From f281d7782451efe4211e6e18435ed367c137ea06 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 17 Sep 2005 09:46:20 +0000
Subject: r10291: The patch optionally (off by default, not available in all cases) allows Samba to use the target principal name supplied in the mechTokenMIC of an SPNEGO negTokenInit. This isn't a great idea for security reasons, but is how Samba3 behaves, and allows kerberos to function more often in some environments. It is only available for CIFS session setups, due to the ordering of the exchange. Andrew Bartlett (This used to be commit f6a645644127ae695a9f7288e0a469f2eb7f3066)
---
 source4/auth/gensec/gensec_gssapi.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
(limited to 'source4/auth/gensec/gensec_gssapi.c')
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 69f219fe07..c462cf0ecd 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -229,8 +229,10 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 krb5_error_code ret;
 NTSTATUS nt_status;
 gss_buffer_desc name_token;
+ gss_OID name_type;
 OM_uint32 maj_stat, min_stat;
 const char *hostname = gensec_get_target_hostname(gensec_security);
+ const char *principal;
 if (!hostname) {
 DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
@@ -248,14 +250,22 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 gensec_gssapi_state = gensec_security->private_data;
- name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s",
- gensec_get_target_service(gensec_security),
- hostname);
- name_token.length = strlen(name_token.value);
+ principal = gensec_get_target_principal(gensec_security);
+ if (principal && lp_client_use_spnego_principal()) {
+ name_token.value = gensec_get_target_principal(gensec_security);
+ name_token.length = strlen(name_token.value);
+ name_type = GSS_C_NULL_OID;
+ } else {
+ name_token.value = talloc_asprintf(gensec_gssapi_state, "%s@%s",
+ gensec_get_target_service(gensec_security),
+ hostname);
+ name_token.length = strlen(name_token.value);
+ name_type = GSS_C_NT_HOSTBASED_SERVICE;
+ }
 maj_stat = gss_import_name (&min_stat, &name_token,
- GSS_C_NT_HOSTBASED_SERVICE,
+ name_type,
 &gensec_gssapi_state->server_name);
 if (maj_stat) {
 DEBUG(2, ("GSS Import name of %s failed: %s\n",
-- cgit
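Review bot: The new `if (principal && lp_client_use_spnego_principal())` branch imports a principal name that, per the commit description, arrives in the peer's unauthenticated SPNEGO negTokenInit, and it does so with `GSS_C_NULL_OID` and no check that the name has anything to do with `hostname`; so whoever can answer on the wire decides which service principal this client requests a ticket for and presents its credentials to, which is the security trade-off the description concedes. Since the option is off by default the minimum I would ask for is that the override be visible in the logs and that the branch reuse the value it already fetched: `DEBUG(3, ("Using SPNEGO-supplied target principal %s instead of %s@%s\n", principal, gensec_get_target_service(gensec_security), hostname));` followed by `name_token.value = discard_const_p(char, principal);` (or an equivalent cast, since `principal` is `const char *` and `name_token.value` is `void *`) rather than calling `gensec_get_target_principal()` a second time. In the else branch the `talloc_asprintf()` result still reaches `strlen()` without a NULL check, which the commit only relocated, but `if (!name_token.value) { return NT_STATUS_NO_MEMORY; }` before the `strlen()` would be the natural addition while the lines are being rewritten. gensec_gssapi_client_start continues beyond the end of this hunk.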