CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require...

author Stefan Metzmacher <metze@samba.org>

Thu, 27 Oct 2016 08:40:28 +0000 (10:40 +0200)

committer Jule Anger <janger@samba.org>

Mon, 8 Nov 2021 09:52:13 +0000 (10:52 +0100)
author Stefan Metzmacher <metze@samba.org>
Thu, 27 Oct 2016 08:40:28 +0000 (10:40 +0200)
committer Jule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:13 +0000 (10:52 +0100)
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c

index 1fb1f0127b966d07c02e3c5b4bfe65679c699755..a79abfaf157b75ed97d4d1f561cbb1cc7d2eae77 100644 (file)
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1443,6 +1443,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
         uint32_t in_sess_key = 0;
         const char *in_native_os = NULL;
         const char *in_native_lm = NULL;
+       enum credentials_use_kerberos krb5_state =
+               cli_credentials_get_kerberos_state(creds);
         NTSTATUS status;
  
         req = tevent_req_create(mem_ctx, &state,
@@ -1484,6 +1486,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx,
                 return req;
         }
  
+       if (krb5_state == CRED_MUST_USE_KERBEROS) {
+               DBG_WARNING("Kerberos authentication requested, but "
+                           "the server does not support SPNEGO authentication\n");
+               tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+               return tevent_req_post(req, ev);
+       }
+
         if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) {
                 /*
                  * SessionSetupAndX was introduced by LANMAN 1.0. So we skip
author	Stefan Metzmacher <metze@samba.org>
	Thu, 27 Oct 2016 08:40:28 +0000 (10:40 +0200)
committer	Jule Anger <janger@samba.org>
	Mon, 8 Nov 2021 09:52:13 +0000 (10:52 +0100)