NEX-15558 SMB logon fails during 1st second after service start
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-15558 SMB logon fails during 1st second after service start
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-2626 SMB should not offer Kerberos in workgroup mode
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-4083 Upstream changes from illumos 5917 and 5995
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-2485 SMB authentication flood handled poorly
NEX-1810 extended security Kerberos (inbound)
NEX-1995 SMB fails to authenticate domain user with 40 or more domain group memberships
SUP-866 smbd lwps stuck in libsocket recv() for no apparent reason (more lint)
SUP-866 smbd lwps stuck in libsocket recv() for no apparent reason (lint)
SUP-866 smbd lwps stuck in libsocket recv() for no apparent reason
SMB-149 mount.cifs RedHat\Centos 6 doesn't work with default security options
SMB-77 Support raw NTLMSSP
SMB-50 User-mode SMB server (fix elfchk noise)
SMB-56 extended security NTLMSSP, inbound (fix a leak)
SMB-56 extended security NTLMSSP, inbound
*** 8,18 ****
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
! * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
*/
/*
* SMB authentication service
*
--- 8,18 ----
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
! * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
*/
/*
* SMB authentication service
*
*** 101,111 ****
/*
* These are the mechanisms we support, in order of preference.
* But note: it's really the _client's_ preference that matters.
* See &pref in the spnegoIsMechTypeAvailable() calls below.
* Careful with this table; the code below knows its format and
! * may skip the fist two entries to ommit Kerberos.
*/
static const spnego_mech_handler_t
mech_table[] = {
{
spnego_mech_oid_Kerberos_V5,
--- 101,111 ----
/*
* These are the mechanisms we support, in order of preference.
* But note: it's really the _client's_ preference that matters.
* See &pref in the spnegoIsMechTypeAvailable() calls below.
* Careful with this table; the code below knows its format and
! * may skip the fist two entries to omit Kerberos.
*/
static const spnego_mech_handler_t
mech_table[] = {
{
spnego_mech_oid_Kerberos_V5,
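Review bot: The reworded comment fixes "ommit" but leaves "fist" on the same line; since the line is touched anyway, make it `* may skip the first two entries to omit Kerberos.`. The same two-typo sentence also heads the MechTypeList table later in the file and should get the same correction.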
*** 547,558 ****
}
xdr_destroy(&xdrs);
token = smbd_user_auth_logon(&user_info);
xdr_free(smb_logon_xdr, (char *)&user_info);
! if (token == NULL)
! return (NT_STATUS_ACCESS_DENIED);
ctx->ctx_token = token;
return (rc);
}
--- 547,562 ----
}
xdr_destroy(&xdrs);
token = smbd_user_auth_logon(&user_info);
xdr_free(smb_logon_xdr, (char *)&user_info);
! if (token == NULL) {
! rc = user_info.lg_status;
! if (rc == 0) /* should not happen */
! rc = NT_STATUS_INTERNAL_ERROR;
! return (rc);
! }
ctx->ctx_token = token;
return (rc);
}
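Review bot: The new failure branch reads `user_info.lg_status` after `xdr_free(smb_logon_xdr, (char *)&user_info)` has already walked the struct; that works only because the XDR free pass leaves scalar members untouched, and it becomes a stale read the moment smb_logon_xdr or the struct layout changes. Copy the status into a local of lg_status's type right after the `smbd_user_auth_logon(&user_info)` call, before the `xdr_free`, and use `rc = status;` in the `token == NULL` branch. Separately, the old code collapsed every logon failure to NT_STATUS_ACCESS_DENIED; propagating lg_status is what the fix needs, but if smbd_user_auth_logon ever distinguishes an unknown account from a bad password in lg_status, that distinction is now visible to an unauthenticated client, so confirm those cases still map to one status. The enclosing function begins before this hunk.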
*** 629,639 ****
* support. Unfortunately, the spnego code does not have an
* interface to walk the token's mech list, so we have to
* ask about each mech type we know and keep track of which
* was earliest in the token's mech list.
*
! * Also, skip the Kerberos mechanisms in workgroup mode.
*/
idx = 0;
mh = mech_table;
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
idx = MECH_TBL_IDX_NTLMSSP;
--- 633,643 ----
* support. Unfortunately, the spnego code does not have an
* interface to walk the token's mech list, so we have to
* ask about each mech type we know and keep track of which
* was earliest in the token's mech list.
*
! * Also, if not in domain mode, skip the Kerberos.
*/
idx = 0;
mh = mech_table;
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
idx = MECH_TBL_IDX_NTLMSSP;
*** 779,789 ****
*/
if (ctx->ctx_itoktype == SPNEGO_TOKEN_INIT) {
/* tell the client the selected mech. */
oid = ctx->ctx_mech_oid;
} else {
! /* Ommit the "supported mech." field. */
oid = spnego_mech_oid_NotUsed;
}
/*
* Determine the spnego "negresult" from the
--- 783,793 ----
*/
if (ctx->ctx_itoktype == SPNEGO_TOKEN_INIT) {
/* tell the client the selected mech. */
oid = ctx->ctx_mech_oid;
} else {
! /* Omit the "supported mech." field. */
oid = spnego_mech_oid_NotUsed;
}
/*
* Determine the spnego "negresult" from the
*** 913,923 ****
}
/*
* Initialization time code to figure out what mechanisms we support.
* Careful with this table; the code below knows its format and may
! * skip the fist two entries to ommit Kerberos.
*/
static SPNEGO_MECH_OID MechTypeList[] = {
spnego_mech_oid_Kerberos_V5,
spnego_mech_oid_Kerberos_V5_Legacy,
#define MECH_OID_IDX_NTLMSSP 2
--- 917,927 ----
}
/*
* Initialization time code to figure out what mechanisms we support.
* Careful with this table; the code below knows its format and may
! * skip the fist two entries to omit Kerberos.
*/
static SPNEGO_MECH_OID MechTypeList[] = {
spnego_mech_oid_Kerberos_V5,
spnego_mech_oid_Kerberos_V5_Legacy,
#define MECH_OID_IDX_NTLMSSP 2
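Review bot: This comment gets the same partial fix as the mech_table one above: "ommit" becomes "omit" but "fist" remains. Change it to `* skip the first two entries to omit Kerberos.` while the line is being edited.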
*** 944,954 ****
uint32_t *pBufLen = &kcfg->skc_negtok_len;
ulong_t tLen = sizeof (kcfg->skc_negtok);
int rc;
/*
! * In workgroup mode, skip Kerberos.
*/
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
mechList += MECH_OID_IDX_NTLMSSP;
mechCnt -= MECH_OID_IDX_NTLMSSP;
}
--- 948,958 ----
uint32_t *pBufLen = &kcfg->skc_negtok_len;
ulong_t tLen = sizeof (kcfg->skc_negtok);
int rc;
/*
! * If not in domain mode, skip Kerberos.
*/
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
mechList += MECH_OID_IDX_NTLMSSP;
mechCnt -= MECH_OID_IDX_NTLMSSP;
}