- goto out;
- }
-
-#ifdef HAVE_KRB5
- if (kerb_mech && ((lp_security()==SEC_ADS) ||
- USE_KERBEROS_KEYTAB) ) {
- status = smbd_smb2_session_setup_krb5(session,
- smb2req,
- in_security_mode,
- &secblob_in,
- kerb_mech,
- out_session_flags,
- out_security_buffer,
- out_session_id);
-
- goto out;
- }
-#endif
-
- if (kerb_mech) {
- /* The mechtoken is a krb5 ticket, but
- * we need to fall back to NTLM. */
-
- DEBUG(3,("smb2: Got krb5 ticket in SPNEGO "
- "but set to downgrade to NTLMSSP\n"));
-
- status = NT_STATUS_MORE_PROCESSING_REQUIRED;
- } else {
- /* Fall back to NTLMSSP. */
- status = auth_ntlmssp_prepare(session->sconn->remote_address,
- &session->auth_ntlmssp_state);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
-
- auth_ntlmssp_want_feature(session->auth_ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
-
- status = auth_ntlmssp_start(session->auth_ntlmssp_state);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
-
- status = auth_ntlmssp_update(session->auth_ntlmssp_state,
- talloc_tos(),
- secblob_in,
- &chal_out);
- }
-
- if (!NT_STATUS_IS_OK(status) &&
- !NT_STATUS_EQUAL(status,
- NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- goto out;
- }
-
- *out_security_buffer = spnego_gen_auth_response(smb2req,
- &chal_out,
- status,
- OID_NTLMSSP);
- if (out_security_buffer->data == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto out;
- }
- *out_session_id = session->vuid;
-
- out:
-
- data_blob_free(&secblob_in);
- data_blob_free(&chal_out);
- TALLOC_FREE(kerb_mech);
- if (!NT_STATUS_IS_OK(status) &&
- !NT_STATUS_EQUAL(status,
- NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- TALLOC_FREE(session->auth_ntlmssp_state);