author | Andrew Tridgell <tridge@samba.org> | 2010-09-22 22:20:30 -0700 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2010-09-23 07:17:57 +0000 |
commit | 202525db1339805af5d5e837712b0aa834e8f5e0 (patch) | |
tree | 68c46be94ad3929996bb3db6508752e0a3fc39e1 /source4/auth/gensec | |
parent | d1cbd68bb12c6d5193e864e5b0bae16c7ec4c5f4 (diff) | |
s4-gensec: fixed a GSSAPI SASL negotiation bug
Fixed a bug that affected mismatched negotiation between the GSSAPI
layer and the subsequent SASL SSF negotiation. This caused some LDAP
clients to hang when trying to authenticate with a Samba LDAP
server: the client thought the connection should be signed, while the
server thought it should be in plain text.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index d2f19e961e..a864bca49b 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -777,25 +777,28 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 /* first byte is the proposed security */
 security_accepted = maxlength_accepted[0];
 maxlength_accepted[0] = '\0';
-
+
 /* Rest is the proposed max wrap length */
 gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0), gensec_gssapi_state->max_wrap_buf_size);
 gensec_gssapi_state->sasl_protection = 0;
- if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
- if (security_accepted & NEG_SEAL) {
- gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+ if (security_accepted & NEG_SEAL) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+ DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
+ return NT_STATUS_ACCESS_DENIED;
 }
- } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
- if (security_accepted & NEG_SIGN) {
- gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+ gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+ }
+ if (security_accepted & NEG_SIGN) {
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+ DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
+ return NT_STATUS_ACCESS_DENIED;
 }
- } else if (security_accepted & NEG_NONE) {
+ gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+ }
+ if (security_accepted & NEG_NONE) {
 gensec_gssapi_state->sasl_protection |= NEG_NONE;
- } else {
- DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
- return NT_STATUS_ACCESS_DENIED;
 }
 /* quirk: This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
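Review bot: After the three independent `if` blocks, a client byte that carries none of NEG_SEAL, NEG_SIGN or NEG_NONE (zero, or only bits this code does not recognise) now leaves `sasl_protection` at 0 and falls through to the quirk comment, whereas the removed `else` branch returned NT_STATUS_ACCESS_DENIED for an unusable proposal; add `if (gensec_gssapi_state->sasl_protection == 0) { DEBUG(1, ("Remote client proposed no usable SASL security layer\n")); return NT_STATUS_ACCESS_DENIED; }` before the quirk comment. The new code also ORs every bit the client set, so a client sending SEAL|NONE ends up with both flags recorded; whether the layer selection later in the function tolerates that, or a zero value, is outside this hunk. Note that the added checks only reject a client asking for more protection than gensec offers, not a client choosing NEG_NONE when the server wants signing, so if such a minimum-protection policy exists it must be enforced elsewhere. gensec_gssapi_update starts and ends outside the hunk.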