diff options
author | Andrew Bartlett <abartlet@samba.org> | 2012-03-11 07:04:38 +1100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-04-03 17:47:32 +0200 |
commit | f3b005e7595288096a4fac220709b7af26aa7b62 (patch) | |
tree | cfa1536ca7647a07c0eb4eababb0f7da149768c0 | |
parent | 893387d25fcc24e906b3b97a49259930f298132d (diff) | |
download | samba-f3b005e7595288096a4fac220709b7af26aa7b62.tar.gz samba-f3b005e7595288096a4fac220709b7af26aa7b62.tar.bz2 samba-f3b005e7595288096a4fac220709b7af26aa7b62.zip |
s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSP
Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client)
will not select krb5.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source3/auth/auth_generic.c | 5 | ||||
-rw-r--r-- | source3/libsmb/auth_generic.c | 6 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 5 |
3 files changed, 10 insertions, 6 deletions
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index f99d390edd..c37672620f 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -292,12 +292,13 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, gensec_init(); - gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP); - + /* These need to be in priority order, krb5 before NTLMSSP */ #if defined(HAVE_KRB5) gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops; #endif + gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP); + gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO); diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c index dbd87fff2b..f1510d2e90 100644 --- a/source3/libsmb/auth_generic.c +++ b/source3/libsmb/auth_generic.c @@ -83,13 +83,15 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st return NT_STATUS_NO_MEMORY; } - gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops; + gensec_init(); + /* These need to be in priority order, krb5 before NTLMSSP */ #if defined(HAVE_KRB5) gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops; #endif - gensec_init(); + gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops; + gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO); diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index bc3535920b..51ea097353 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1130,12 +1130,13 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx, gensec_init(); - gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP); - + /* These need to be in priority order, krb5 before NTLMSSP */ #if defined(HAVE_KRB5) gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops; #endif + gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP); + gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO); |