summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-03-11 07:04:38 +1100
committerStefan Metzmacher <metze@samba.org>2012-04-03 17:47:32 +0200
commitf3b005e7595288096a4fac220709b7af26aa7b62 (patch)
treecfa1536ca7647a07c0eb4eababb0f7da149768c0
parent893387d25fcc24e906b3b97a49259930f298132d (diff)
downloadsamba-f3b005e7595288096a4fac220709b7af26aa7b62.tar.gz
samba-f3b005e7595288096a4fac220709b7af26aa7b62.tar.bz2
samba-f3b005e7595288096a4fac220709b7af26aa7b62.zip
s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSP
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client) will not select krb5. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source3/auth/auth_generic.c5
-rw-r--r--source3/libsmb/auth_generic.c6
-rw-r--r--source3/utils/ntlm_auth.c5
3 files changed, 10 insertions, 6 deletions
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index f99d390edd..c37672620f 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -292,12 +292,13 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
gensec_init();
- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
-
+ /* These need to be in priority order, krb5 before NTLMSSP */
#if defined(HAVE_KRB5)
gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
#endif
+ gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
+
gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
GENSEC_OID_SPNEGO);
diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
index dbd87fff2b..f1510d2e90 100644
--- a/source3/libsmb/auth_generic.c
+++ b/source3/libsmb/auth_generic.c
@@ -83,13 +83,15 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
return NT_STATUS_NO_MEMORY;
}
- gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
+ gensec_init();
+ /* These need to be in priority order, krb5 before NTLMSSP */
#if defined(HAVE_KRB5)
gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
#endif
- gensec_init();
+ gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
+
gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
GENSEC_OID_SPNEGO);
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index bc3535920b..51ea097353 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1130,12 +1130,13 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
gensec_init();
- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
-
+ /* These need to be in priority order, krb5 before NTLMSSP */
#if defined(HAVE_KRB5)
gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
#endif
+ gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
+
gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
GENSEC_OID_SPNEGO);