author | Andrew Bartlett <abartlet@samba.org> | 2004-06-14 03:22:52 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:51:57 -0500 |
commit | 654524c71ba2ab1786a2dd63b2b92d91b0c7cac0 (patch) | |
tree | 3675ea78db07bb99bc7790cc2bc4b885be6cecf5 /source3 | |
parent | 0805d1ddc324ec6f8ffd35b296f9fc4a245dccb9 (diff) | |
r1126: Allow more flexible GSS-SPNEGO client and server operation. The
client now falls back to NTLMSSP, and the server allows the client to
start without first asking for a mech list.
Andrew Bartlett
(This used to be commit feccc3daca7b2e9091b81fbbb93dc7284baedb99)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/utils/ntlm_auth.c | 34 |
1 files changed, 18 insertions, 16 deletions
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 3b2164497c..99767a5626 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -814,32 +814,34 @@ static void manage_gss_spnego_request(enum stdio_helper_mode stdio_helper_mode, pstring reply_argument; if (strlen(buf) < 2) { + DEBUG(1, ("SPENGO query [%s] invalid", buf)); + x_fprintf(x_stdout, "BH\n"); + return; + } - if (ntlmssp_state != NULL) { - DEBUG(1, ("Request for initial SPNEGO request where " - "we already have a state\n")); - x_fprintf(x_stdout, "BH\n"); - return; - } - - DEBUG(1, ("NTLMSSP query [%s] invalid", buf)); + if (strncmp(buf, "YR", 2) == 0) { + if (ntlmssp_state) + ntlmssp_end(&ntlmssp_state); + } else if (strncmp(buf, "KK", 2) == 0) { + + } else { + DEBUG(1, ("SPENGO query [%s] invalid", buf)); x_fprintf(x_stdout, "BH\n"); return; } - if ( (strlen(buf) == 2) && (strcmp(buf, "YR") == 0) ) { + if ( (strlen(buf) == 2)) { - /* Initial request, get the negTokenInit offering + /* no client data, get the negTokenInit offering mechanisms */ offer_gss_spnego_mechs(); return; } - /* All subsequent requests are "KK" (Knock, Knock ;)) and have - a blob. This might be negTokenInit or negTokenTarg */ + /* All subsequent requests have a blob. This might be negTokenInit or negTokenTarg */ - if ( (strlen(buf) <= 3) || (strncmp(buf, "KK", 2) != 0) ) { + if (strlen(buf) <= 3) { DEBUG(1, ("GSS-SPNEGO query [%s] invalid\n", buf)); x_fprintf(x_stdout, "BH\n"); return; @@ -1151,7 +1153,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego) { char *principal; DATA_BLOB tkt, to_server; - DATA_BLOB session_key_krb5; + DATA_BLOB session_key_krb5 = data_blob(NULL, 0); SPNEGO_DATA reply; char *reply_base64; int retval; 
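Review bot: A bare `KK` line is now answered with the mechanism offer instead of `BH`, because the length-2 test in manage_gss_spnego_request no longer checks the verb, and unlike `YR` that path leaves any existing `ntlmssp_state` in place. A continuation that carries no blob looks like a protocol error from the peer, so I would keep the verb in the test, `if ((strlen(buf) == 2) && (strncmp(buf, "YR", 2) == 0)) {`, which lets a bare `KK` fall through to the `strlen(buf) <= 3` check and get `BH`. The empty `else if (strncmp(buf, "KK", 2) == 0)` branch deserves a comment such as `/* continuation: keep the existing state */`. The two new `DEBUG(1, ("SPENGO query [%s] invalid", buf));` lines lack the trailing `\n` and spell SPNEGO differently from the message further down. The function body continues outside the hunk.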
@@ -1196,14 +1198,14 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego) if ((retval = kerberos_kinit_password(user, opt_password, 0, NULL))) { DEBUG(10, ("Requesting TGT failed: %s\n", error_message(retval))); - x_fprintf(x_stdout, "NA\n"); - return True; + return False; } retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5); if (retval) { DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); + return False; } } |
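Review bot: Both failure paths now `return False` after logging only at level 10, so at normal log levels nothing records that Kerberos failed; going by the commit description the client then falls back to NTLMSSP, which would make this a silent mechanism downgrade. I would log these at a level operators actually run with, e.g. `DEBUG(1, ("Requesting TGT failed: %s\n", error_message(retval)));`, and likewise for the ticket failure. The early returns also skip whatever release of `principal`, `tkt` and `session_key_krb5` happens later in manage_client_krb5_init, which is outside the hunk, so it is worth confirming that nothing allocated above is leaked on these paths.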