-rw-r--r--source3/include/proto.h1
-rw-r--r--source3/libads/sasl.c8
-rw-r--r--source3/libsmb/cliconnect.c5
-rw-r--r--source3/param/loadparm.c11
4 files changed, 19 insertions, 6 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 19c693b252..94196b41d1 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3306,6 +3306,7 @@ bool lp_use_mmap(void);
bool lp_unix_extensions(void);
bool lp_use_spnego(void);
bool lp_client_use_spnego(void);
+bool lp_client_use_spnego_principal(void);
bool lp_hostname_lookups(void);
bool lp_change_notify(const struct share_params *p );
bool lp_kernel_change_notify(const struct share_params *p );
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 653d546ccd..2ba347486a 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -664,10 +664,12 @@ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
the principal name back in the first round of
the SASL bind reply. So we guess based on server
name and realm. --jerry */
- /* Also try best guess when we get the w2k8 ignore
- principal back - gd */
+ /* Also try best guess when we get the w2k8 ignore principal
+ back, or when we are configured to ignore it - gd,
+ abartlet */
- if (!given_principal ||
+ if (!lp_client_use_spnego_principal() ||
+ !given_principal ||
strequal(given_principal, ADS_IGNORE_PRINCIPAL)) {
status = ads_guess_service_principal(ads, &p->string);
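Review bot: The reworded comment above the new `!lp_client_use_spnego_principal()` test says the principal may be ignored by configuration but not why, and the reason is the security-relevant part. Per the existing comment the name comes back in the first round of the SASL bind reply, so it is presumably received before the server has proven its identity, and using it lets the peer influence which service principal the client requests a ticket for. I would state that in the comment, e.g. `/* The server-supplied principal is an unauthenticated hint; unless configured to trust it, derive the name from the server name and realm. */`. The same rationale applies to the matching test in cli_session_setup_spnego in source3/libsmb/cliconnect.c. ads_generate_service_principal starts and ends outside this hunk.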
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 1e11e158f7..c66314891d 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1279,10 +1279,9 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
}
}
- /* If we get a bad principal, try to guess it if
- we have a valid host NetBIOS name.
+ /* We may not be allowed to use the server-supplied SPNEGO principal, or it may not have been supplied to us
*/
- if (strequal(principal, ADS_IGNORE_PRINCIPAL)) {
+ if (!lp_client_use_spnego_principal() || strequal(principal, ADS_IGNORE_PRINCIPAL)) {
TALLOC_FREE(principal);
}
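Review bot: The new comment no longer matches the condition it sits on, and it drops what the removed comment explained. It says the principal "may not have been supplied to us", but the test only covers the configuration switch and the `ADS_IGNORE_PRINCIPAL` placeholder. It also no longer mentions that a discarded principal is replaced by a guess when a valid host NetBIOS name is available. I would write it as `/* Discard the server-supplied SPNEGO principal if we are configured not to use it or the server sent the "ignore" placeholder; a guess based on the host name is tried instead. */`, wrapped to the file's line width. The fallback itself lies outside this hunk, so confirm the wording against the code that follows.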
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 0bc27dca03..05958b47d2 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -338,6 +338,7 @@ struct global {
bool bClientNTLMv2Auth;
bool bClientPlaintextAuth;
bool bClientUseSpnego;
+ bool client_use_spnego_principal;
bool bDebugPrefixTimestamp;
bool bDebugHiresTimestamp;
bool bDebugPid;
@@ -1399,6 +1400,15 @@ static struct parm_struct parm_table[] = {
.flags = FLAG_ADVANCED,
},
{
+ .label = "client use spnego principal",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.client_use_spnego_principal,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
+ {
.label = "username",
.type = P_STRING,
.p_class = P_LOCAL,
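Review bot: Nothing in the loadparm.c changes assigns `client_use_spnego_principal` a default: the diffstat lists 11 changed lines for this file, and all of them are the struct member, this table entry and the `FN_GLOBAL_BOOL` accessor. The effective default therefore depends on how `Globals` is initialised, which is outside these hunks. If it starts zeroed, the option is off and both callers will always guess the principal, which silently changes behaviour for existing clients. Since this switch decides whether a server-supplied name is used for Kerberos, I would set it explicitly in the globals initialisation, e.g. `Globals.client_use_spnego_principal = false;`. I would also add an entry for `client use spnego principal` to the smb.conf documentation, which the four files in this commit do not include.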
@@ -5711,6 +5721,7 @@ FN_GLOBAL_BOOL(lp_use_mmap, &Globals.bUseMmap)
FN_GLOBAL_BOOL(lp_unix_extensions, &Globals.bUnixExtensions)
FN_GLOBAL_BOOL(lp_use_spnego, &Globals.bUseSpnego)
FN_GLOBAL_BOOL(lp_client_use_spnego, &Globals.bClientUseSpnego)
+FN_GLOBAL_BOOL(lp_client_use_spnego_principal, &Globals.client_use_spnego_principal)
FN_GLOBAL_BOOL(lp_hostname_lookups, &Globals.bHostnameLookups)
FN_LOCAL_PARM_BOOL(lp_change_notify, bChangeNotify)
FN_LOCAL_PARM_BOOL(lp_kernel_change_notify, bKernelChangeNotify)