From 4dae0e7ec5add0c2000484a7dc6ca6f147e6ecb9 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 25 Feb 2012 14:17:23 +1100
Subject: s3-ntlm_auth: Wrap kerberos token in GSSAPI

While windows will accept this ticket without the wrapping, it is nicer to follow the standard and wrap it up in GSSAPI. This should allow the ntlm_auth gss-spnego-client to talk to the ntlm_auth gss-spengo server. Reported by Christof Schmitt Andrew Bartlett
---
source3/utils/ntlm_auth.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'source3')
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index bbf32f963b..fb38c8e09e 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1940,7 +1940,7 @@ static void manage_client_ntlmssp_targ(struct spnego_data spnego)
 static bool manage_client_krb5_init(struct spnego_data spnego)
 {
 char *principal;
- DATA_BLOB tkt, to_server;
+ DATA_BLOB tkt, tkt_wrapped, to_server;
 DATA_BLOB session_key_krb5 = data_blob_null;
 struct spnego_data reply;
 char *reply_base64;
@@ -2024,8 +2024,12 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
 DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval)));
 return False;
 }
+ }
+ /* wrap that up in a nice GSS-API wrapping */
+ tkt_wrapped = spnego_gen_krb5_wrap(ctx, tkt, TOK_ID_KRB_AP_REQ);
+ data_blob_free(&session_key_krb5);
 ZERO_STRUCT(reply);
@@ -2034,7 +2038,7 @@ static bool manage_client_krb5_init(struct spnego_data spnego)
 reply.negTokenInit.mechTypes = my_mechs;
 reply.negTokenInit.reqFlags = data_blob_null;
 reply.negTokenInit.reqFlagsPadding = 0;
- reply.negTokenInit.mechToken = tkt;
+ reply.negTokenInit.mechToken = tkt_wrapped;
 reply.negTokenInit.mechListMIC = data_blob_null;
 len = spnego_write_data(ctx, &to_server, &reply);
-- cgit
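Review bot: The result of `spnego_gen_krb5_wrap()` in the `@@ -2024,8 +2024,12 @@` hunk is used without a check, so if the wrap fails, the `@@ -2034,7 +2038,7 @@` hunk still assigns whatever came back to `reply.negTokenInit.mechToken` and the negTokenInit is written out anyway. The helper's definition is not on this page; if it can return an empty blob on allocation or ASN.1 encoding failure, add `if (tkt_wrapped.data == NULL) { DEBUG(1, ("Failed to wrap krb5 ticket\n")); return False; }` after the `data_blob_free(&session_key_krb5);` line, so the session key is still released on the failure path. The unwrapped `tkt` blob is no longer handed to the reply, so it is worth confirming that it is released once it has been wrapped. `manage_client_krb5_init` continues outside both hunks, so that may already happen further down.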