diff options
| author | Andrew Tridgell <tridge@samba.org> | 2002-08-30 06:59:57 +0000 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2002-08-30 06:59:57 +0000 |
| commit | dcd029169424d8846c1fbb0b1527516a4a026b27 (patch) | |
| tree | 0d1ca640b6c60ebf20458154b19c2f557a0b8f60 /source3/libsmb/cliconnect.c | |
| parent | a6ace770eb9b11271803215f218bf772fa7d9faa (diff) | |
| download | samba-dcd029169424d8846c1fbb0b1527516a4a026b27.tar.gz samba-dcd029169424d8846c1fbb0b1527516a4a026b27.tar.bz2 samba-dcd029169424d8846c1fbb0b1527516a4a026b27.zip | |
convert the LDAP/SASL code to use GSS-SPNEGO if possible
we now do this:
- look for suported SASL mechanisms on the LDAP server
- choose GSS-SPNEGO if possible
- within GSS-SPNEGO choose KRB5 if we can do a kinit
- otherwise use NTLMSSP
This change also means that we no longer rely on having a gssapi
library to do ADS.
todo:
- add TLS/SSL support over LDAP
- change to using LDAP/SSL for password change in ADS
(This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d)
Diffstat (limited to 'source3/libsmb/cliconnect.c')
| -rw-r--r-- | source3/libsmb/cliconnect.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 0d033c9b59..e9b2b7b32e 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -446,7 +446,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - negTokenTarg = spnego_gen_negTokenTarg(cli, principal); + negTokenTarg = spnego_gen_negTokenTarg(principal); if (!negTokenTarg.data) return False; @@ -572,14 +572,14 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, { char *principal; char *OIDs[ASN1_MAX_OIDS]; - uint8 guid[16]; int i; BOOL got_kerberos_mechanism = False; + DATA_BLOB blob; DEBUG(2,("Doing spnego session setup (blob length=%d)\n", cli->secblob.length)); /* the server might not even do spnego */ - if (cli->secblob.length == 16) { + if (cli->secblob.length <= 16) { DEBUG(3,("server didn't supply a full spnego negprot\n")); goto ntlmssp; } @@ -588,11 +588,16 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user, file_save("negprot.dat", cli->secblob.data, cli->secblob.length); #endif + /* there is 16 bytes of GUID before the real spnego packet starts */ + blob = data_blob(cli->secblob.data+16, cli->secblob.length-16); + /* the server sent us the first part of the SPNEGO exchange in the negprot reply */ - if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principal)) { + if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) { + data_blob_free(&blob); return False; } + data_blob_free(&blob); /* make sure the server understands kerberos */ for (i=0;OIDs[i];i++) { |