From: Stefan Metzmacher
Date: Wed, 9 May 2018 11:30:13 +0000 (+0200)
Subject: auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=7f2bebf09cd8056b3f901dd9ff1fc9e9525f3e9d;hp=5ebe3183fded1ab060ed60baeedeac859d0c137e;p=metze%2Fsamba%2Fwip.git

auth/ntlmssp: add ntlmssp_client:ldap_style_send_seal option

This will be used to simulate a Windows client only using NTLMSSP_NEGOTIATE_SIGN without NTLMSSP_NEGOTIATE_SEAL on an LDAP connection, which is indicated internally by GENSEC_FEATURE_LDAP_STYLE.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13427

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
---

diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c index 7dcf23569416..ab406a2c5be9 100644 --- a/auth/ntlmssp/ntlmssp_client.c +++ b/auth/ntlmssp/ntlmssp_client.c @@ -869,13 +869,23 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) * is requested. */ ntlmssp_state->force_wrap_seal = true; - /* - * We want also work against old Samba servers - * which didn't had GENSEC_FEATURE_LDAP_STYLE - * we negotiate SEAL too. We may remove this - * in a few years. As all servers should have - * GENSEC_FEATURE_LDAP_STYLE by then. - */ + } + } + if (ntlmssp_state->force_wrap_seal) { + bool ret; + + /* + * We want also work against old Samba servers + * which didn't had GENSEC_FEATURE_LDAP_STYLE + * we negotiate SEAL too. We may remove this + * in a few years. As all servers should have + * GENSEC_FEATURE_LDAP_STYLE by then. + */ + ret = gensec_setting_bool(gensec_security->settings, + "ntlmssp_client", + "ldap_style_send_seal", + true); + if (ret) { ntlmssp_state->required_flags |= NTLMSSP_NEGOTIATE_SEAL; } }
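
Review bot: the new `ntlmssp_client:ldap_style_send_seal` lookup inside `if (ntlmssp_state->force_wrap_seal)` has no comment of its own; the comment moved above it still only explains why SEAL is negotiated for old Samba servers, not that the setting exists to switch that behaviour off. Please add a sentence there saying the option is meant for simulating a Windows client that sends only NTLMSSP_NEGOTIATE_SIGN, and that with it set to false NTLMSSP_NEGOTIATE_SEAL is no longer added to `required_flags`, so the old-server compatibility the comment describes no longer applies. The default of `true` keeps the previous behaviour, which is worth stating as well. Separately, `ret` holds the setting's value rather than a status code, so a name such as `send_seal` would read more clearly in `if (ret) {`.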