From 899f610fb49f78a5c147f263926d6be3f889e328 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 11 Jan 2005 20:20:27 +0000
Subject: r4692: Make the client SPNEGO code bail out in a couple more cases.

Andrew Bartlett
(This used to be commit a062ac122c402fb2cf31eb8e76f4077b1f33b8eb)
---
 source4/libcli/auth/spnego.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'source4')

diff --git a/source4/libcli/auth/spnego.c b/source4/libcli/auth/spnego.c
index 84bd7ce42c..f7221b7458 100644
--- a/source4/libcli/auth/spnego.c
+++ b/source4/libcli/auth/spnego.c
@@ -686,7 +686,10 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
 
 		if (spnego_state->no_response_expected) {
 			if (spnego.negTokenTarg.negResult != SPNEGO_ACCEPT_COMPLETED) {
-				DEBUG(1,("gensec_update ok but not accepted\n"));
+				DEBUG(3,("GENSEC SPNEGO: client GENSEC accepted, but server rejected (bad password?)\n"));
+				nt_status = NT_STATUS_INVALID_PARAMETER;
+			} else if (spnego.negTokenTarg.responseToken.length) {
+				DEBUG(2,("GENSEC SPNEGO: client GENSEC accepted, but server continued negotiation!\n"));
 				nt_status = NT_STATUS_INVALID_PARAMETER;
 			} else {
 				nt_status = NT_STATUS_OK;
-- 
cgit