authorAndrew Tridgell <tridge@samba.org>2003-06-10 03:47:42 +0000
committerAndrew Tridgell <tridge@samba.org>2003-06-10 03:47:42 +0000
commit2cfc19f89939353e81bc0c00c3fe084a68bba20f (patch)
treea2357fa566412a572b78bad1263ee28d0bd8b3eb
parent524da855ff764eba7aa88624259d359e0cd406ac (diff)
added an auth flag that indicates if we should be allowed to fall back
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin may think that a join has succeeded when kerberos is actually broken. (This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
-rw-r--r--source3/include/ads.h1
-rw-r--r--source3/libads/sasl.c5
2 files changed, 5 insertions, 1 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 7f7568d8b0..0961c9581c 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -205,6 +205,7 @@ typedef void **ADS_MODLIST;
#define ADS_AUTH_NO_BIND 0x02
#define ADS_AUTH_ANON_BIND 0x04
#define ADS_AUTH_SIMPLE_BIND 0x08
+#define ADS_AUTH_ALLOW_NTLMSSP 0x10
/* Kerberos environment variable names */
#define KRB5_ENV_CCNAME "KRB5CCNAME"
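Review bot: The new `ADS_AUTH_ALLOW_NTLMSSP` define carries no comment, although it is the only flag in this group that controls an authentication downgrade. A one-line comment above it would help, for example `/* allow the SASL bind to fall back to NTLMSSP if the krb5 bind fails */`. Because the fallback becomes opt-in, any existing caller that relied on the implicit NTLMSSP fallback will presumably now get a hard failure unless it sets this bit; those callers are not visible in this diff and are worth auditing.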
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 29d4533a54..598208b17f 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -198,8 +198,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
if (ads_kinit_password(ads) == 0) {
status = ads_sasl_spnego_krb5_bind(ads, principal);
}
- if (ADS_ERR_OK(status))
+ /* only fallback to NTLMSSP if allowed */
+ if (ADS_ERR_OK(status) ||
+ !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
return status;
+ }
}
#endif
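Review bot: When `ADS_AUTH_ALLOW_NTLMSSP` is set, execution falls past the new `return status;` and downgrades from Kerberos to NTLMSSP without recording why, so the broken-Kerberos condition described in the commit message stays invisible to the admin on that path. A log line just before falling through would make the downgrade auditable, e.g. `DEBUG(1,("ads_sasl_spnego_bind: krb5 bind failed, falling back to NTLMSSP\n"));`. Separately, when `ads_kinit_password(ads)` returns non-zero, `status` is not reassigned in these lines, so the value returned in the no-fallback case is whatever was stored earlier in the function. That earlier code is outside this hunk, so it is worth confirming that `status` always holds a failure code at this point and cannot be uninitialised or stale. The body of `ads_sasl_spnego_bind` starts and ends outside the hunk.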