From 5f4d86f955d939e96ec9b81c8a9d080aab4354b6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 4 May 2006 10:03:41 +0000 Subject: r15426: Implement SPNEGO as the default RPC authentication mechanism. Where this isn't supported, fallback to NTLM. Also, where we get a failure as 'logon failure', try and do a '3 tries' for the password, like we already do for CIFS. (Incomplete: needs a mapping between RPC errors and the logon failure NTSTATUS). Because we don't yet support Kerberos sign/seal to win2k3 SP1 for DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos isn't demanded. Andrew Bartlett (This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80) --- source4/auth/gensec/gensec_gssapi.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'source4/auth/gensec')
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 4cc067ffde..070e83e97c 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -257,6 +257,15 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 return NT_STATUS_INVALID_PARAMETER;
 }
+ if (((gensec_security->want_features & GENSEC_FEATURE_SIGN)
+ || (gensec_security->want_features & GENSEC_FEATURE_SEAL))
+ && (gensec_security->want_features & GENSEC_FEATURE_DCE_STYLE)
+ && !lp_parm_bool(-1, "gensec_gssapi", "dce_signseal",
+ cli_credentials_get_kerberos_state(creds) == CRED_MUST_USE_KERBEROS)) {
+ DEBUG(2, ("GSSAPI sign/seal disabled for DCE/RPC. "));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
 nt_status = gensec_gssapi_start(gensec_security);
 if (!NT_STATUS_IS_OK(nt_status)) {
 return nt_status;
-- cgit
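Review bot: The new guard in gensec_gssapi_client_start refuses GSSAPI for signed or sealed DCE/RPC unless Kerberos is mandatory, which per the commit message makes SPNEGO settle on NTLM, yet the only trace is a level-2 DEBUG line that names neither the controlling option nor the consequence and, as shown, has no trailing newline. Because this is a security-relevant mechanism downgrade, the message should tell an operator what happened and how to prevent it, for example `DEBUG(1, ("GSSAPI sign/seal disabled for DCE/RPC; set gensec_gssapi:dce_signseal=yes or require Kerberos to keep GSSAPI\n"));`. The refusal also returns the same NT_STATUS_INVALID_PARAMETER as the check just above it, so a caller cannot tell a deliberate policy refusal from a malformed request. A short comment above the `if` should state that the early return exists only because Kerberos sign/seal for DCE/RPC is not yet interoperable and is meant to be removed once it is. The function starts and ends outside the hunk, so where `creds` is obtained and whether it can be NULL here cannot be confirmed from the visible lines.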