NEX-15558 SMB logon fails during 1st second after service start
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Evan Layton <evan.layton@nexenta.com>
NEX-2626 SMB should not offer Kerberos in workgroup mode
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Matt Barden <Matt.Barden@nexenta.com>
NEX-4083 Upstream changes from illumos 5917 and 5995
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Kevin Crowe <kevin.crowe@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
NEX-2485 SMB authentication flood handled poorly
NEX-1810 extended security Kerberos (inbound)
NEX-1995 SMB fails to authenticate domain user with 40 or more domain group memberships
SUP-866 smbd lwps stuck in libsocket recv() for no apparent reason (more lint)
SUP-866 smbd lwps stuck in libsocket recv() for no apparent reason (lint)
SUP-866 smbd lwps stuck in libsocket recv() for no apparent reason
SMB-149 mount.cifs RedHat\Centos 6 doesn't work with default security options
SMB-77 Support raw NTLMSSP
SMB-50 User-mode SMB server (fix elfchk noise)
SMB-56 extended security NTLMSSP, inbound (fix a leak)
SMB-56 extended security NTLMSSP, inbound
@@ -8,11 +8,11 @@
* source. A copy of the CDDL is also available via the Internet at
* http://www.illumos.org/license/CDDL.
*/
/*
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2017 Nexenta Systems, Inc. All rights reserved.
*/
/*
* SMB authentication service
*
@@ -101,11 +101,11 @@
/*
* These are the mechanisms we support, in order of preference.
* But note: it's really the _client's_ preference that matters.
* See &pref in the spnegoIsMechTypeAvailable() calls below.
* Careful with this table; the code below knows its format and
- * may skip the fist two entries to ommit Kerberos.
+ * may skip the fist two entries to omit Kerberos.
*/
static const spnego_mech_handler_t
mech_table[] = {
{
spnego_mech_oid_Kerberos_V5,
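Review bot: The corrected comment line above mech_table still reads "skip the fist two entries"; "fist" should be "first" and can be fixed in the same pass as "ommit". Since the comment warns that later code depends on the table layout, it would also help to say that the two entries being skipped are the Kerberos ones, rather than only counting them.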
@@ -547,12 +547,16 @@
}
xdr_destroy(&xdrs);
token = smbd_user_auth_logon(&user_info);
xdr_free(smb_logon_xdr, (char *)&user_info);
- if (token == NULL)
- return (NT_STATUS_ACCESS_DENIED);
+ if (token == NULL) {
+ rc = user_info.lg_status;
+ if (rc == 0) /* should not happen */
+ rc = NT_STATUS_INTERNAL_ERROR;
+ return (rc);
+ }
ctx->ctx_token = token;
return (rc);
}
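Review bot: In the new `if (token == NULL)` branch, `user_info.lg_status` is read after `xdr_free(smb_logon_xdr, (char *)&user_info)` has already run on the preceding line. That works only as long as the free pass leaves scalar members untouched; copying the status into a local before the `xdr_free` call would remove that dependency from the failure path. The `rc == 0` test would read more clearly against the named success status, and the "should not happen" case deserves a log message so that a logon reported as NT_STATUS_INTERNAL_ERROR can be traced. Since the function now returns whatever is in `lg_status` instead of a fixed NT_STATUS_ACCESS_DENIED, please also confirm that every value that can land there is one the caller is meant to pass on.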
@@ -629,11 +633,11 @@
* support. Unfortunately, the spnego code does not have an
* interface to walk the token's mech list, so we have to
* ask about each mech type we know and keep track of which
* was earliest in the token's mech list.
*
- * Also, skip the Kerberos mechanisms in workgroup mode.
+ * Also, if not in domain mode, skip the Kerberos.
*/
idx = 0;
mh = mech_table;
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
idx = MECH_TBL_IDX_NTLMSSP;
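Review bot: The reworded comment "Also, if not in domain mode, skip the Kerberos." has lost its noun. "Also, if not in domain mode, skip the Kerberos mechanisms." reads correctly and still matches the `smb_config_get_secmode() != SMB_SECMODE_DOMAIN` test below it.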
@@ -779,11 +783,11 @@
*/
if (ctx->ctx_itoktype == SPNEGO_TOKEN_INIT) {
/* tell the client the selected mech. */
oid = ctx->ctx_mech_oid;
} else {
- /* Ommit the "supported mech." field. */
+ /* Omit the "supported mech." field. */
oid = spnego_mech_oid_NotUsed;
}
/*
* Determine the spnego "negresult" from the
@@ -913,11 +917,11 @@
}
/*
* Initialization time code to figure out what mechanisms we support.
* Careful with this table; the code below knows its format and may
- * skip the fist two entries to ommit Kerberos.
+ * skip the fist two entries to omit Kerberos.
*/
static SPNEGO_MECH_OID MechTypeList[] = {
spnego_mech_oid_Kerberos_V5,
spnego_mech_oid_Kerberos_V5_Legacy,
#define MECH_OID_IDX_NTLMSSP 2
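Review bot: `#define MECH_OID_IDX_NTLMSSP 2` in the MechTypeList initializer has to be kept equal to the number of Kerberos entries above it by hand, and the comment this hunk touches is the only guard. Stating in that comment that the constant must match the count of Kerberos OIDs preceding it would make the dependency explicit. The updated comment line also still has "fist" for "first".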
@@ -944,11 +948,11 @@
uint32_t *pBufLen = &kcfg->skc_negtok_len;
ulong_t tLen = sizeof (kcfg->skc_negtok);
int rc;
/*
- * In workgroup mode, skip Kerberos.
+ * If not in domain mode, skip Kerberos.
*/
if (smb_config_get_secmode() != SMB_SECMODE_DOMAIN) {
mechList += MECH_OID_IDX_NTLMSSP;
mechCnt -= MECH_OID_IDX_NTLMSSP;
}
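Review bot: The skip under the reworded "If not in domain mode" comment (`mechList += MECH_OID_IDX_NTLMSSP; mechCnt -= MECH_OID_IDX_NTLMSSP;`) is a second copy of the rule that the earlier hunk applies with `idx = MECH_TBL_IDX_NTLMSSP`, using a different index constant for a different table. If one table gains or loses a Kerberos entry and the other does not, the mechanisms advertised and the mechanisms accepted will disagree. Consider a single helper or shared constant for "number of leading Kerberos entries" so the two cannot drift apart.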