Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/credentials/credentials_krb5.c12
-rw-r--r--source4/auth/gensec/gensec_gssapi.c2
-rw-r--r--source4/auth/kerberos/krb5_init_context.c5
-rw-r--r--source4/auth/kerberos/krb5_init_context.h1
-rw-r--r--source4/auth/ntlm/auth_server.c14
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c6
6 files changed, 30 insertions, 10 deletions
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index c4c58398c3..1a2d5faddd 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -392,7 +392,17 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
return ret;
}
- /* transfer the enctypes from the smb_krb5_context to the gssapi layer */
+ /*
+ * transfer the enctypes from the smb_krb5_context to the gssapi layer
+ *
+ * We use 'our' smb_krb5_context to do the AS-REQ and it is possible
+ * to configure the enctypes via the krb5.conf.
+ *
+ * And the gss_init_sec_context() creates it's own krb5_context and
+ * the TGS-REQ had all enctypes in it and only the ones configured
+ * and used for the AS-REQ, so it wasn't possible to disable the usage
+ * of AES keys.
+ */
min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context,
&etypes);
if (min_stat == 0) {
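Review bot: The rewritten comment at lines 23–33 is hard to follow: "it's own" should be "its own", and the sentence "the TGS-REQ had all enctypes in it and only the ones configured and used for the AS-REQ" leaves unclear whether "only the ones configured" describes the old behaviour or the intended one. Suggest stating the cause and effect directly, e.g. `* gss_init_sec_context() creates its own krb5_context, so without this transfer the TGS-REQ advertised every enctype rather than only those configured for the AS-REQ, and AES could not be disabled via krb5.conf.` The comment is also the only place that records why the enctype set is copied, so it is worth keeping precise. cli_credentials_get_client_gss_creds starts before this hunk and continues after it.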
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 205d8a0f9b..bb44c75901 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -24,7 +24,6 @@
#include "includes.h"
#include "lib/events/events.h"
#include "system/kerberos.h"
-#include "heimdal/lib/gssapi/gssapi/gssapi.h"
#include "auth/kerberos/kerberos.h"
#include "librpc/gen_ndr/krb5pac.h"
#include "auth/auth.h"
@@ -37,6 +36,7 @@
#include "auth/gensec/gensec_proto.h"
#include "param/param.h"
#include "auth/session_proto.h"
+#include <gssapi/gssapi.h>
enum gensec_gssapi_sasl_state
{
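Review bot: The replacement `#include <gssapi/gssapi.h>` at line 53 lands after all the project headers rather than beside `system/kerberos.h`, where the removed heimdal include sat at line 45; if any of the headers in between (`auth/kerberos/kerberos.h`, `auth/gensec/gensec_proto.h`, …) declare prototypes using gss_* types, they now depend on the system header having been included earlier by something else. Suggest moving the line up next to `#include "system/kerberos.h"`, or confirming that `system/kerberos.h` already provides the gssapi declarations so the ordering is harmless. Switching from the bundled Heimdal header to the installed one also means the two can drift; a one-line comment saying which gssapi implementation this file is expected to build against would help the next reader.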
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index a455fda398..82e42a4560 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -22,13 +22,11 @@
#include "includes.h"
#include "system/kerberos.h"
-#include "heimdal/lib/krb5/krb5_locl.h"
#include "auth/kerberos/kerberos.h"
#include "lib/socket/socket.h"
#include "lib/stream/packet.h"
#include "system/network.h"
#include "lib/events/events.h"
-#include "roken.h"
#include "param/param.h"
#include "libcli/resolve/resolve.h"
@@ -208,6 +206,7 @@ static void smb_krb5_socket_handler(struct event_context *ev, struct fd_event *f
krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
void *data,
krb5_krbhst_info *hi,
+ time_t timeout,
const krb5_data *send_buf,
krb5_data *recv_buf)
{
@@ -298,7 +297,7 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
socket_set_flags(smb_krb5->sock, SOCKET_FLAG_NOCLOSE);
event_add_timed(ev, smb_krb5,
- timeval_current_ofs(context->kdc_timeout, 0),
+ timeval_current_ofs(timeout, 0),
smb_krb5_request_timeout, smb_krb5);
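Review bot: `timeval_current_ofs(timeout, 0)` at line 84 arms the KDC request timer from the new caller-supplied `time_t` with no range check, where the old code read `context->kdc_timeout`, a value the library itself controls. A zero `timeout` expires the request immediately, and a negative one, if `timeval_current_ofs` takes unsigned seconds as it does elsewhere in Samba, becomes a multi-year wait that keeps the socket and the per-request state alive. Suggest validating before the socket is set up, e.g. `if (timeout <= 0) { /* reject or substitute the library default */ }`, and documenting in the header which caller supplies the value. smb_krb5_send_and_recv_func starts at line 73 and continues outside this hunk, so the earliest point for the check is not visible here.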
diff --git a/source4/auth/kerberos/krb5_init_context.h b/source4/auth/kerberos/krb5_init_context.h
index 44771f2aec..815e9a639d 100644
--- a/source4/auth/kerberos/krb5_init_context.h
+++ b/source4/auth/kerberos/krb5_init_context.h
@@ -32,5 +32,6 @@ void smb_krb5_free_context(struct smb_krb5_context *smb_krb5_context);
krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
void *data,
krb5_krbhst_info *hi,
+ time_t timeout,
const krb5_data *send_buf,
krb5_data *recv_buf);
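Review bot: The new `time_t timeout` parameter in the prototype at line 94 has no documentation of its unit or of what zero means; the implementation passes it straight to `timeval_current_ofs(timeout, 0)`, so it is whole seconds. Suggest a comment above the prototype such as `/* timeout: seconds to wait for a KDC reply before the request is abandoned */`, and a note on whether a non-positive value is accepted.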
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
index f154cf0425..bb8773e75e 100644
--- a/source4/auth/ntlm/auth_server.c
+++ b/source4/auth/ntlm/auth_server.c
@@ -70,7 +70,11 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX
io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host);
/* We don't want to get as far as the session setup */
- io.in.credentials = NULL;
+ io.in.credentials = cli_credentials_init_anon(mem_ctx);
+ cli_credentials_set_workstation(io.in.credentials,
+ lp_netbios_name(ctx->auth_ctx->lp_ctx),
+ CRED_SPECIFIED);
+
io.in.service = NULL;
io.in.workgroup = ""; /* only used with SPNEGO, disabled above */
@@ -79,10 +83,10 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX
status = smb_composite_connect(&io, mem_ctx, lp_resolve_context(ctx->auth_ctx->lp_ctx),
ctx->auth_ctx->event_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- *_blob = io.out.tree->session->transport->negotiate.secblob;
- ctx->private_data = talloc_steal(ctx, io.out.tree->session);
- }
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ *_blob = io.out.tree->session->transport->negotiate.secblob;
+ ctx->private_data = talloc_steal(ctx, io.out.tree->session);
return NT_STATUS_OK;
}
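Review bot: `cli_credentials_init_anon(mem_ctx)` at line 105 is handed straight to `cli_credentials_set_workstation()` at line 106 with no NULL check; it is a talloc allocation, so an allocation failure becomes a NULL dereference inside the authentication path instead of a clean status. Add `if (io.in.credentials == NULL) { return NT_STATUS_NO_MEMORY; }` between the two lines. The comment "We don't want to get as far as the session setup" above it now reads stale, since anonymous credentials with a workstation name are being supplied; it should say what those credentials are for. server_get_challenge starts before the first hunk.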
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index dfc5940d99..838596ee98 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -157,6 +157,10 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
/* Ask our caller what challenge they would like in the packet */
cryptkey = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state);
+ if (!cryptkey) {
+ DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
/* Check if we may set the challenge */
if (!gensec_ntlmssp_state->may_set_challenge(gensec_ntlmssp_state)) {
@@ -614,6 +618,8 @@ static const uint8_t *auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_sta
status = auth_get_challenge(gensec_ntlmssp_state->auth_context, &chal);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
+ nt_errstr(status)));
return NULL;
}