authorAndrew Tridgell <tridge@samba.org>2002-08-30 06:59:57 +0000
committerAndrew Tridgell <tridge@samba.org>2002-08-30 06:59:57 +0000
commitdcd029169424d8846c1fbb0b1527516a4a026b27 (patch)
tree0d1ca640b6c60ebf20458154b19c2f557a0b8f60 /source3/libsmb
parenta6ace770eb9b11271803215f218bf772fa7d9faa (diff)
convert the LDAP/SASL code to use GSS-SPNEGO if possible
we now do this: - look for supported SASL mechanisms on the LDAP server - choose GSS-SPNEGO if possible - within GSS-SPNEGO choose KRB5 if we can do a kinit - otherwise use NTLMSSP This change also means that we no longer rely on having a gssapi library to do ADS. todo: - add TLS/SSL support over LDAP - change to using LDAP/SSL for password change in ADS (This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d)
Diffstat (limited to 'source3/libsmb')
-rw-r--r--source3/libsmb/cliconnect.c13
-rw-r--r--source3/libsmb/clikrb5.c8
-rw-r--r--source3/libsmb/clispnego.c4
3 files changed, 17 insertions, 8 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 0d033c9b59..e9b2b7b32e 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -446,7 +446,7 @@ static BOOL cli_session_setup_kerberos(struct cli_state *cli, char *principal, c
DEBUG(2,("Doing kerberos session setup\n"));
/* generate the encapsulated kerberos5 ticket */
- negTokenTarg = spnego_gen_negTokenTarg(cli, principal);
+ negTokenTarg = spnego_gen_negTokenTarg(principal);
if (!negTokenTarg.data) return False;
@@ -572,14 +572,14 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user,
{
char *principal;
char *OIDs[ASN1_MAX_OIDS];
- uint8 guid[16];
int i;
BOOL got_kerberos_mechanism = False;
+ DATA_BLOB blob;
DEBUG(2,("Doing spnego session setup (blob length=%d)\n", cli->secblob.length));
/* the server might not even do spnego */
- if (cli->secblob.length == 16) {
+ if (cli->secblob.length <= 16) {
DEBUG(3,("server didn't supply a full spnego negprot\n"));
goto ntlmssp;
}
@@ -588,11 +588,16 @@ static BOOL cli_session_setup_spnego(struct cli_state *cli, char *user,
file_save("negprot.dat", cli->secblob.data, cli->secblob.length);
#endif
+ /* there is 16 bytes of GUID before the real spnego packet starts */
+ blob = data_blob(cli->secblob.data+16, cli->secblob.length-16);
+
/* the server sent us the first part of the SPNEGO exchange in the negprot
reply */
- if (!spnego_parse_negTokenInit(cli->secblob, guid, OIDs, &principal)) {
+ if (!spnego_parse_negTokenInit(blob, OIDs, &principal)) {
+ data_blob_free(&blob);
return False;
}
+ data_blob_free(&blob);
/* make sure the server understands kerberos */
for (i=0;OIDs[i];i++) {
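Review bot: In cli_session_setup_spnego the 16-byte GUID prefix is now assumed in two places — the `cli->secblob.length <= 16` guard and the `cli->secblob.data+16` / `cli->secblob.length-16` slice — as a bare literal, so the guard and the slice can drift apart; a named constant such as `#define SPNEGO_NEGPROT_GUID_LEN 16` used in both would keep the server-controlled length check tied to the offset it protects. The blob returned by `data_blob()` is handed straight to `spnego_parse_negTokenInit` without looking at `blob.data`; if `data_blob` can yield an empty blob on allocation failure, that case should take the same `goto ntlmssp` path as the short-negprot case rather than being parsed. The `ntlmssp:` label the guard jumps to, and the rest of the function, lie outside the hunk.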
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 685c4a25e0..955a93285c 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -20,6 +20,10 @@
#include "includes.h"
+#ifndef ENCTYPE_ARCFOUR_HMAC
+#define ENCTYPE_ARCFOUR_HMAC 0x0017
+#endif
+
#ifdef HAVE_KRB5
/*
we can't use krb5_mk_req because w2k wants the service to be in a particular format
@@ -94,7 +98,9 @@ DATA_BLOB krb5_get_ticket(char *principal)
krb5_context context;
krb5_auth_context auth_context = NULL;
DATA_BLOB ret;
- krb5_enctype enc_types[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_NULL};
+ krb5_enctype enc_types[] = {ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_NULL};
retval = krb5_init_context(&context);
if (retval) {
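Review bot: The fallback `#define ENCTYPE_ARCFOUR_HMAC 0x0017` gives no indication of where the value comes from; a comment such as `/* RC4-HMAC etype 23 (0x17): supplied for krb5 headers that lack the symbol */` would tell the next reader it is the protocol-assigned etype number and not a local choice. In the `enc_types` preference list, `ENCTYPE_DES_CBC_MD5` is kept as the second entry, so a KDC or service that offers only DES is still accepted; the array deserves a comment stating that the order is a preference, strongest first, and that DES remains as a deliberate fallback, so the weaker type is a visible decision rather than an accident of ordering. krb5_get_ticket begins before this hunk and continues past it.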
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index bc4d0ca348..1eeae8b171 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -79,7 +79,6 @@ DATA_BLOB spnego_gen_negTokenInit(uint8 guid[16],
OIDs (the mechanisms) and a principal name string
*/
BOOL spnego_parse_negTokenInit(DATA_BLOB blob,
- uint8 guid[16],
char *OIDs[ASN1_MAX_OIDS],
char **principal)
{
@@ -89,7 +88,6 @@ BOOL spnego_parse_negTokenInit(DATA_BLOB blob,
asn1_load(&data, blob);
- asn1_read(&data, guid, 16);
asn1_start_tag(&data,ASN1_APPLICATION(0));
asn1_check_OID(&data,OID_SPNEGO);
asn1_start_tag(&data,ASN1_CONTEXT(0));
@@ -279,7 +277,7 @@ BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket)
generate a SPNEGO negTokenTarg packet, ready for a EXTENDED_SECURITY
kerberos session setup
*/
-DATA_BLOB spnego_gen_negTokenTarg(struct cli_state *cli, char *principal)
+DATA_BLOB spnego_gen_negTokenTarg(const char *principal)
{
DATA_BLOB tkt, tkt_wrapped, targ;
const char *krb_mechs[] = {OID_KERBEROS5_OLD, OID_NTLMSSP, NULL};
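Review bot: The contract of `spnego_parse_negTokenInit` has changed — it no longer reads a leading 16-byte GUID from `blob` — but the header comment ending at the `*/` just above its signature is not updated to say so; it should state that `blob` must begin at the SPNEGO negTokenInit token itself, e.g. `blob must start at the negTokenInit; callers strip any 16-byte negprot GUID first`, so a caller that passes the raw negprot blob is not silently parsing the GUID as ASN.1. Likewise `spnego_gen_negTokenTarg` dropped its `cli` parameter and now takes `const char *principal`; any prototype declared elsewhere must match, which this diff does not show. Both functions continue past the hunks shown.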