s4-gensec: fixed a GSSAPI SASL negotiation bug
authorAndrew Tridgell <tridge@samba.org>
Thu, 23 Sep 2010 05:20:30 +0000 (22:20 -0700)
committerAndrew Tridgell <tridge@samba.org>
Thu, 23 Sep 2010 07:17:57 +0000 (07:17 +0000)
Fixed a bug that affected mismatched negotiation between the GSSAPI
layer and the SASL SSF subsequent negotiation. This caused some ldap
clients to hang when trying to authenticate with a Samba LDAP
server. The client thought the connection should be signed, the server
thought it should be in plain text

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/auth/gensec/gensec_gssapi.c

index d2f19e961e2135f04418bcc7d582ed4ab8f34df2..a864bca49b19b77d878224948050f03d88c8619c 100644 (file)
@@ -777,25 +777,28 @@ static NTSTATUS gensec_gssapi_update(struct gensec_security *gensec_security,
                /* first byte is the proposed security */
                security_accepted = maxlength_accepted[0];
                maxlength_accepted[0] = '\0';
-               
+
                /* Rest is the proposed max wrap length */
                gensec_gssapi_state->max_wrap_buf_size = MIN(RIVAL(maxlength_accepted, 0), 
                                                             gensec_gssapi_state->max_wrap_buf_size);
 
                gensec_gssapi_state->sasl_protection = 0;
-               if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-                       if (security_accepted & NEG_SEAL) {
-                               gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+               if (security_accepted & NEG_SEAL) {
+                       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+                               DEBUG(1, ("Remote client wanted seal, but gensec refused\n"));
+                               return NT_STATUS_ACCESS_DENIED;
                        }
-               } else if (gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-                       if (security_accepted & NEG_SIGN) {
-                               gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+                       gensec_gssapi_state->sasl_protection |= NEG_SEAL;
+               }
+               if (security_accepted & NEG_SIGN) {
+                       if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+                               DEBUG(1, ("Remote client wanted sign, but gensec refused\n"));
+                               return NT_STATUS_ACCESS_DENIED;
                        }
-               } else if (security_accepted & NEG_NONE) {
+                       gensec_gssapi_state->sasl_protection |= NEG_SIGN;
+               }
+               if (security_accepted & NEG_NONE) {
                        gensec_gssapi_state->sasl_protection |= NEG_NONE;
-               } else {
-                       DEBUG(1, ("Remote client does not support unprotected connections, but we failed to negotiate anything better"));
-                       return NT_STATUS_ACCESS_DENIED;
                }
 
                /* quirk:  This changes the value that gensec_have_feature returns, to be that after SASL negotiation */
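Review bot: The rewritten negotiation no longer rejects a client whose proposed byte matches none of NEG_SEAL, NEG_SIGN or NEG_NONE; the old final `else` returned NT_STATUS_ACCESS_DENIED in that case, while the new code leaves sasl_protection at 0 and falls through to the quirk handling below. A guard after the three checks would keep that behaviour, e.g. `if (gensec_gssapi_state->sasl_protection == 0) { DEBUG(1, ("Remote client proposed no recognised SASL protection level\n")); return NT_STATUS_ACCESS_DENIED; }`. The new code also ORs every proposed bit into sasl_protection, so a client offering several levels at once ends up with more than one flag set; if the code after this hunk expects a single selected level (the SASL GSSAPI exchange has the client pick one layer), a comment stating which flag takes precedence, or a reduction to the strongest accepted level, would make the intent explicit. gensec_gssapi_update starts and continues outside the hunk, so the later use of sasl_protection is not visible here.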