diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2006-05-04 10:03:41 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:05:36 -0500 |
| commit | 5f4d86f955d939e96ec9b81c8a9d080aab4354b6 (patch) | |
| tree | b785a6c2aa092fea9bd64391cc45915788b31692 /source4/auth/gensec/gensec_gssapi.c | |
| parent | 086c9cc5f4a9145ee93060db2eebb3badc325e44 (diff) | |
| download | samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.tar.gz samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.tar.bz2 samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.zip | |
r15426: Implement SPNEGO as the default RPC authentication mechanism. Where
this isn't supported, fallback to NTLM.
Also, where we get a failure as 'logon failure', try and do a '3
tries' for the password, like we already do for CIFS. (Incomplete:
needs a mapping between RPC errors and the logon failure NTSTATUS).
Because we don't yet support Kerberos sign/seal to win2k3 SP1 for
DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos
isn't demanded.
Andrew Bartlett
(This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80)
Diffstat (limited to 'source4/auth/gensec/gensec_gssapi.c')
| -rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 4cc067ffde..070e83e97c 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -257,6 +257,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi return NT_STATUS_INVALID_PARAMETER; } + if (((gensec_security->want_features & GENSEC_FEATURE_SIGN) + || (gensec_security->want_features & GENSEC_FEATURE_SEAL)) + && (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE) + && !lp_parm_bool(-1, "gensec_gssapi", "dce_signseal", + cli_credentials_get_kerberos_state(creds) == CRED_MUST_USE_KERBEROS)) { + DEBUG(2, ("GSSAPI sign/seal disabled for DCE/RPC. ")); + return NT_STATUS_INVALID_PARAMETER; + } + nt_status = gensec_gssapi_start(gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; |