From 2cfc19f89939353e81bc0c00c3fe084a68bba20f Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Tue, 10 Jun 2003 03:47:42 +0000
Subject: added an auth flag that indicates if we should be allowed to fallback
 to NTLMSSP for SASL if krb5 fails. This is important as otherwise the admin
 may think that a join has succeeeded when kerberos is actually broken. (This
 used to be commit 23a6ea385c4aea208adf36f039244bee14f56a33)

---
 source3/libads/sasl.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'source3/libads')

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 29d4533a54..598208b17f 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -198,8 +198,11 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 		if (ads_kinit_password(ads) == 0) {
 			status = ads_sasl_spnego_krb5_bind(ads, principal);
 		}
-		if (ADS_ERR_OK(status))
+		/* only fallback to NTLMSSP if allowed */
+		if (ADS_ERR_OK(status) || 
+		    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
 			return status;
+		}
 	}
 #endif
 
-- 
cgit