s3: Fall back to raw NTLMSSP for the gss-spnego protocol
authorVolker Lendecke <vl@samba.org>
Thu, 16 Sep 2010 08:22:00 +0000 (10:22 +0200)
committerKarolin Seeger <kseeger@samba.org>
Sat, 5 Mar 2011 13:34:42 +0000 (14:34 +0100)
This is to handle the mod_auth_ntlm_winbind protocol
sending "Negotiate" to IE, which sends raw NTLMSSP
instead of a SPNEGO wrapped NTLMSSP blob.
(cherry picked from commit 70ab7eb5303a5ff058939541dd5bc1f81113a48e)

Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7652f2a782559bb0346b0976929b5b5b5377dcbc)

source3/utils/ntlm_auth.c

index 0c2546ed6a2e48f953b2a26715a8cd4d7e549617..835c22741763c8ae7677ac2ea409d75501dba376 100644 (file)
@@ -1245,6 +1245,31 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state,
        }
 
        token = base64_decode_data_blob(buf + 3);
+
+       if ((token.length >= 7)
+           && (strncmp((char *)token.data, "NTLMSSP", 7) == 0)) {
+               char *reply;
+
+               DEBUG(10, ("Could not parse GSS-SPNEGO, trying raw "
+                          "ntlmssp\n"));
+
+               manage_squid_ntlmssp_request_int(state, buf, length,
+                                                talloc_tos(), &reply);
+               if (reply == NULL) {
+                       x_fprintf(x_stdout, "BH Out of memory\n");
+                       return;
+               }
+
+               if (strncmp(reply, "AF ", 3) == 0) {
+                       x_fprintf(x_stdout, "AF * %s\n", reply+3);
+               } else {
+                       x_fprintf(x_stdout, "%s *\n", reply);
+               }
+
+               TALLOC_FREE(reply);
+               return;
+       }
+
        len = spnego_read_data(ctx, token, &request);
        data_blob_free(&token);
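Review bot: The new raw-NTLMSSP branch leaves through both of its `return` statements without releasing `token`, which `base64_decode_data_blob()` allocated just above it; only the SPNEGO path reaches the existing `data_blob_free(&token)`. The branch passes `buf` and `length` rather than `token` to `manage_squid_ntlmssp_request_int()`, so `data_blob_free(&token);` can go in as the first statement inside the `if`, which stops the decoded blob leaking on every raw NTLMSSP request to what is presumably a long-lived helper process. Separately, `char *reply;` is handed to that function uninitialised, and its body is not visible here, so `char *reply = NULL;` would make the following `reply == NULL` check reliable if any path there returns without assigning it. The "BH Out of memory" text is also printed for every NULL reply, which may mislabel other failures. `manage_gss_spnego_request` begins and ends outside this hunk.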