51 lines
1.7 KiB
Diff
51 lines
1.7 KiB
Diff
From 721e40dd379a85e153c31b294d1054eeb3718aa0 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Thu, 27 Oct 2016 10:40:28 +0200
|
|
Subject: [PATCH 255/266] CVE-2016-2124: s3:libsmb: don't fallback to non
|
|
|
|
Conflict: NA
|
|
Reference: https://git.samba.org/samba.git/?p=samba.git;a=patch;h=721e40dd379a85e153c31b294d1054eeb3718aa0
|
|
|
|
spnego authentication if we require kerberos
|
|
|
|
We should not send NTLM[v2] nor plaintext data on the wire if the user
|
|
asked for kerberos only.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
---
|
|
source3/libsmb/cliconnect.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
|
|
index 1fb1f0127b9..a79abfaf157 100644
|
|
--- a/source3/libsmb/cliconnect.c
|
|
+++ b/source3/libsmb/cliconnect.c
|
|
@@ -1443,6 +1443,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
|
|
uint32_t in_sess_key = 0;
|
|
const char *in_native_os = NULL;
|
|
const char *in_native_lm = NULL;
|
|
+ krb5_state =
|
|
+ cli_credentials_get_kerberos_state(creds);
|
|
NTSTATUS status;
|
|
|
|
req = tevent_req_create(mem_ctx, &state,
|
|
@@ -1484,6 +1486,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
|
|
return req;
|
|
}
|
|
|
|
+ if (krb5_state == CRED_MUST_USE_KERBEROS) {
|
|
+ DBG_WARNING("Kerberos authentication requested, but "
|
|
+ "the server does not support SPNEGO authentication\n");
|
|
+ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
|
|
+ return tevent_req_post(req, ev);
|
|
+ }
|
|
+
|
|
if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
|
|
/*
|
|
* SessionSetupAndX was introduced by LANMAN 1.0. So we skip
|
|
--
|
|
2.23.0
|
|
|