svn commit: samba r13584 - in branches/SAMBA_4_0/source/auth/gensec: .

abartlet at samba.org abartlet at samba.org
Tue Feb 21 00:17:53 GMT 2006


Author: abartlet
Date: 2006-02-21 00:17:52 +0000 (Tue, 21 Feb 2006)
New Revision: 13584

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13584

Log:
Another try at SPNEGO stuff.  I need to write a better testsuite for this.

This tries to ensure that when we are a client, we cope with mechs
(like GSSAPI) that only abort (unknown server) at first runtime.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/spnego.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/spnego.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/spnego.c	2006-02-21 00:07:59 UTC (rev 13583)
+++ branches/SAMBA_4_0/source/auth/gensec/spnego.c	2006-02-21 00:17:52 UTC (rev 13584)
@@ -358,6 +358,10 @@
 		}
 	}
 	
+	/* Having tried any optomisitc token from the client (if we
+	 * were the server), if we didn't get anywhere, walk our list
+	 * in our preference order */
+	
 	if (!spnego_state->sub_sec_security) {
 		for (i=0; all_sec && all_sec[i].op; i++) {
 			nt_status = gensec_subcontext_start(spnego_state,
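Review bot: The new comment above `if (!spnego_state->sub_sec_security)` misspells "optimistic" as "optomisitc", and the added blank line after it carries a stray tab. The parenthetical "(if we were the server)" also reads as if the fallback loop were server-only, while the second hunk adds client-specific handling inside the same loop. Suggest rewording to say the optimistic token only applies on the server side and that both roles fall through to the preference-ordered walk.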
@@ -382,6 +386,25 @@
 						  out_mem_ctx, 
 						  null_data_blob, 
 						  unwrapped_out);
+
+			/* it is likely that a NULL input token will
+			 * not be liked by most server mechs, but if
+			 * we are in the client, we want the first
+			 * update packet to be able to abort the use
+			 * of this mech */
+			if (spnego_state->state_position != SPNEGO_SERVER_START) {
+				if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) || 
+				    NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
+					/* Pretend we never started it (lets the first run find some incompatible demand) */
+					
+					DEBUG(1, ("SPNEGO(%s) NEG_TOKEN_INIT failed to parse: %s\n", 
+						  spnego_state->sub_sec_security->ops->name, nt_errstr(nt_status)));
+					talloc_free(spnego_state->sub_sec_security);
+					spnego_state->sub_sec_security = NULL;
+					continue;
+				}
+			}
+
 			break;
 		}
 	}
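Review bot: The DEBUG text in the new retry branch says "NEG_TOKEN_INIT failed to parse", but this path is the first update call made with `null_data_blob`, so nothing was parsed. Anyone reading the level 1 log will look for a malformed token from the peer instead of a mech that refused to start. Suggest wording such as "SPNEGO(%s) initial update failed, trying next mech: %s". Two further points on the same block. When every entry in `all_sec` hits the `continue`, the loop exits with `sub_sec_security` set to NULL and `nt_status` holding the last mech's error, so please confirm that the code after the loop checks for that and returns a clear failure instead of dereferencing the pointer. And the comment says "if we are in the client" while the test is `state_position != SPNEGO_SERVER_START`, which also matches any other non-start state. Testing for the client start state directly would match the stated intent. A short comment naming which mech returns `NT_STATUS_INVALID_PARAMETER` and which returns `NT_STATUS_CANT_ACCESS_DOMAIN_INFO` would help the next reader judge whether the list of skippable errors is complete.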


