From: Stefan Metzmacher Date: Wed, 20 Apr 2016 16:27:34 +0000 (+0200) Subject: auth/ntlmssp: do map to guest checking after the authentication X-Git-Tag: samba-4.2.12~11 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=30f511f9c6731c58cde5db22753c9a06b65dd3ee auth/ntlmssp: do map to guest checking after the authentication BUG: https://bugzilla.samba.org/show_bug.cgi?id=11847 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Reviewed-by: Günther Deschner (cherry picked from commit d667520568996471b55007a42b503edbabb1eee0) --- diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c index 6147b140fa5..f3c26c753a5 100644 --- a/auth/ntlmssp/gensec_ntlmssp_server.c +++ b/auth/ntlmssp/gensec_ntlmssp_server.c @@ -130,21 +130,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) ntlmssp_state->allow_lm_key = true; } - if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST) { - /* - * map to guest is not secure anyway, so - * try to make it work and don't try to - * negotiate new_spnego and MIC checking - */ - ntlmssp_state->force_old_spnego = true; - } - - if (role == ROLE_ACTIVE_DIRECTORY_DC) { - /* - * map to guest is not supported on an AD DC. - */ - ntlmssp_state->force_old_spnego = false; - } + ntlmssp_state->force_old_spnego = false; ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION; diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c index 954964196d1..3f13ccb99d5 100644 --- a/auth/ntlmssp/ntlmssp_server.c +++ b/auth/ntlmssp/ntlmssp_server.c @@ -31,6 +31,9 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_internal.h" #include "auth/common_auth.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "libcli/security/session.h" /** * Determine correct target name flags for reply, given server role @@ -698,6 +701,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state; struct auth4_context *auth_context = gensec_security->auth_context; NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; + struct auth_session_info *session_info = NULL; struct auth_usersupplied_info *user_info; user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info); @@ -734,6 +738,42 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec NT_STATUS_NOT_OK_RETURN(nt_status); + if (lpcfg_map_to_guest(gensec_security->settings->lp_ctx) != NEVER_MAP_TO_GUEST + && auth_context->generate_session_info != NULL) + { + NTSTATUS tmp_status; + + /* + * We need to check if the auth is anonymous or mapped to guest + */ + tmp_status = auth_context->generate_session_info(auth_context, mem_ctx, + gensec_ntlmssp->server_returned_info, + gensec_ntlmssp->ntlmssp_state->user, + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, + &session_info); + if (!NT_STATUS_IS_OK(tmp_status)) { + /* + * We don't care about failures, + * the worst result is that we try MIC checking + * for a map to guest authentication. + */ + TALLOC_FREE(session_info); + } + } + + if (session_info != NULL) { + if (security_session_user_level(session_info, NULL) < SECURITY_USER) { + /* + * Anonymous and GUEST are not secure anyway. + * avoid new_spnego and MIC checking. + */ + ntlmssp_state->new_spnego = false; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SIGN; + ntlmssp_state->neg_flags &= ~NTLMSSP_NEGOTIATE_SEAL; + } + TALLOC_FREE(session_info); + } + talloc_steal(mem_ctx, user_session_key->data); talloc_steal(mem_ctx, lm_session_key->data);