From 12d4dd28a5de1bafbd982ce0043d73dd5a49c3bf Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 29 Oct 2005 13:13:52 +0000
Subject: r11394: Allow KDC unreachable as another 'forget about gssapi' error
 on SPNEGO.

Andrew Bartlett
(This used to be commit da24074860cb7029ef0ff45105170642174f45c1)
---
 source4/auth/gensec/gensec_gssapi.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'source4')

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 8c0eb23546..d59d19c636 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -430,6 +430,10 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
 	    && (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, 
 		       gensec_gssapi_state->gss_oid->length) == 0)) {
 		switch (min_stat) {
+		case KRB5_KDC_UNREACH:
+			DEBUG(3, ("Cannot reach a KDC we require: %s\n",
+				  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
+			return NT_STATUS_INVALID_PARAMETER; /* Make SPNEGO ignore us, we can't go any further here */
 		case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
 			DEBUG(3, ("Server is not registered with our KDC: %s\n", 
 				  gssapi_error_string(gensec_gssapi_state, maj_stat, min_stat)));
-- 
cgit