author | Gerald Carter <jerry@samba.org> | 2007-09-28 03:54:42 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:31:02 -0500 |
commit | 3529156971e17c7ec13f6a6243f7b613e4666cdd (patch) | |
tree | 0f6479de4c560c92a75826d955020659a36ef060 /source3/libsmb/cliconnect.c | |
parent | 470ebf8a3504474dea5c324d01282e59c034a236 (diff) | |
r25400: Windows 2008 (Longhorn) Interop fixes for AD specific auth2 flags,
and client fixes. Patch from Todd Stetcher <todd.stetcher@isilon.com>.
(This used to be commit 8304ccba7346597425307e260e88647e49081f68)
Diffstat (limited to 'source3/libsmb/cliconnect.c')
-rw-r--r-- | source3/libsmb/cliconnect.c | 38 |
1 files changed, 28 insertions, 10 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 820a904ea4..a4bbf9a6ec 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -822,20 +822,36 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, free(OIDs[i]); } - DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); if (got_kerberos_mechanism && (principal == NULL)) { + fstring dns_name; + fstring nb_name; + /* - * It is WRONG to depend on the principal sent in the negprot - * reply, but right now we do it. So for safety (don't - * segfault later) disable Kerberos when no principal was - * sent. -- VL - */ - DEBUG(1, ("Kerberos mech was offered, but no principal was " - "sent, disabling Kerberos\n")); - cli->use_kerberos = False; + * We didn't get a valid principal in the negTokenInit. Fake + * it, or fall back on NTLM. We prefer to fake it, and hit the + * translate_name cache to get a REAL realm name. + */ + if (!(cli->desthost && translate_name(domain, dns_name, + nb_name) && + asprintf(&principal, "host/%s@%s", cli->desthost, + dns_name))) { + + /* + * It is WRONG to depend on the principal sent in the + * negprot reply, but right now we do it. So for safety + * (don't segfault later) disable Kerberos when no + * principal was sent. -- VL + */ + DEBUG(1, ("Kerberos mech was offered, but no principal was " + "sent, disabling Kerberos\n")); + cli->use_kerberos = False; + } + } + DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); + fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5 @@ -872,7 +888,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); + /* NTLM is sensitive to adding a domain with a UPN */ + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, + (strchr(user, '@') ? NULL : domain))); } /**************************************************************************** |
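Review bot: The new fallback condition treats a failed `asprintf()` as success, because asprintf returns -1 on allocation failure and -1 is non-zero, so the `!(... && asprintf(...))` test is false and `cli->use_kerberos` stays set. After such a failure the contents of `principal` are not defined on every platform, yet the relocated `DEBUG(3, ...)` line and the Kerberos path that follows would both read it. Compare the result explicitly, `asprintf(&principal, "host/%s@%s", cli->desthost, dns_name) != -1`, and set `principal = NULL;` in the fallback branch. cli_session_setup_spnego continues outside the hunk, so how the allocated principal is released, and what happens when `cli->desthost` is an address or short name the KDC has no `host/` entry for, cannot be checked from here.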
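Review bot: The `ntlmssp:` fallback now passes `NULL` as the domain whenever `user` contains '@', and nothing visible in this hunk shows that `cli_session_setup_ntlmssp()` accepts a NULL domain. If the callee hands that argument to a string routine unguarded, any UPN-style user name becomes a NULL dereference on the fallback path, so the callee's handling should be confirmed or a guard added there. The comment is also too terse for the next reader; something like `/* A UPN (user@realm) already carries the domain; do not also send a separate domain to NTLMSSP */` would state the intent, with the exact failure being avoided left for the author to confirm.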