diff options
| author | Andrew Tridgell <tridge@samba.org> | 2003-06-10 03:47:42 +0000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2003-06-10 03:47:42 +0000 |
| commit | 2cfc19f89939353e81bc0c00c3fe084a68bba20f (patch) | |
| tree | a2357fa566412a572b78bad1263ee28d0bd8b3eb /source3/libads | |
| parent | 524da855ff764eba7aa88624259d359e0cd406ac (diff) | |
| download | samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.gz samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.bz2 samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.zip | |
added an auth flag that indicates if we should be allowed to fallback
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the
admin may think that a join has succeeeded when kerberos is actually
broken.
(This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
Diffstat (limited to 'source3/libads')
| -rw-r--r-- | source3/libads/sasl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 29d4533a54..598208b17f 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -198,8 +198,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) if (ads_kinit_password(ads) == 0) { status = ads_sasl_spnego_krb5_bind(ads, principal); } - if (ADS_ERR_OK(status)) + /* only fallback to NTLMSSP if allowed */ + if (ADS_ERR_OK(status) || + !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { return status; + } } #endif |