From 60f3ef505238aaceb40101d5e839d2e303c9c7bd Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 23 Apr 2006 17:22:32 +0000
Subject: r15181: Don't try kerberos sign/seal when in SSL (This used to be commit 3be3b1130c41e8e372531c137c46f91c5c0acf98)
---
 source4/libcli/ldap/ldap_bind.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'source4/libcli/ldap/ldap_bind.c')
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index cacb0d150e..585bdbb234 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -25,6 +25,7 @@
 #include "includes.h"
 #include "libcli/ldap/ldap.h"
 #include "libcli/ldap/ldap_client.h"
+#include "lib/tls/tls.h"
 #include "auth/auth.h"
 static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn,
@@ -173,7 +174,11 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
 goto failed;
 }
- gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
+ /* require Kerberos SIGN/SEAL only if we don't use SSL
+ * Windows seem not to like double encryption */
+ if (conn->tls == NULL || (! tls_enabled(conn->tls))) {
+ gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
+ }
 status = gensec_set_credentials(conn->gensec, creds);
 if (!NT_STATUS_IS_OK(status)) {
-- cgit
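Review bot: In the second hunk (ldap_bind_sasl), the new `if (conn->tls == NULL || (! tls_enabled(conn->tls)))` branch drops the SIGN/SEAL request whenever TLS is active, so on that path integrity and confidentiality rest entirely on the TLS layer, and nothing visible here ties the Kerberos bind to that channel. Whether `lib/tls` verifies the server certificate cannot be seen from this hunk; if it does not, the TLS path is weaker than the SASL-protected one it replaces. I would record that assumption at the branch, e.g. `/* With TLS we rely on the TLS layer alone for integrity and privacy; this is only as strong as the server certificate verification in lib/tls */`, and keep the Windows interoperability remark as the reason for the exception. The function body starts and ends outside the hunk, so it is not visible whether the negotiated features are checked after the bind completes.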