authorAndrew Tridgell <tridge@samba.org>2001-10-11 13:13:06 +0000
committerAndrew Tridgell <tridge@samba.org>2001-10-11 13:13:06 +0000
commit7cd9c611e2a1e0028081863a3678c47bc8af7b55 (patch)
tree2ce652229e5647535c8eaedf1654cfc86636a2cb /source3/libsmb/cliconnect.c
parent49307c26789b3061780d160f4c6fa4863853eddd (diff)
added an ASN.1 parser, so now I can properly parse the negTokenInit
packet which means I can extract the service and realm, so we should now work with realms other than the local realm. it also means we now check the list of OIDs given by the server just in case it says that it doesn't support kerberos. In that case we should fall back to NTLMSSP but that isn't written yet. (This used to be commit 395cfeea94febb5280ea57027e8a8a3c7c3f9291)
Diffstat (limited to 'source3/libsmb/cliconnect.c')
-rw-r--r--source3/libsmb/cliconnect.c33
1 files changed, 32 insertions, 1 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 77a8232ed5..36aedf2d59 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -325,8 +325,39 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user,
uint32 capabilities = cli_session_setup_capabilities(cli);
char *p;
DATA_BLOB blob2, negTokenTarg;
+ char *principle;
+ char *OIDs[ASN1_MAX_OIDS];
+ uint8 guid[16];
+ int i;
+ BOOL got_kerberos_mechanism = False;
+
+ /* the server sent us the first part of the SPNEGO exchange in the negprot
+ reply */
+ if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principle)) {
+ return False;
+ }
+
+ /* make sure the server understands kerberos */
+ for (i=0;OIDs[i];i++) {
+ DEBUG(3,("got OID=%s\n", OIDs[i]));
+ if (strcmp(OIDs[i], "1 2 840 48018 1 2 2") == 0) {
+ got_kerberos_mechanism = True;
+ }
+ free(OIDs[i]);
+ }
+ DEBUG(3,("got principle=%s\n", principle));
+
+ if (!got_kerberos_mechanism) {
+ DEBUG(1,("Server didn't offer kerberos5 mechanism!?\n"));
+ return False;
+ }
+
+ /* generate the encapsulated kerberos5 ticket */
+ negTokenTarg = spnego_gen_negTokenTarg(cli, principle);
+
+ free(principle);
- negTokenTarg = spnego_gen_negTokenTarg(cli);
+ if (!negTokenTarg.data) return False;
capabilities |= CAP_EXTENDED_SECURITY;
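Review bot: The `!got_kerberos_mechanism` branch returns False without releasing `principle`, which spnego_parse_negTokenInit() filled in and which is otherwise freed only after spnego_gen_negTokenTarg(); add `free(principle);` before that `return False;`. The OID list comes from the server, so the peer decides whether this path is taken on each session setup attempt. Separately, `principle` is read from `cli->secblob`, the server's unauthenticated negprot reply, and is passed unchanged to spnego_gen_negTokenTarg(), so the ticket is requested for whatever service name the peer supplied; a comment such as `/* principle is server-supplied and unauthenticated: it is a hint, not proof of server identity */` would record that, and checking it against the host the caller asked for looks worth considering. The parser is not visible here, so it should be confirmed that it always NULL-terminates `OIDs` within ASN1_MAX_OIDS entries and never leaves `principle` NULL before the `%s` in the DEBUG call. The body of cli_session_setup_spnego starts and ends outside this hunk.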