s3: Fall back to raw NTLMSSP for the gss-spnego protocol
authorVolker Lendecke <vl@samba.org>
Thu, 16 Sep 2010 08:22:00 +0000 (10:22 +0200)
committerVolker Lendecke <vl@samba.org>
Thu, 16 Sep 2010 19:02:56 +0000 (12:02 -0700)
This is to handle the mod_auth_ntlm_winbind protocol
sending "Negotiate" to IE, which sends raw NTLMSSP
instead of a SPNEGO wrapped NTLMSSP blob.

source3/utils/ntlm_auth.c

index aa3e3846644262c0fbb42c5cae78b8c9f35f60f3..0370b0d64aacdd2865ef1e7cf27d4a9e51de9a3d 100644 (file)
@@ -1274,6 +1274,31 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state,
        }
 
        token = base64_decode_data_blob(buf + 3);
+
+       if ((token.length >= 7)
+           && (strncmp((char *)token.data, "NTLMSSP", 7) == 0)) {
+               char *reply;
+
+               DEBUG(10, ("Could not parse GSS-SPNEGO, trying raw "
+                          "ntlmssp\n"));
+
+               manage_squid_ntlmssp_request_int(state, buf, length,
+                                                talloc_tos(), &reply);
+               if (reply == NULL) {
+                       x_fprintf(x_stdout, "BH Out of memory\n");
+                       return;
+               }
+
+               if (strncmp(reply, "AF ", 3) == 0) {
+                       x_fprintf(x_stdout, "AF * %s\n", reply+3);
+               } else {
+                       x_fprintf(x_stdout, "%s *\n", reply);
+               }
+
+               TALLOC_FREE(reply);
+               return;
+       }
+
        len = spnego_read_data(ctx, token, &request);
        data_blob_free(&token);
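Review bot: Both `return` paths in the new raw-NTLMSSP branch skip the `data_blob_free(&token);` that the SPNEGO path runs right after `spnego_read_data()`, so each request taking the fallback appears to leak the decoded blob, and that blob is client-supplied input handled before authentication has completed. Only the first seven bytes are inspected, so `data_blob_free(&token);` can go immediately after the `strncmp` test inside the branch. Separately, `reply` is declared uninitialized and then compared with NULL; unless `manage_squid_ntlmssp_request_int()` (not visible here) stores to it on every path, it should be `char *reply = NULL;`. The DEBUG text "Could not parse GSS-SPNEGO" is emitted before any SPNEGO parse is attempted, so a message such as `"Got raw NTLMSSP in gss-spnego mode\n"` would be more accurate when reading logs during an investigation. The body of manage_gss_spnego_request begins before this hunk and continues after it.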