summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2007-05-15 13:42:53 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:22:05 -0500
commit83a7d9558b5eb686863d44bd7ef00a9e5926edfd (patch)
tree123fdc1716400af3ef0560e45551c2d922431de6
parent8f9369f2e627cf2da4f5902be570200a9d2b1a67 (diff)
downloadsamba-83a7d9558b5eb686863d44bd7ef00a9e5926edfd.tar.gz
samba-83a7d9558b5eb686863d44bd7ef00a9e5926edfd.tar.bz2
samba-83a7d9558b5eb686863d44bd7ef00a9e5926edfd.zip
r22901: When an AD account has UF_DONT_REQUIRE_PREAUTH set we need to fallback to ntlm
in the kerberized PAM_AUTH. Guenther (This used to be commit ef8f0d35040390f4bb49aab24ca4aad90ea47bc1)
-rw-r--r--source3/nsswitch/winbindd_pam.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index bd2f82fb98..c82ac2b0ba 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -566,6 +566,14 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
http_timestring(ticket_lifetime), (int)ticket_lifetime,
http_timestring(renewal_until), (int)renewal_until));
+ /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+ * in that case fallback to NTLM - gd */
+
+ if ((ticket_lifetime == 0) && (renewal_until == 0)) {
+ result = NT_STATUS_INVALID_LOGON_TYPE;
+ goto failed;
+ }
+
client_princ = talloc_strdup(state->mem_ctx, global_myname());
if (client_princ == NULL) {
result = NT_STATUS_NO_MEMORY;