authorAndrew Bartlett <abartlet@samba.org>2006-02-21 00:17:52 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:58 -0500
commit08195b0ed5ffdd2373fedcae7b4872284719de6c (patch)
tree05cb87fc4480ece8ea8308ce9dce76f40ed9fc87 /source4/auth
parent9d1954c25d646c46daa38c3f96f4c4029b9bb417 (diff)
r13584: Another try at SPNEGO stuff. I need to write a better testsuite for this.
This tries to ensure that, when we are a client, we cope with mechs (like GSSAPI) that only abort (unknown server) at first run. Andrew Bartlett (This used to be commit cb5d18c6190fa1809478aeb60e352cb93c4214f6)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/gensec/spnego.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 6f38576a3f..32b4ff96be 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -358,6 +358,10 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
}
}
+ /* Having tried any optomisitc token from the client (if we
+ * were the server), if we didn't get anywhere, walk our list
+ * in our preference order */
+
if (!spnego_state->sub_sec_security) {
for (i=0; all_sec && all_sec[i].op; i++) {
nt_status = gensec_subcontext_start(spnego_state,
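Review bot: The new comment misspells "optimistic" as "optomisitc" on its first line; the corrected text would read `/* Having tried any optimistic token from the client (if we were the server), if we didn't get anywhere, walk our list in our preference order */`. The comment is the only addition in this hunk, and the enclosing gensec_spnego_parse_negTokenInit body continues outside it.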
@@ -382,6 +386,25 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
out_mem_ctx,
null_data_blob,
unwrapped_out);
+
+ /* it is likely that a NULL input token will
+ * not be liked by most server mechs, but if
+ * we are in the client, we want the first
+ * update packet to be able to abort the use
+ * of this mech */
+ if (spnego_state->state_position != SPNEGO_SERVER_START) {
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+ /* Pretend we never started it (lets the first run find some incompatible demand) */
+
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n",
+ spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ talloc_free(spnego_state->sub_sec_security);
+ spnego_state->sub_sec_security = NULL;
+ continue;
+ }
+ }
+
break;
}
}
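Review bot: The DEBUG(1) message in the new block says "NEG_TOKEN_INIT failed to parse", but what failed is the sub-mechanism's first update with a NULL input token, not parsing of the negTokenInit, so an operator reading the log will look in the wrong place; a clearer line is `DEBUG(1, ("SPNEGO(%s) rejected at first update, trying next mech: %s\n", spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));`. Because NT_STATUS_INVALID_PARAMETER and NT_STATUS_CANT_ACCESS_DOMAIN_INFO are taken as "mech not usable" and the loop moves on, a genuine misconfiguration in a preferred mech is now silently downgraded to the next mech on the list, and this log line is the only trace of that, which argues for keeping it at level 1 and making it unambiguous. The `continue` also leaves `spnego_state->sub_sec_security` NULL if every mech is rejected; the code after the loop that must handle that case, and the rest of gensec_spnego_parse_negTokenInit, lie outside the hunk, so I cannot confirm it does.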