2 files changed, 46 insertions, 8 deletions

diff --git a/source4/libcli/auth/gensec_gssapi.c b/source4/libcli/auth/gensec_gssapi.c
index c41c3fb2bc..432d59ef24 100644
--- a/source4/libcli/auth/gensec_gssapi.c
+++ b/source4/libcli/auth/gensec_gssapi.c
@@ -36,6 +36,7 @@ struct gensec_gssapi_state {
 	gss_name_t server_name;
 	gss_name_t client_name;
 	int want_flags, got_flags;
+	const gss_OID_desc *gss_oid;
 };
 static int gensec_gssapi_destory(void *ptr) 
 {
@@ -91,6 +92,19 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 		gensec_gssapi_state->want_flags |= GSS_C_CONF_FLAG;
 	}
 
+	if (strcmp(gensec_security->ops->oid, GENSEC_OID_KERBEROS5) == 0) {
+		static const gss_OID_desc gensec_gss_krb5_mechanism_oid_desc =
+			{9, (void *)discard_const_p(char, "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02")};
+
+		gensec_gssapi_state->gss_oid = &gensec_gss_krb5_mechanism_oid_desc;
+	} else if (strcmp(gensec_security->ops->oid, GENSEC_OID_SPNEGO) == 0) {
+		static const gss_OID_desc gensec_gss_spnego_mechanism_oid_desc =
+			{6, (void *)discard_const_p(char, "\x2b\x06\x01\x05\x05\x02")};
+		gensec_gssapi_state->gss_oid = &gensec_gss_spnego_mechanism_oid_desc;
+	} else {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
 	return NT_STATUS_OK;
 }
 
@@ -162,7 +176,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 	OM_uint32 maj_stat, min_stat;
 	OM_uint32 min_stat2;
 	gss_buffer_desc input_token, output_token;
-
+	gss_OID gss_oid_p;
 	input_token.length = in.length;
 	input_token.value = in.data;
 
@@ -173,7 +187,7 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 						GSS_C_NO_CREDENTIAL, 
 						&gensec_gssapi_state->gssapi_context, 
 						gensec_gssapi_state->server_name, 
-						GSS_C_NO_OID, 
+						discard_const_p(gss_OID_desc, gensec_gssapi_state->gss_oid),
 						gensec_gssapi_state->want_flags, 
 						0, 
 						gensec_gssapi_state->input_chan_bindings,
@@ -192,11 +206,12 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 						  &input_token, 
 						  gensec_gssapi_state->input_chan_bindings,
 						  &gensec_gssapi_state->client_name, 
-						  NULL /* mech oid */,
+						  &gss_oid_p,
 						  &output_token, 
 						  &gensec_gssapi_state->got_flags, 
 						  NULL, 
 						  NULL);
+		gensec_gssapi_state->gss_oid = gss_oid_p;
 		break;
 	}
 	default:
@@ -309,8 +324,10 @@ static BOOL gensec_gssapi_have_feature(struct gensec_security *gensec_security,
 	return False;
 }
 
-static const struct gensec_security_ops gensec_gssapi_security_ops = {
-	.name		= "gssapi",
+/* As a server, this could in theory accept any GSSAPI mech */
+static const struct gensec_security_ops gensec_gssapi_krb5_security_ops = {
+	.name		= "gssapi_krb5",
+	.sasl_name	= "GSSAPI",
 	.oid            = GENSEC_OID_KERBEROS5,
 	.client_start   = gensec_gssapi_client_start,
 	.server_start   = gensec_gssapi_server_start,
@@ -321,14 +338,34 @@ static const struct gensec_security_ops gensec_gssapi_security_ops = {
 
 };
 
+static const struct gensec_security_ops gensec_gssapi_spnego_security_ops = {
+	.name		= "gssapi_spnego",
+	.sasl_name	= "GSS-SPNEGO",
+	.oid            = GENSEC_OID_SPNEGO,
+	.client_start   = gensec_gssapi_client_start,
+	.server_start   = gensec_gssapi_server_start,
+	.update 	= gensec_gssapi_update,
+	.wrap           = gensec_gssapi_wrap,
+	.unwrap         = gensec_gssapi_unwrap,
+	.have_feature   = gensec_gssapi_have_feature
+
+};
+
 NTSTATUS gensec_gssapi_init(void)
 {
 	NTSTATUS ret;
 
-	ret = gensec_register(&gensec_gssapi_security_ops);
+	ret = gensec_register(&gensec_gssapi_krb5_security_ops);
+	if (!NT_STATUS_IS_OK(ret)) {
+		DEBUG(0,("Failed to register '%s' gensec backend!\n",
+			gensec_gssapi_krb5_security_ops.name));
+		return ret;
+	}
+
+	ret = gensec_register(&gensec_gssapi_spnego_security_ops);
 	if (!NT_STATUS_IS_OK(ret)) {
 		DEBUG(0,("Failed to register '%s' gensec backend!\n",
-			gensec_gssapi_security_ops.name));
+			gensec_gssapi_spnego_security_ops.name));
 		return ret;
 	}
 
diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c
index e06daf92c1..00c9133067 100644
--- a/source4/param/loadparm.c
+++ b/source4/param/loadparm.c
@@ -3078,7 +3078,8 @@ BOOL lp_load(const char *pszFname, BOOL global_only, BOOL save_defaults,
 		lp_do_parameter(-1, "wins server", "127.0.0.1");
 	}
 
-	lp_do_parameter(-1, "gensec:gssapi", "False");
+	lp_do_parameter(-1, "gensec:gssapi_krb5", "False");
+	lp_do_parameter(-1, "gensec:gssapi_spnego", "False");
 	lp_do_parameter(-1, "gensec:krb5", "False");
 	lp_do_parameter(-1, "gensec:ms_krb5", "False");