added an auth flag that indicates if we should be allowed to fallback

to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin may think that a join has succeeeded when kerberos is actually broken. (This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
author: Andrew Tridgell <tridge@samba.org> 2003-06-10 03:47:42 +0000
committer: Andrew Tridgell <tridge@samba.org> 2003-06-10 03:47:42 +0000
commit: 2cfc19f89939353e81bc0c00c3fe084a68bba20f (patch)
tree: a2357fa566412a572b78bad1263ee28d0bd8b3eb /source3/libads/sasl.c
parent: 524da855ff764eba7aa88624259d359e0cd406ac (diff)
download: samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.gz
samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.bz2
samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 29d4533a54..598208b17f 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -198,8 +198,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 		if (ads_kinit_password(ads) == 0) {
 			status = ads_sasl_spnego_krb5_bind(ads, principal);
 		}
-		if (ADS_ERR_OK(status))
+		/* only fallback to NTLMSSP if allowed */
+		if (ADS_ERR_OK(status) || 
+		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
 			return status;
+		}
 	}
 #endif
author	Andrew Tridgell <tridge@samba.org>	2003-06-10 03:47:42 +0000
committer	Andrew Tridgell <tridge@samba.org>	2003-06-10 03:47:42 +0000
commit	2cfc19f89939353e81bc0c00c3fe084a68bba20f (patch)
tree	a2357fa566412a572b78bad1263ee28d0bd8b3eb /source3/libads/sasl.c
parent	524da855ff764eba7aa88624259d359e0cd406ac (diff)
download	samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.gz samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.bz2 samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.zip