author | Andrew Tridgell <tridge@samba.org> | 2010-09-22 22:41:02 -0700 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-09-23 07:17:57 +0000 |
commit | 7a05e04dfc81d20aff92e17c61af81bbe66d2492 (patch) | |
tree | 3de949a4dbe746affd549672c5c9d9dee609d0b8 | |
parent | c0ff93b033da632d5ad4a004d6fff05d08f5cf78 (diff) | |
s4-gensec: fixed a client side bug in GENSEC/SASL/SSF negotiation
this is the client side equivalent change for the previous fix
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a864bca49b..ecf2a73b1f 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -632,18 +632,21 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_proposed, 0), gensec_gssapi_state->max_wrap_buf_size);
 gensec_gssapi_state->sasl_protection = 0;
- if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- if (security_supported & NEG_SEAL) {
+ if (security_supported & NEG_SEAL) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
 gensec_gssapi_state->sasl_protection |= NEG_SEAL;
 }
- } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- if (security_supported & NEG_SIGN) {
+ }
+ if (security_supported & NEG_SIGN) {
+ if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
 gensec_gssapi_state->sasl_protection |= NEG_SIGN;
 }
- } else if (security_supported & NEG_NONE) {
+ }
+ if (security_supported & NEG_NONE) {
 gensec_gssapi_state->sasl_protection |= NEG_NONE;
- } else {
- DEBUG(1, ("Remote server does not support unprotected connections"));
+ }
+ if (gensec_gssapi_state->sasl_protection == 0) {
+ DEBUG(1, ("Remote server does not support unprotected connections\n"));
 return NT_STATUS_ACCESS_DENIED;
 } |
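Review bot: `NEG_NONE` is OR-ed into `sasl_protection` whenever the server offers it, so a client for which `gensec_have_feature()` reports `GENSEC_FEATURE_SEAL` or `GENSEC_FEATURE_SIGN` still completes this step with no security layer when the server's mask lacks the matching bit; the final `sasl_protection == 0` test only rejects the case where nothing matched at all. Unless the required level is enforced elsewhere in `gensec_gssapi_update` (its body starts and ends outside the hunk), a requested seal or sign can be dropped without an error. A guard before the final check, such as `if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL) && !(gensec_gssapi_state->sasl_protection & NEG_SEAL)) return NT_STATUS_ACCESS_DENIED;` with the same test for `GENSEC_FEATURE_SIGN`/`NEG_SIGN`, would make that failure explicit. Because the three tests are now independent, `sasl_protection` can carry several bits at once, and a short comment saying which layer is in effect in that case would help readers.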