From de553b52f2bacf54b57b56216fbb91f9108026be Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 30 Nov 2011 15:17:05 +0100 Subject: [PATCH] s4:gensec/spnego: only try the mechs that match the client given ones Windows-Members of NT4/Samba3 domains, send MechTypes: 1.3.6.1.4.1.311.2.2.10 [NTLMSSP] 1.2.840.48018.1.2.2 [krb5 broken] 1.2.840.113554.1.2.2 [krb5] MechToken for NTLMSSP. This patch makes sure we start NTLMSSP with the given MechToken, instead of trying to pass the NTLMSSP MechToken to the krb5 backend first. As that would fail the authentication with an error instead of trying fallbacks. metze Autobuild-User: Stefan Metzmacher Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104 --- source4/auth/gensec/spnego.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index fd3caaad87f..fae32d8ade4 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -428,6 +428,10 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_ uint32_t j; for (j=0; mechType && mechType[j]; j++) { for (i=0; all_sec && all_sec[i].op; i++) { + if (strcmp(mechType[j], all_sec[i].oid) != 0) { + continue; + } + nt_status = gensec_subcontext_start(spnego_state, gensec_security, &spnego_state->sub_sec_security); -- 2.34.1
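Review bot: In the inner loop over all_sec in gensec_spnego_parse_negTokenInit, the added `strcmp(mechType[j], all_sec[i].oid)` dereferences `all_sec[i].oid`, while the loop condition only guarantees that `all_sec[i].op` is non-NULL. If any entry can carry a NULL oid, strcmp dereferences NULL while parsing the client's negTokenInit. Either skip such entries explicitly (`if (all_sec[i].oid == NULL) continue;`) or add a comment stating that every all_sec entry has an oid. A short comment above the check naming the case from the commit message (the client lists NTLMSSP first and sends an NTLMSSP MechToken, which must not be passed to the krb5 backend) would also keep the filter from being dropped later as redundant.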