From f3b005e7595288096a4fac220709b7af26aa7b62 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sun, 11 Mar 2012 07:04:38 +1100
Subject: s3-auth: Order GENSEC mechs by priority, krb5 before NTLMSSP

Otherwise, really simple clients (such as the current ntlm_auth gss-spnego client)
will not select krb5.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/auth/auth_generic.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'source3/auth/auth_generic.c')

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index f99d390edd..c37672620f 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -292,12 +292,13 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 
 		gensec_init();
 
-		gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
-
+		/* These need to be in priority order, krb5 before NTLMSSP */
 #if defined(HAVE_KRB5)
 		gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
 #endif
 
+		gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
+
 		gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
 							GENSEC_OID_SPNEGO);
 
-- 
cgit