s4:gensec/spnego: only try the mechs that match the client given ones
author Stefan Metzmacher <metze@samba.org>
Wed, 30 Nov 2011 14:17:05 +0000 (15:17 +0100)
committer Stefan Metzmacher <metze@samba.org>
Wed, 30 Nov 2011 16:03:29 +0000 (17:03 +0100)
Windows members of NT4/Samba3 domains send

MechTypes:
1.3.6.1.4.1.311.2.2.10 [NTLMSSP]
1.2.840.48018.1.2.2    [krb5 broken]
1.2.840.113554.1.2.2   [krb5]

MechToken for NTLMSSP.

This patch makes sure we start NTLMSSP with the given MechToken,
instead of trying to pass the NTLMSSP MechToken to the krb5 backend
first, as that would fail the authentication with an error
instead of trying fallbacks.

metze

Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Wed Nov 30 17:03:29 CET 2011 on sn-devel-104

source4/auth/gensec/spnego.c

index fd3caaad87f9a55b392f0f477da838b005678610..fae32d8ade48793583c9f2e9ed55cb5530fe40d0 100644 (file)
@@ -428,6 +428,10 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
                uint32_t j;
                for (j=0; mechType && mechType[j]; j++) {
                        for (i=0; all_sec && all_sec[i].op; i++) {
+                               if (strcmp(mechType[j], all_sec[i].oid) != 0) {
+                                       continue;
+                               }
+
                                nt_status = gensec_subcontext_start(spnego_state,
                                                                    gensec_security,
                                                                    &spnego_state->sub_sec_security);
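
Review bot: The new `strcmp(mechType[j], all_sec[i].oid)` in the inner loop dereferences `all_sec[i].oid`, but the loop condition only tests `all_sec[i].op`, so an entry with `op` set and no `oid` would crash here on a client-supplied negTokenInit. Either confirm that every entry in `all_sec` with a non-NULL `op` also carries a non-NULL `oid`, or skip entries where `oid` is NULL before comparing. A one-line comment above the check saying that each backend is only started for the client OID it matches (so the NTLMSSP MechToken is never handed to the krb5 backend) would also save the next reader from having to look up the commit message.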