auth/ntlmssp: do map to guest checking after the authentication
authorStefan Metzmacher <metze@samba.org>
Wed, 20 Apr 2016 16:27:34 +0000 (18:27 +0200)
committerKarolin Seeger <kseeger@samba.org>
Fri, 29 Apr 2016 10:06:26 +0000 (12:06 +0200)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit d667520568996471b55007a42b503edbabb1eee0)

auth/ntlmssp/gensec_ntlmssp_server.c
auth/ntlmssp/ntlmssp_server.c

index 6147b140fa5847c3cb11f558744e2615127c0bf5..f3c26c753a5381430d2ce261903ddd015edd1e47 100644 (file)
@@ -130,21 +130,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
                ntlmssp_state->allow_lm_key = true;
        }
 
-       if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) {
-               /*
-                * map to guest is not secure anyway, so
-                * try to make it work and don't try to
-                * negotiate new_spnego and MIC checking
-                */
-               ntlmssp_state->force_old_spnego = true;
-       }
-
-       if (role == ROLE_ACTIVE_DIRECTORY_DC) {
-               /*
-                * map to guest is not supported on an AD DC.
-                */
-               ntlmssp_state->force_old_spnego = false;
-       }
+       ntlmssp_state->force_old_spnego = false;
 
        ntlmssp_state->neg_flags =
                NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
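Review bot: The now-unconditional `ntlmssp_state->force_old_spnego = false;` in gensec_ntlmssp_server_start() has no comment, so a reader cannot tell where the `map to guest` handling went. The removed block switched off new_spnego and MIC negotiation for every client whenever map to guest was configured. It is worth recording that the decision is now made per session after authentication, e.g. `/* map to guest is evaluated per session in ntlmssp_server_check_password() */`. The function body starts and ends outside this hunk, so whether `role` is still used afterwards cannot be checked from here.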
index 954964196d17c56798e0bd31a70d868bf59fd8b0..3f13ccb99d5f68ee0110e1a2d9a60605cab1ce7c 100644 (file)
@@ -31,6 +31,9 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
+#include "param/param.h"
+#include "param/loadparm.h"
+#include "libcli/security/session.h"
 
 /**
  * Determine correct target name flags for reply, given server role
@@ -698,6 +701,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
        struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
        struct auth4_context *auth_context = gensec_security->auth_context;
        NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+       struct auth_session_info *session_info = NULL;
        struct auth_usersupplied_info *user_info;
 
        user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
@@ -734,6 +738,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec
 
        NT_STATUS_NOT_OK_RETURN(nt_status);
 
+       if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST
+           && auth_context->generate_session_info != NULL)
+       {
+               NTSTATUS tmp_status;
+
+               /*
+                * We need to check if the auth is anonymous or mapped to guest
+                */
+               tmp_status = auth_context->generate_session_info(auth_context, mem_ctx,
+                                                                gensec_ntlmssp->server_returned_info,
+                                                                gensec_ntlmssp->ntlmssp_state->user,
+                                                                AUTH_SESSION_INFO_SIMPLE_PRIVILEGES,
+                                                                &session_info);
+               if (!NT_STATUS_IS_OK(tmp_status)) {
+                       /*
+                        * We don't care about failures,
+                        * the worst result is that we try MIC checking
+                        * for a map to guest authentication.
+                        */
+                       TALLOC_FREE(session_info);
+               }
+       }
+
+       if (session_info != NULL) {
+               if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+                       /*
+                        * Anonymous and GUEST are not secure anyway.
+                        * avoid new_spnego and MIC checking.
+                        */
+                       ntlmssp_state->new_spnego = false;
+                       ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN;
+                       ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL;
+               }
+               TALLOC_FREE(session_info);
+       }
+
        talloc_steal(mem_ctx, user_session_key->data);
        talloc_steal(mem_ctx, lm_session_key->data);
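Review bot: The failure branch after `generate_session_info()` discards `tmp_status` without logging, so nothing records that the guest/anonymous check was skipped and MIC checking stayed on for what may be a mapped-to-guest logon. Ignoring the error keeps the stricter behaviour, which is the safe direction. A debug line such as `DEBUG(5, ("generate_session_info failed: %s\n", nt_errstr(tmp_status)));` before `TALLOC_FREE(session_info);` would still make the resulting guest logon failures diagnosable. The comment on the `< SECURITY_USER` branch could also say that `new_spnego`, `NTLMSSP_NEGOTIATE_SIGN` and `NTLMSSP_NEGOTIATE_SEAL` are cleared only for sessions below user level, so authenticated users keep signing, sealing and MIC protection. ntlmssp_server_check_password() begins and continues outside this hunk.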