authorAndrew Bartlett <abartlet@samba.org>2005-09-20 21:29:29 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:38:31 -0500
commit65d4da0ff330740788c4386a71526b6ed3e10162 (patch)
treec9e4cdd692637af5128325b32ae9e57b7e839309 /source4/auth
parent9a1ceab6d60549f3c983dd1cf1f9a9ea2ba5dc79 (diff)
r10364: Turn gensec:gssapi on by default, except for a login of the form
-Udomain\\user. This will probably break in a few configurations, so please let me know. I'll also work to have a way to inhibit kerberos/ntlmssp, as this removes -k. Andrew Bartlett (This used to be commit 3c0dc570b86e79aea5446d7c3bb9750a11bf8ca4)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/gensec/gensec_gssapi.c46
-rw-r--r--source4/auth/kerberos/kerberos_util.c2
2 files changed, 24 insertions, 24 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index c462cf0ecd..4e1d1e3015 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -250,6 +250,28 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gensec_gssapi_state = gensec_security->private_data;
+ ret = cli_credentials_get_ccache(creds,
+ &ccache);
+ if (ret) {
+ DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ name_token.value = cli_credentials_get_principal(creds,
+ gensec_gssapi_state);
+ name_token.length = strlen(name_token.value);
+
+ maj_stat = gss_import_name (&min_stat,
+ &name_token,
+ GSS_C_NT_USER_NAME,
+ &gensec_gssapi_state->client_name);
+ if (maj_stat) {
+ DEBUG(2, ("GSS Import name of %s failed: %s\n",
+ (char *)name_token.value,
+ gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
principal = gensec_get_target_principal(gensec_security);
if (principal && lp_client_use_spnego_principal()) {
name_token.value = gensec_get_target_principal(gensec_security);
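Review bot: The block moved to the top of gensec_gssapi_client_start passes the result of `cli_credentials_get_principal()` straight to `strlen(name_token.value)` without a NULL check, which is undefined behaviour if no principal string comes back. The kerberos_util.c hunk in this commit treats a NULL principal string as a reachable case, and with the mechanism now enabled by default this path presumably runs for logins that have no usable principal. Add `if (!name_token.value) return NT_STATUS_INVALID_PARAMETER;` before the `strlen`. The function body starts and ends outside the hunk, so whether `client_name` is released on the later early returns cannot be confirmed from here.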
@@ -274,28 +296,6 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
return NT_STATUS_INVALID_PARAMETER;
}
- ret = cli_credentials_get_ccache(creds,
- &ccache);
- if (ret) {
- DEBUG(1, ("Failed to get CCACHE for gensec_gssapi: %s\n", error_message(ret)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- name_token.value = cli_credentials_get_principal(creds,
- gensec_gssapi_state);
- name_token.length = strlen(name_token.value);
-
- maj_stat = gss_import_name (&min_stat,
- &name_token,
- GSS_C_NT_USER_NAME,
- &gensec_gssapi_state->client_name);
- if (maj_stat) {
- DEBUG(2, ("GSS Import name of %s failed: %s\n",
- (char *)name_token.value,
- gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
- return NT_STATUS_UNSUCCESSFUL;
- }
-
maj_stat = gsskrb5_acquire_cred(&min_stat,
NULL, ccache->ccache,
gensec_gssapi_state->client_name,
@@ -964,7 +964,7 @@ static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
.wrap = gensec_gssapi_wrap,
.unwrap = gensec_gssapi_unwrap,
.have_feature = gensec_gssapi_have_feature,
- .enabled = False
+ .enabled = True
};
NTSTATUS gensec_gssapi_init(void)
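Review bot: The `.enabled = True` initializer has no comment, although it is now a compile-time decision that clients offer this mechanism by default. A reader of the ops table cannot tell where the `-Udomain\\user` exception is applied or how one mechanism can be pinned. Suggest a comment above the field such as `/* on by default; skipped for -Udomain\\user logins, no runtime switch yet */`. Whether a failed gensec_gssapi_client_start falls back to NTLMSSP is decided outside this hunk. That behaviour is worth documenting next to the flag, because a silent fallback changes the authentication strength a caller actually gets.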
diff --git a/source4/auth/kerberos/kerberos_util.c b/source4/auth/kerberos/kerberos_util.c
index 922869af5c..d0bb2f4f52 100644
--- a/source4/auth/kerberos/kerberos_util.c
+++ b/source4/auth/kerberos/kerberos_util.c
@@ -111,7 +111,7 @@ krb5_error_code principal_from_credentials(TALLOC_CTX *parent_ctx,
if (!princ_string) {
talloc_free(mem_ctx);
- return ENOMEM;
+ return EINVAL;
}
ret = krb5_parse_name(smb_krb5_context->krb5_context,
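Review bot: Returning `EINVAL` for `!princ_string` now reports an allocation failure as an invalid argument, because a NULL string can mean either "no principal in the credentials" or "out of memory" (the assignment to `princ_string` is outside the hunk, so this is inferred). The branch also logs nothing, which leaves the caller with a bare errno and no hint about which credential was unusable. Suggest a comment stating which case `EINVAL` is meant to cover, plus a log line such as `DEBUG(1, ("principal_from_credentials: no principal string available\n"));` before the `talloc_free`. The function continues past the end of the hunk.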