From 4ad85bf48e9a48835b081b966e49ddc7160f4567 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vlendec@samba.org>
Date: Fri, 15 Aug 2003 02:57:59 +0000
Subject: Add the gss-spnego kerberos server side to ntml_auth. This uses the
 same ads_verify_ticket routine that smbd uses, so in the current state we
 have to be have the host password in secrets.tdb instead of the keytab. This
 means we have to be an ADS member, but it's a start.

Volker
(This used to be commit dc2d2ad467927affbd1461df75f77f07ddfbc3b1)
---
 source3/libsmb/spnego.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'source3/libsmb/spnego.c')

diff --git a/source3/libsmb/spnego.c b/source3/libsmb/spnego.c
index 0b2dec7ef8..50caf7b4c0 100644
--- a/source3/libsmb/spnego.c
+++ b/source3/libsmb/spnego.c
@@ -140,8 +140,22 @@ static BOOL write_negTokenInit(ASN1_DATA *asn1, negTokenInit_t *token)
 	/* write mechListMIC */
 	if (token->mechListMIC.data) {
 		asn1_push_tag(asn1, ASN1_CONTEXT(3));
+#if 0
+		/* This is what RFC 2478 says ... */
 		asn1_write_OctetString(asn1, token->mechListMIC.data,
 				       token->mechListMIC.length);
+#else
+		/* ... but unfortunately this is what Windows
+		   sends/expects */
+		asn1_push_tag(asn1, ASN1_SEQUENCE(0));
+		asn1_push_tag(asn1, ASN1_CONTEXT(0));
+		asn1_push_tag(asn1, ASN1_GENERAL_STRING);
+		asn1_write(asn1, token->mechListMIC.data,
+			   token->mechListMIC.length);
+		asn1_pop_tag(asn1);
+		asn1_pop_tag(asn1);
+		asn1_pop_tag(asn1);
+#endif		
 		asn1_pop_tag(asn1);
 	}
 
-- 
cgit