author | Andrew Bartlett <abartlet@samba.org> | 2012-02-25 14:17:23 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-03-01 22:04:45 +1100 |
commit | 4dae0e7ec5add0c2000484a7dc6ca6f147e6ecb9 (patch) | |
tree | d2327eaee942a7cf8e907b9aa976c7d31ebc62c4 | |
parent | 5b700cb0e3bab1f9b0452db108d9150d5067c55d (diff) | |
s3-ntlm_auth: Wrap kerberos token in GSSAPI
While Windows will accept this ticket without the wrapping, it is
nicer to follow the standard and wrap it up in GSSAPI.
This should allow the ntlm_auth gss-spnego-client to talk to
the ntlm_auth gss-spnego server.
Reported by Christof Schmitt <christof.schmitt@us.ibm.com>
Andrew Bartlett
-rw-r--r-- | source3/utils/ntlm_auth.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index bbf32f963b..fb38c8e09e 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1940,7 +1940,7 @@ static void manage_client_ntlmssp_targ(struct spnego_data spnego) static bool manage_client_krb5_init(struct spnego_data spnego) { char *principal; - DATA_BLOB tkt, to_server; + DATA_BLOB tkt, tkt_wrapped, to_server; DATA_BLOB session_key_krb5 = data_blob_null; struct spnego_data reply; char *reply_base64; @@ -2024,8 +2024,12 @@ static bool manage_client_krb5_init(struct spnego_data spnego) DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); return False; } + } + /* wrap that up in a nice GSS-API wrapping */ + tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ); + data_blob_free(&session_key_krb5); ZERO_STRUCT(reply); @@ -2034,7 +2038,7 @@ static bool manage_client_krb5_init(struct spnego_data spnego) reply.negTokenInit.mechTypes = my_mechs; reply.negTokenInit.reqFlags = data_blob_null; reply.negTokenInit.reqFlagsPadding = 0; - reply.negTokenInit.mechToken = tkt; + reply.negTokenInit.mechToken = tkt_wrapped; reply.negTokenInit.mechListMIC = data_blob_null; len = spnego_write_data(ctx, &to_server, &reply); |
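Review bot: The return value of `spnego_gen_krb5_wrap()` in the second hunk is never checked, and the third hunk assigns `tkt_wrapped` straight to `reply.negTokenInit.mechToken`. The helper's definition is outside this diff, but if it can hand back an empty blob on allocation or ASN.1 encoding failure, the client would emit a negTokenInit with an empty mechToken rather than failing locally. A guard placed after the existing `data_blob_free(&session_key_krb5);`, so that the session key is released first, would make the failure explicit: `if (tkt_wrapped.data == NULL) { DEBUG(1, ("Failed to wrap krb5 ticket\n")); return False; }`. It is also worth confirming that `tkt` is still released on this path now that the reply no longer references it. The rest of `manage_client_krb5_init` lies outside the hunks, so both points need checking against the full function.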