Diffstat (limited to 'source3/libsmb')
-rw-r--r-- | source3/libsmb/cliconnect.c | 38 | ||||
-rw-r--r-- | source3/libsmb/clispnego.c | 19 | ||||
-rw-r--r-- | source3/libsmb/namequery.c | 29 | ||||
-rw-r--r-- | source3/libsmb/trusts_util.c | 2 |
4 files changed, 11 insertions, 77 deletions
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index a4bbf9a6ec..820a904ea4 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -822,36 +822,20 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, free(OIDs[i]); } + DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); if (got_kerberos_mechanism && (principal == NULL)) { - fstring dns_name; - fstring nb_name; - /* - * We didn't get a valid principal in the negTokenInit. Fake - * it, or fall back on NTLM. We prefer to fake it, and hit the - * translate_name cache to get a REAL realm name. - */ - if (!(cli->desthost && translate_name(domain, dns_name, - nb_name) && - asprintf(&principal, "host/%s@%s", cli->desthost, - dns_name))) { - - /* - * It is WRONG to depend on the principal sent in the - * negprot reply, but right now we do it. So for safety - * (don't segfault later) disable Kerberos when no - * principal was sent. -- VL - */ - DEBUG(1, ("Kerberos mech was offered, but no principal was " - "sent, disabling Kerberos\n")); - cli->use_kerberos = False; - } - + * It is WRONG to depend on the principal sent in the negprot + * reply, but right now we do it. So for safety (don't + * segfault later) disable Kerberos when no principal was + * sent. -- VL + */ + DEBUG(1, ("Kerberos mech was offered, but no principal was " + "sent, disabling Kerberos\n")); + cli->use_kerberos = False; } - DEBUG(3,("got principal=%s\n", principal ? principal : "<null>")); - fstrcpy(cli->user_name, user); #ifdef HAVE_KRB5
@@ -888,9 +872,7 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user, ntlmssp: - /* NTLM is sensitive to adding a domain with a UPN */ - return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, - (strchr(user, '@') ? NULL : domain))); + return ADS_ERROR_NT(cli_session_setup_ntlmssp(cli, user, pass, domain)); } /****************************************************************************
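Review bot: After the first hunk the only source for the Kerberos target principal is the string the server placed in its negTokenInit, and a server that offers the Kerberos mech without one now clears `cli->use_kerberos` and presumably falls through to the `ntlmssp:` path. Both outcomes are steered by unauthenticated server input, which the retained comment already calls wrong, and a caller that requires Kerberos has no way to refuse the fallback at this point. I would record that in the comment, e.g. `/* NOTE: principal is an unauthenticated server hint; a peer can force NTLMSSP by omitting it */`, and consider returning an error instead of clearing the flag when the caller asked for Kerberos only. The clispnego.c change in this commit also stops discarding the `ADS_IGNORE_PRINCIPAL` placeholder, so that value now reaches this code as if it were a usable principal. The body of cli_session_setup_spnego begins and ends outside the hunk.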
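Review bot: In the second hunk the `ntlmssp:` call now passes `domain` even when `user` is a UPN, and the removed comment said NTLM is sensitive to exactly that combination. If callers can still supply `user` as `name@realm`, logons against some servers may start failing with an error that does not point back to this call. The new contract should be written above the call, for example `/* callers must pass a bare account name; a UPN together with domain is not handled here */`, or the UPN case should be rejected explicitly before reaching it. The label and call sit at the end of cli_session_setup_spnego, whose body starts outside the hunk.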
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index c45883d890..9432ce81d3 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -52,18 +52,7 @@ DATA_BLOB spnego_gen_negTokenInit(char guid[16], asn1_push_tag(&data, ASN1_CONTEXT(3)); asn1_push_tag(&data, ASN1_SEQUENCE(0)); asn1_push_tag(&data, ASN1_CONTEXT(0)); - - /* - * @todo - * Windows 2008 sends a bogus principal, since this - * is not truly supported in the SPNEGO protocol. - * - * We should do the same, but I'm worried this will break things, - * such as DFS. - * todd.stecher@isilon.com - */ asn1_write_GeneralString(&data,principal); - asn1_pop_tag(&data); asn1_pop_tag(&data); asn1_pop_tag(&data);
@@ -165,14 +154,6 @@ BOOL spnego_parse_negTokenInit(DATA_BLOB blob, asn1_start_tag(&data, ASN1_SEQUENCE(0)); asn1_start_tag(&data, ASN1_CONTEXT(0)); asn1_read_GeneralString(&data,principal); - /* - * Windows 2008 sends a bogus principal, since this - * is not truly supported in the SPNEGO protocol. - * todd.stecher@isilon.com - */ - if (strcmp(ADS_IGNORE_PRINCIPAL, *principal) == 0) - SAFE_FREE(*principal); - asn1_end_tag(&data); asn1_end_tag(&data); asn1_end_tag(&data);
diff --git a/source3/libsmb/namequery.c b/source3/libsmb/namequery.c
index 4a7ae0c2e5..49e3375f50 100644
--- a/source3/libsmb/namequery.c
+++ b/source3/libsmb/namequery.c
@@ -1714,32 +1714,3 @@ NTSTATUS get_kdc_list( const char *realm, const char *sitename, struct ip_servic return NT_STATUS_OK; } - - -BOOL translate_name(const char *realm, fstring dns_domain_name, - fstring nb_domain_name) -{ - struct winbindd_request request; - struct winbindd_response response; - NSS_STATUS wb_result; - - /* Call winbindd */ - - ZERO_STRUCT(request); - ZERO_STRUCT(response); - - fstrcpy(request.domain_name, realm); - wb_result = winbindd_request_response(WINBINDD_DOMAIN_INFO, - &request, &response); - - if (wb_result != NSS_STATUS_SUCCESS) { - DEBUG(0, ("Failed to translate %s\n", realm)); - return False; - } - - fstrcpy(dns_domain_name, response.data.domain_info.alt_name); - fstrcpy(nb_domain_name, response.data.domain_info.name); - - return True; - -}
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 4a231dcd15..0922f9f41e 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -40,7 +40,7 @@ static NTSTATUS just_change_the_password(struct rpc_pipe_client *cli, TALLOC_CTX already have valid creds. If not we must set them up. */ if (cli->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) { - uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS; + uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS; result = rpccli_netlogon_setup_creds(cli, cli->cli->desthost, /* server name */ |
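Review bot: In the trusts_util.c hunk `neg_flags` switches from `NETLOGON_NEG_SELECT_AUTH2_FLAGS` to `NETLOGON_NEG_AUTH2_FLAGS` with no comment, and neither macro is defined on this page. If the SELECT variant is the one that adds the schannel bit according to configuration, the credential setup for a machine password change would stop requesting it on this non-schannel path; that needs confirming against the header. A line such as `/* fixed AUTH2 flag set: schannel is not negotiated for the password change, see <reason> */` above the declaration would record the intent. The hunk ends inside the `rpccli_netlogon_setup_creds(...)` call, so whether the negotiated flags are checked afterwards is not visible here.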