From 2cfc19f89939353e81bc0c00c3fe084a68bba20f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 10 Jun 2003 03:47:42 +0000 Subject: added an auth flag that indicates if we should be allowed to fallback to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin may think that a join has succeeeded when kerberos is actually broken. (This used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33) --- source3/include/ads.h | 1 + source3/libads/sasl.c | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/source3/include/ads.h b/source3/include/ads.h index 7f7568d8b0..0961c9581c 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -205,6 +205,7 @@ typedef void **ADS_MODLIST; #define ADS_AUTH_NO_BIND 0x02 #define ADS_AUTH_ANON_BIND 0x04 #define ADS_AUTH_SIMPLE_BIND 0x08 +#define ADS_AUTH_ALLOW_NTLMSSP 0x10 /* Kerberos environment variable names */ #define KRB5_ENV_CCNAME "KRB5CCNAME" diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 29d4533a54..598208b17f 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -198,8 +198,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) if (ads_kinit_password(ads) == 0) { status = ads_sasl_spnego_krb5_bind(ads, principal); } - if (ADS_ERR_OK(status)) + /* only fallback to NTLMSSP if allowed */ + if (ADS_ERR_OK(status) || + !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) { return status; + } } #endif -- cgit