From 83a7d9558b5eb686863d44bd7ef00a9e5926edfd Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 15 May 2007 13:42:53 +0000
Subject: r22901: When an AD account has UF_DONT_REQUIRE_PREAUTH set we need to fallback to ntlm in the kerberized PAM_AUTH. Guenther (This used to be commit ef8f0d35040390f4bb49aab24ca4aad90ea47bc1)
---
 source3/nsswitch/winbindd_pam.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'source3/nsswitch')
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index bd2f82fb98..c82ac2b0ba 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -566,6 +566,14 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 http_timestring(ticket_lifetime), (int)ticket_lifetime,
 http_timestring(renewal_until), (int)renewal_until));
 
+ /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+ * in that case fallback to NTLM - gd */
+
+ if ((ticket_lifetime == 0) && (renewal_until == 0)) {
+ result = NT_STATUS_INVALID_LOGON_TYPE;
+ goto failed;
+ }
+
 client_princ = talloc_strdup(state->mem_ctx, global_myname());
 if (client_princ == NULL) {
 result = NT_STATUS_NO_MEMORY;
-- 
cgit
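Review bot: The added branch in winbindd_raw_kerberos_login downgrades the login from Kerberos to NTLM without logging anything, and it detects UF_DONT_REQUIRE_PREAUTH only indirectly, through `(ticket_lifetime == 0) && (renewal_until == 0)`. Any other condition that leaves both values at zero would presumably take the same fallback, so the comment should say why two zero values indicate that account flag. A log line before `goto failed;` would let an administrator see the downgrade and find accounts with pre-authentication disabled, for example `DEBUG(3,("winbindd_raw_kerberos_login: ticket lifetime and renewal time are both 0, falling back to NTLM\n"));`. The function starts and ends outside the hunk, so it is worth confirming that the `failed` label discards whatever credential cache the preceding login step may have created, and that the caller treats NT_STATUS_INVALID_LOGON_TYPE as the fallback signal rather than as a final result.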