From efb29227fa46e2c9420b3158ef7422aea4f5846e Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 21 May 2010 12:08:18 -0700
Subject: [PATCH] Make krb5 over SMB2 identical to the way we handle it in
 SMB1.

Jeremy.
---
 source3/smbd/smb2_sesssetup.c | 52 +++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)

diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index ed5818951dde..92e77a5ff2b8 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -516,7 +516,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 
 static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 					struct smbd_smb2_request *smb2req,
-					uint8_t in_security_flags,
+					uint8_t in_security_mode,
 					DATA_BLOB in_security_buffer,
 					uint16_t *out_session_flags,
 					DATA_BLOB *out_security_buffer,
@@ -542,7 +542,7 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
 				USE_KERBEROS_KEYTAB) ) {
 		status = smbd_smb2_session_setup_krb5(session,
 				smb2req,
-				in_security_flags,
+				in_security_mode,
 				&secblob_in,
 				kerb_mech,
 				out_session_flags,
@@ -706,6 +706,54 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
+	if (auth.data[0] == ASN1_APPLICATION(0)) {
+		/* Might be a second negTokenTarg packet */
+		DATA_BLOB secblob_in = data_blob_null;
+		char *kerb_mech = NULL;
+
+		status = parse_spnego_mechanisms(in_security_buffer,
+				&secblob_in, &kerb_mech);
+		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(session);
+			return status;
+		}
+
+#ifdef HAVE_KRB5
+		if (kerb_mech && ((lp_security()==SEC_ADS) ||
+					USE_KERBEROS_KEYTAB) ) {
+			status = smbd_smb2_session_setup_krb5(session,
+					smb2req,
+					in_security_mode,
+					&secblob_in,
+					kerb_mech,
+					out_session_flags,
+					out_security_buffer,
+					out_session_id);
+
+			data_blob_free(&secblob_in);
+			SAFE_FREE(kerb_mech);
+			if (!NT_STATUS_IS_OK(status)) {
+				TALLOC_FREE(session);
+			}
+			return status;
+		}
+#endif
+
+		/* Can't blunder into NTLMSSP auth if we have
+		 * a krb5 ticket. */
+
+		if (kerb_mech) {
+			DEBUG(3,("smb2: network "
+				"misconfiguration, client sent us a "
+				"krb5 ticket and kerberos security "
+				"not enabled\n"));
+			TALLOC_FREE(session);
+			data_blob_free(&secblob_in);
+			SAFE_FREE(kerb_mech);
+			return NT_STATUS_LOGON_FAILURE;
+		}
+	}
+
 	status = auth_ntlmssp_update(session->auth_ntlmssp_state,
 				     auth,
 				     &auth_out);
-- 
2.34.1