#include "includes.h"
#include "libsmb/libsmb.h"
+#include "libsmb/namequery.h"
#include "auth_info.h"
#include "../libcli/auth/libcli_auth.h"
#include "../libcli/auth/spnego.h"
#include "../libcli/smb/smb_seal.h"
#include "lib/param/param.h"
#include "../libcli/smb/smb2_negotiate_context.h"
+#include "libads/krb5_errs.h"
#define STAR_SMBSERVER "*SMBSERVER"
auth_requested = cli_credentials_authentication_requested(creds);
if (auth_requested) {
+ errno = 0;
user_principal = cli_credentials_get_principal(creds, frame);
- if (user_principal == NULL) {
+ if (errno != 0) {
TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
try_kerberos = true;
}
+ if (user_principal == NULL) {
+ try_kerberos = false;
+ }
+
if (target_hostname == NULL) {
try_kerberos = false;
} else if (is_ipaddress(target_hostname)) {
0 /* no time correction for now */,
NULL);
if (ret != 0) {
- int dbglvl = DBGLVL_WARNING;
+ int dbglvl = DBGLVL_NOTICE;
if (krb5_state == CRED_MUST_USE_KERBEROS) {
dbglvl = DBGLVL_ERR;
cli_session_setup_gensec_local_next(req);
}
+static void cli_session_dump_keys(TALLOC_CTX *mem_ctx,
+ struct smbXcli_session *session,
+ DATA_BLOB session_key)
+{
+ NTSTATUS status;
+ DATA_BLOB sig = data_blob_null;
+ DATA_BLOB app = data_blob_null;
+ DATA_BLOB enc = data_blob_null;
+ DATA_BLOB dec = data_blob_null;
+ uint64_t sid = smb2cli_session_current_id(session);
+
+ status = smb2cli_session_signing_key(session, mem_ctx, &sig);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+ status = smbXcli_session_application_key(session, mem_ctx, &app);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+ status = smb2cli_session_encryption_key(session, mem_ctx, &enc);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+ status = smb2cli_session_decryption_key(session, mem_ctx, &dec);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ DEBUG(0, ("debug encryption: dumping generated session keys\n"));
+ DEBUGADD(0, ("Session Id "));
+ dump_data(0, (uint8_t*)&sid, sizeof(sid));
+ DEBUGADD(0, ("Session Key "));
+ dump_data(0, session_key.data, session_key.length);
+ DEBUGADD(0, ("Signing Key "));
+ dump_data(0, sig.data, sig.length);
+ DEBUGADD(0, ("App Key "));
+ dump_data(0, app.data, app.length);
+
+ /* In client code, ServerIn is the encryption key */
+
+ DEBUGADD(0, ("ServerIn Key "));
+ dump_data(0, enc.data, enc.length);
+ DEBUGADD(0, ("ServerOut Key "));
+ dump_data(0, dec.data, dec.length);
+
+out:
+ data_blob_clear_free(&sig);
+ data_blob_clear_free(&app);
+ data_blob_clear_free(&enc);
+ data_blob_clear_free(&dec);
+}
+
static void cli_session_setup_gensec_ready(struct tevent_req *req)
{
struct cli_session_setup_gensec_state *state =
if (tevent_req_nterror(req, status)) {
return;
}
+ if (smbXcli_conn_protocol(state->cli->conn) >= PROTOCOL_SMB3_00
+ && lp_debug_encryption())
+ {
+ cli_session_dump_keys(state, session, state->session_key);
+ }
} else {
struct smbXcli_session *session = state->cli->smb1.session;
bool active;
status = cli_session_creds_prepare_krb5(cli, creds);
if (tevent_req_nterror(req, status)) {
- return tevent_req_post(req, ev);;
+ return tevent_req_post(req, ev);
}
subreq = cli_session_setup_gensec_send(state, ev, cli, creds,
}
struct cli_connect_sock_state {
+ struct sockaddr_storage *addrs;
+ size_t num_addrs;
const char **called_names;
const char **calling_names;
int *called_types;
+ size_t chosen_index;
int fd;
uint16_t port;
};
{
struct tevent_req *req, *subreq;
struct cli_connect_sock_state *state;
- const char *prog;
struct sockaddr_storage *addrs;
- unsigned i, num_addrs;
+ size_t i;
NTSTATUS status;
req = tevent_req_create(mem_ctx, &state,
return NULL;
}
- prog = getenv("LIBSMB_PROG");
- if (prog != NULL) {
- state->fd = sock_exec(prog);
- if (state->fd == -1) {
- status = map_nt_error_from_unix(errno);
- tevent_req_nterror(req, status);
- } else {
- state->port = 0;
- tevent_req_done(req);
- }
- return tevent_req_post(req, ev);
- }
-
if ((pss == NULL) || is_zero_addr(pss)) {
/*
*/
status = resolve_name_list(state, host, name_type,
- &addrs, &num_addrs);
+ &state->addrs, &state->num_addrs);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
return tevent_req_post(req, ev);
}
} else {
- addrs = talloc_array(state, struct sockaddr_storage, 1);
- if (tevent_req_nomem(addrs, req)) {
+ state->addrs = talloc_array(state, struct sockaddr_storage, 1);
+ if (tevent_req_nomem(state->addrs, req)) {
return tevent_req_post(req, ev);
}
- addrs[0] = *pss;
- num_addrs = 1;
+ state->addrs[0] = *pss;
+ state->num_addrs = 1;
}
state->called_names = talloc_array(state, const char *, num_addrs);
if (tevent_req_nomem(state->calling_names, req)) {
return tevent_req_post(req, ev);
}
- for (i=0; i<num_addrs; i++) {
+ for (i=0; i<state->num_addrs; i++) {
state->called_names[i] = host;
state->called_types[i] = name_type;
state->calling_names[i] = myname;
}
subreq = smbsock_any_connect_send(
- state, ev, addrs, state->called_names, state->called_types,
- state->calling_names, NULL, num_addrs, port);
+ state, ev, state->addrs,
+ state->called_names, state->called_types, state->calling_names,
+ NULL, state->num_addrs, port);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
req, struct cli_connect_sock_state);
NTSTATUS status;
- status = smbsock_any_connect_recv(subreq, &state->fd, NULL,
+ status = smbsock_any_connect_recv(subreq, &state->fd,
+ &state->chosen_index,
&state->port);
TALLOC_FREE(subreq);
if (tevent_req_nterror(req, status)) {
}
static NTSTATUS cli_connect_sock_recv(struct tevent_req *req,
- int *pfd, uint16_t *pport)
+ int *pfd,
+ struct sockaddr_storage *pss,
+ uint16_t *pport)
{
struct cli_connect_sock_state *state = tevent_req_data(
req, struct cli_connect_sock_state);
return status;
}
*pfd = state->fd;
+ *pss = state->addrs[state->chosen_index];
*pport = state->port;
return NT_STATUS_OK;
}
state->max_protocol = MIN(state->max_protocol, PROTOCOL_NT1);
}
+ if (flags & CLI_FULL_CONNECTION_DISABLE_SMB1) {
+ state->min_protocol = MAX(state->max_protocol, PROTOCOL_SMB2_02);
+ state->max_protocol = MAX(state->max_protocol, PROTOCOL_LATEST);
+ }
+
subreq = cli_connect_nb_send(state, ev, dest_host, dest_ss, port,
0x20, my_name, signing_state, flags);
if (tevent_req_nomem(subreq, req)) {
flags |= CLI_FULL_CONNECTION_USE_KERBEROS;
}
+ flags |= CLI_FULL_CONNECTION_FORCE_SMB1;
+
nt_status = cli_full_connection(&cli, NULL, server, server_ss, 0, "IPC$", "IPC",
get_cmdline_auth_info_username(user_info),
lp_workgroup(),