static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session, struct smbd_smb2_request *smb2req, uint8_t in_security_mode, DATA_BLOB in_security_buffer, uint16_t *out_session_flags, DATA_BLOB *out_security_buffer, uint64_t *out_session_id) { NTSTATUS status; if (session->auth_ntlmssp_state == NULL) { status = auth_ntlmssp_prepare(session->sconn->remote_address, &session->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); return status; } auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY); if (session->sconn->use_gensec_hook) { status = auth_generic_start(session->auth_ntlmssp_state, GENSEC_OID_SPNEGO); } else { status = auth_ntlmssp_start(session->auth_ntlmssp_state); } if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); return status; } } /* RAW NTLMSSP */ status = auth_ntlmssp_update(session->auth_ntlmssp_state, smb2req, in_security_buffer, out_security_buffer); if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { *out_session_id = session->vuid; return status; } status = auth_ntlmssp_session_info(session, session->auth_ntlmssp_state, &session->session_info); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session->auth_ntlmssp_state); TALLOC_FREE(session); return status; } *out_session_id = session->vuid; return smbd_smb2_common_ntlmssp_auth_return(session, smb2req, in_security_mode, in_security_buffer, out_session_flags, out_session_id); }
static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session, struct smbd_smb2_request *smb2req, uint8_t in_security_mode, DATA_BLOB in_security_buffer, uint16_t *out_session_flags, DATA_BLOB *out_security_buffer, uint64_t *out_session_id) { NTSTATUS status; DATA_BLOB secblob_out = data_blob_null; *out_security_buffer = data_blob_null; if (session->auth_ntlmssp_state == NULL) { status = auth_ntlmssp_start(&session->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); return status; } } /* RAW NTLMSSP */ status = auth_ntlmssp_update(session->auth_ntlmssp_state, in_security_buffer, &secblob_out); if (NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { *out_security_buffer = data_blob_talloc(smb2req, secblob_out.data, secblob_out.length); if (secblob_out.data && out_security_buffer->data == NULL) { TALLOC_FREE(session->auth_ntlmssp_state); TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } } if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { *out_session_id = session->vuid; return status; } status = setup_ntlmssp_session_info(session, status); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session->auth_ntlmssp_state); TALLOC_FREE(session); return status; } *out_session_id = session->vuid; return smbd_smb2_common_ntlmssp_auth_return(session, smb2req, in_security_mode, in_security_buffer, out_session_flags, out_session_id); }
static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session, struct smbd_smb2_request *smb2req, uint8_t in_security_mode, DATA_BLOB in_security_buffer, uint16_t *out_session_flags, DATA_BLOB *out_security_buffer, uint64_t *out_session_id) { DATA_BLOB auth = data_blob_null; DATA_BLOB auth_out = data_blob_null; NTSTATUS status; if (!spnego_parse_auth(talloc_tos(), in_security_buffer, &auth)) { TALLOC_FREE(session); return NT_STATUS_LOGON_FAILURE; } if (auth.data[0] == ASN1_APPLICATION(0)) { /* Might be a second negTokenTarg packet */ DATA_BLOB secblob_in = data_blob_null; char *kerb_mech = NULL; status = parse_spnego_mechanisms(talloc_tos(), in_security_buffer, &secblob_in, &kerb_mech); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); return status; } #ifdef HAVE_KRB5 if (kerb_mech && ((lp_security()==SEC_ADS) || USE_KERBEROS_KEYTAB) ) { status = smbd_smb2_session_setup_krb5(session, smb2req, in_security_mode, &secblob_in, kerb_mech, out_session_flags, out_security_buffer, out_session_id); data_blob_free(&secblob_in); TALLOC_FREE(kerb_mech); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session); } return status; } #endif /* Can't blunder into NTLMSSP auth if we have * a krb5 ticket. */ if (kerb_mech) { DEBUG(3,("smb2: network " "misconfiguration, client sent us a " "krb5 ticket and kerberos security " "not enabled\n")); TALLOC_FREE(session); data_blob_free(&secblob_in); TALLOC_FREE(kerb_mech); return NT_STATUS_LOGON_FAILURE; } data_blob_free(&secblob_in); } if (session->auth_ntlmssp_state == NULL) { status = auth_ntlmssp_prepare(session->sconn->remote_address, &session->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { data_blob_free(&auth); TALLOC_FREE(session); return status; } auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY); status = auth_ntlmssp_start(session->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { data_blob_free(&auth); TALLOC_FREE(session); return status; } } status = auth_ntlmssp_update(session->auth_ntlmssp_state, talloc_tos(), auth, &auth_out); /* If status is NT_STATUS_OK then we need to get the token. * Map to guest is now internal to auth_ntlmssp */ if (NT_STATUS_IS_OK(status)) { status = auth_ntlmssp_session_info(session, session->auth_ntlmssp_state, &session->session_info); } if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { TALLOC_FREE(session->auth_ntlmssp_state); data_blob_free(&auth); TALLOC_FREE(session); return status; } data_blob_free(&auth); *out_security_buffer = spnego_gen_auth_response(smb2req, &auth_out, status, NULL); if (out_security_buffer->data == NULL) { TALLOC_FREE(session->auth_ntlmssp_state); TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } *out_session_id = session->vuid; if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { return NT_STATUS_MORE_PROCESSING_REQUIRED; } /* We're done - claim the session. */ return smbd_smb2_common_ntlmssp_auth_return(session, smb2req, in_security_mode, in_security_buffer, out_session_flags, out_session_id); }