities |= CAP_LEVEL_II_OPLOCKS;
}
smb2_capabilities = SMB2_CAP_ALL;
if (remote_realm) {
cli->remote_realm = talloc_strdup(cli, remote_realm);
if (cli->remote_realm == NULL) {
goto error;
}
}
cli->conn = smbXcli_conn_create(cli, fd, remote_name,
signing_state,
smb1_capabilities,
&client_guid,
smb2_capabilities);
if (cli->conn == NULL) {
goto error;
}
cli->smb1.pid = (uint16_t)getpid();
cli->smb1.vc_num = cli->smb1.pid;
cli->smb1.tcon = smbXcli_tcon_create(cli);
if (cli->smb1.tcon == NULL) {
goto error;
}
smb1cli_tcon_set_id(cli->smb1.tcon, UINT16_MAX);
cli->smb1.session = smbXcli_session_create(cli, cli->conn);
if (cli->smb1.session == NULL) {
goto error;
}
cli->initialised = 1;
return cli;
/* Clean up after malloc() error */
error:
TALLOC_FREE(cli);
return NULL;
}