From 053ef0f605e8e99bf10e784cf383f954a6940d0a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 28 Apr 2011 17:10:03 +0200
Subject: s4:auth/credentials: S4U2Self should force CRED_MUST_USE_KERBEROS

Otherwise we would not impersonate the desired principal. This still doesn't work for plaintext auth, but should avoid ntlmssp.
metze
---
 source4/auth/credentials/credentials_krb5.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 5883282c25..bfba1679f7 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -813,6 +813,7 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *
 cred->impersonate_principal = talloc_strdup(cred, principal);
 talloc_free(cred->self_service);
 cred->self_service = talloc_strdup(cred, self_service);
+ cli_credentials_set_kerberos_state(cred, CRED_MUST_USE_KERBEROS);
 }
 /*
-- cgit
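Review bot: The added `cli_credentials_set_kerberos_state(cred, CRED_MUST_USE_KERBEROS);` is a one-time state write with no comment, so nothing visible here stops a later caller from resetting the Kerberos state; judging by the commit message, the connection would then fall back to NTLMSSP and would not act as the impersonated principal. A comment above the call would record the intent, e.g. `/* S4U2Self only works over Kerberos; another mechanism would not act as impersonate_principal */`. The call is also unconditional: if callers can pass a NULL `principal` to clear impersonation (not visible in this hunk), guarding it with `if (principal != NULL)` would avoid forcing Kerberos on credentials that no longer impersonate anyone. The function's signature and opening lines are outside the hunk, and the commit message itself notes that the plaintext path is still not covered.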