diff options
author | Günther Deschner <gd@samba.org> | 2007-05-15 13:42:53 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:22:05 -0500 |
commit | 83a7d9558b5eb686863d44bd7ef00a9e5926edfd (patch) | |
tree | 123fdc1716400af3ef0560e45551c2d922431de6 | |
parent | 8f9369f2e627cf2da4f5902be570200a9d2b1a67 (diff) | |
download | samba-83a7d9558b5eb686863d44bd7ef00a9e5926edfd.tar.gz samba-83a7d9558b5eb686863d44bd7ef00a9e5926edfd.tar.bz2 samba-83a7d9558b5eb686863d44bd7ef00a9e5926edfd.zip |
r22901: When an AD account has UF_DONT_REQUIRE_PREAUTH set we need to fallback to ntlm
in the kerberized PAM_AUTH.
Guenther
(This used to be commit ef8f0d35040390f4bb49aab24ca4aad90ea47bc1)
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index bd2f82fb98..c82ac2b0ba 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -566,6 +566,14 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, http_timestring(ticket_lifetime), (int)ticket_lifetime, http_timestring(renewal_until), (int)renewal_until)); + /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set, + * in that case fallback to NTLM - gd */ + + if ((ticket_lifetime == 0) && (renewal_until == 0)) { + result = NT_STATUS_INVALID_LOGON_TYPE; + goto failed; + } + client_princ = talloc_strdup(state->mem_ctx, global_myname()); if (client_princ == NULL) { result = NT_STATUS_NO_MEMORY; |