From 718dd6dda6331b27b8f4fc89b891c27124c7821e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 28 Sep 2005 04:50:02 +0000
Subject: r10565: Try to make Kerberos authentication a bit more friendly. This disables it for 'localhost' as well as for any host our KDC does not recognise. Andrew Bartlett (This used to be commit 49c6c36763aae23880a20a8ee50c00e8935d8548)
---
 source4/auth/gensec/gensec_krb5.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'source4/auth/gensec/gensec_krb5.c')
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 07e92f063f..71974790b1 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -172,7 +172,10 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 DEBUG(2, ("Cannot do krb5 to an IP address"));
 return NT_STATUS_INVALID_PARAMETER;
 }
-
+ if (strequal(hostname, "localhost")) {
+ DEBUG(2, ("krb5 to 'localhost' does not make sense"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
 nt_status = gensec_krb5_start(gensec_security);
 if (!NT_STATUS_IS_OK(nt_status)) {
@@ -235,7 +238,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
 case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
 DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n", hostname, smb_get_krb5_error_message(gensec_krb5_state->smb_krb5_context->krb5_context, ret, gensec_krb5_state)));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
 case KRB5KDC_ERR_PREAUTH_FAILED:
 case KRB5KRB_AP_ERR_TKT_EXPIRED:
 case KRB5_CC_END:
-- cgit
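Review bot: The added `DEBUG(2, ...)` message for the localhost case has no trailing newline, so the one record that Kerberos was skipped runs into the next log line; write `DEBUG(2, ("krb5 to 'localhost' does not make sense\n"));` (the "Cannot do krb5 to an IP address" context line above it has the same gap, while the DEBUG in the second hunk does end in `\n`). The check also matches only the exact name `localhost`, so other loopback spellings would still go to the KDC and, with the second hunk, presumably end in the same NT_STATUS_INVALID_PARAMETER return. Going by the comment in the second hunk, that status makes SPNEGO skip this mechanism rather than fail, which deserves a comment at this return too, e.g. `/* INVALID_PARAMETER: SPNEGO skips krb5 and tries its next mechanism */`. gensec_krb5_client_start begins and ends outside the hunk.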
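Review bot: Returning NT_STATUS_INVALID_PARAMETER for KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN turns a KDC error into a silent mechanism fallback, and the only trace of it is a level-3 debug line. Going by the added comment, SPNEGO then ignores Kerberos and presumably negotiates whatever mechanism comes next, so a client that was expected to authenticate with Kerberos can end up on a weaker one purely on the strength of a KDC error reply, and KRB-ERROR replies are not integrity-protected. I would log the skip at a level operators see by default and spell out the consequence at the return, e.g. `/* SPNEGO will skip krb5 and may fall back to a weaker mechanism; callers that require Kerberos must treat this as a failure */`. Whether a caller can demand Kerberos-only is not visible here; the enclosing switch and function continue outside the hunk.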