svn commit: samba r13584 - in
branches/SAMBA_4_0/source/auth/gensec: .
abartlet at samba.org
abartlet at samba.org
Tue Feb 21 00:17:53 GMT 2006
Author: abartlet
Date: 2006-02-21 00:17:52 +0000 (Tue, 21 Feb 2006)
New Revision: 13584
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13584
Log:
Another try at SPNEGO stuff. I need to write a better testsuite for this.
This tries to ensure that when we are a client, we cope with mechs
(like GSSAPI) that only abort (unknown server) at first runtime.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/auth/gensec/spnego.c
Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c 2006-02-21 00:07:59 UTC (rev 13583)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c 2006-02-21 00:17:52 UTC (rev 13584)
@@ -358,6 +358,10 @@
}
}
+ /* Having tried any optomisitc token from the client (if we
+ * were the server), if we didn't get anywhere, walk our list
+ * in our preference order */
+
if (!spnego_state->sub_sec_security) {
for (i=0; all_sec && all_sec[i].op; i++) {
nt_status = gensec_subcontext_start(spnego_state,
@@ -382,6 +386,25 @@
out_mem_ctx,
null_data_blob,
unwrapped_out);
+
+ /* it is likely that a NULL input token will
+ * not be liked by most server mechs, but if
+ * we are in the client, we want the first
+ * update packet to be able to abort the use
+ * of this mech */
+ if (spnego_state->state_position != SPNEGO_SERVER_START) {
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+ /* Pretend we never started it (lets the first run find some incompatible demand) */
+
+ DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n",
+ spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+ talloc_free(spnego_state->sub_sec_security);
+ spnego_state->sub_sec_security = NULL;
+ continue;
+ }
+ }
+
break;
}
}
More information about the samba-cvs
mailing list