summaryrefslogtreecommitdiff
path: root/source3/libads
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2003-06-10 03:47:42 +0000
committerAndrew Tridgell <tridge@samba.org>2003-06-10 03:47:42 +0000
commit2cfc19f89939353e81bc0c00c3fe084a68bba20f (patch)
treea2357fa566412a572b78bad1263ee28d0bd8b3eb /source3/libads
parent524da855ff764eba7aa88624259d359e0cd406ac (diff)
downloadsamba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.gz
samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.tar.bz2
samba-2cfc19f89939353e81bc0c00c3fe084a68bba20f.zip
added an auth flag that indicates if we should be allowed to fallback
to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin may think that a join has succeeeded when kerberos is actually broken. (This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)
Diffstat (limited to 'source3/libads')
-rw-r--r--source3/libads/sasl.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 29d4533a54..598208b17f 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -198,8 +198,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
if (ads_kinit_password(ads) == 0) {
status = ads_sasl_spnego_krb5_bind(ads, principal);
}
- if (ADS_ERR_OK(status))
+ /* only fallback to NTLMSSP if allowed */
+ if (ADS_ERR_OK(status) ||
+ !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
return status;
+ }
}
#endif