auth/kerberos: Fall back to gsskrb5_get_subkey if we did not get the key type

The key type OID is optional, but we require that information to determine if
we should use NEW_SPNEGO.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Mar  8 11:53:57 CET 2012 on sn-devel-104

1 files changed, 23 insertions, 4 deletions

diff --git a/auth/kerberos/gssapi_pac.c b/auth/kerberos/gssapi_pac.c
index 8a4d8c3be1..1a9d6aa26e 100644
--- a/auth/kerberos/gssapi_pac.c
+++ b/auth/kerberos/gssapi_pac.c
@@ -223,10 +223,29 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
 		char *oid;
 		char *p, *q = NULL;
 		
-		if (set->count < 2
-		    || memcmp(set->elements[1].value,
-			      gse_sesskeytype_oid.elements,
-			      gse_sesskeytype_oid.length) != 0) {
+		if (set->count < 2) {
+
+#ifdef HAVE_GSSKRB5_GET_SUBKEY
+			krb5_keyblock *subkey;
+			gss_maj = gsskrb5_get_subkey(&gss_min,
+						     gssapi_context,
+						     &subkey);
+			if (gss_maj == 0) {
+				*keytype = KRB5_KEY_TYPE(subkey);
+				krb5_free_keyblock(NULL /* should be krb5_context */, subkey);
+			} else
+#else
+			{
+				*keytype = 0;
+			}
+#endif
+			gss_maj = gss_release_buffer_set(&gss_min, &set);
+	
+			return NT_STATUS_OK;
+
+		} else if (memcmp(set->elements[1].value,
+				  gse_sesskeytype_oid.elements,
+				  gse_sesskeytype_oid.length) != 0) {
 			/* Perhaps a non-krb5 session key */
 			*keytype = 0;
 			gss_maj = gss_release_buffer_set(&gss_min, &set);