From: Stefan Metzmacher Date: Thu, 24 Nov 2016 08:12:59 +0000 (+0100) Subject: CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if... X-Git-Tag: ldb-2.5.0~114 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=93dad333a22a3b46217072333491b87621db01f5;p=thirdparty%2Fsamba.git CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] data on the wire if the user asked for kerberos only. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 Signed-off-by: Stefan Metzmacher --- diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index 51e121bdce6..391ee081fe6 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -622,6 +622,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se NTSTATUS status; enum smb_encryption_setting encryption_state = cli_credentials_get_smb_encryption(io->in.credentials); + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(io->in.credentials); c = composite_create(session, session->transport->ev); if (c == NULL) return NULL; @@ -642,6 +644,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* no session setup at all in earliest protocol varients */ if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } ZERO_STRUCT(io->out); composite_done(c); return c; 
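Review bot: The same four-line `CRED_USE_KERBEROS_REQUIRED` guard is written out once here in the pre-LANMAN1 branch and twice more in the next hunk (the `session_setup_old` and `session_setup_nt1` branches), so a future non-SPNEGO path could be added without it. All three conditions mean "this session setup will not use SPNEGO", so a single check placed just before the `/* no session setup at all ... */` comment would enforce the Kerberos-only rule in one place. The sketch below assumes nothing in the lines between the hunks, which are not visible here, changes the negotiated protocol, `use_spnego` or `io->in.capabilities`. The function body starts and ends outside these hunks.

```c
	/*
	 * Kerberos-only credentials can only be honoured via SPNEGO:
	 * refuse every legacy session setup path in one place so that
	 * no NTLM[v2] or plaintext response is ever put on the wire.
	 */
	bool will_use_spnego =
		session->transport->negotiate.protocol >= PROTOCOL_NT1 &&
		session->transport->options.use_spnego &&
		(io->in.capabilities & CAP_EXTENDED_SECURITY);

	if (krb5_state == CRED_USE_KERBEROS_REQUIRED && !will_use_spnego) {
		composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
		return c;
	}

	/* … unchanged: pre-LANMAN1 early return, session_setup_old / session_setup_nt1 / SPNEGO dispatch … */
```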
@@ -649,9 +655,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* see what session setup interface we will use */ if (session->transport->negotiate.protocol < PROTOCOL_NT1) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_old(c, session, io, &state->req); } else if (!session->transport->options.use_spnego || !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_nt1(c, session, io, &state->req); } else { struct tevent_req *subreq = NULL;
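Review bot: Both new refusals in this hunk fail silently with the same `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT`, so an operator cannot tell a local setting (`options.use_spnego` off) from a peer that negotiated an old protocol or did not offer `CAP_EXTENDED_SECURITY`. The second case is the downgrade condition this CVE fix is about and deserves a log line before each `composite_error()` call, for example `DEBUG(1, ("Kerberos required but session setup would not use SPNEGO; refusing legacy authentication\n"));`. Separately, the guards cover only the non-SPNEGO branches, and the SPNEGO branch that begins at `struct tevent_req *subreq = NULL;` continues outside the hunk. A short comment there would help, such as `/* Kerberos-only is enforced by the SPNEGO/gensec mechanism selection, not here */`, provided that is in fact where it is enforced.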