svn commit: samba r21273 - in branches: SAMBA_3_0/source/libads
SAMBA_3_0_25/source/libads
jerry at samba.org
jerry at samba.org
Sat Feb 10 20:29:10 GMT 2007
Author: jerry
Date: 2007-02-10 20:29:09 +0000 (Sat, 10 Feb 2007)
New Revision: 21273
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21273
Log:
* Protect the sasl bind against a NULL principal string
in the SPNEGO negTokenInit
Modified:
branches/SAMBA_3_0/source/libads/sasl.c
branches/SAMBA_3_0_25/source/libads/sasl.c
Changeset:
Modified: branches/SAMBA_3_0/source/libads/sasl.c
===================================================================
--- branches/SAMBA_3_0/source/libads/sasl.c 2007-02-10 19:44:16 UTC (rev 21272)
+++ branches/SAMBA_3_0/source/libads/sasl.c 2007-02-10 20:29:09 UTC (rev 21273)
@@ -223,7 +223,35 @@
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism) {
+ got_kerberos_mechanism)
+ {
+ /* I've seen a child Windows 2000 domain not send
+ the principal name back in the first round of
+ the SASL bind reply. So we guess based on server
+ name and realm. --jerry */
+ if ( !principal ) {
+ if ( ads->server.realm && ads->server.ldap_server ) {
+ char *server, *server_realm;
+
+ server = SMB_STRDUP( ads->server.ldap_server );
+ server_realm = SMB_STRDUP( ads->server.realm );
+
+ if ( !server || !server_realm )
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ strlower_m( server );
+ strupper_m( server_realm );
+ asprintf( &principal, "ldap/%s@%s", server, server_realm );
+
+ SAFE_FREE( server );
+ SAFE_FREE( server_realm );
+
+ if ( !principal )
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ }
+
status = ads_sasl_spnego_krb5_bind(ads, principal);
if (ADS_ERR_OK(status)) {
SAFE_FREE(principal);
Modified: branches/SAMBA_3_0_25/source/libads/sasl.c
===================================================================
--- branches/SAMBA_3_0_25/source/libads/sasl.c 2007-02-10 19:44:16 UTC (rev 21272)
+++ branches/SAMBA_3_0_25/source/libads/sasl.c 2007-02-10 20:29:09 UTC (rev 21273)
@@ -223,7 +223,35 @@
#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism) {
+ got_kerberos_mechanism)
+ {
+ /* I've seen a child Windows 2000 domain not send
+ the principal name back in the first round of
+ the SASL bind reply. So we guess based on server
+ name and realm. --jerry */
+ if ( !principal ) {
+ if ( ads->server.realm && ads->server.ldap_server ) {
+ char *server, *server_realm;
+
+ server = SMB_STRDUP( ads->server.ldap_server );
+ server_realm = SMB_STRDUP( ads->server.realm );
+
+ if ( !server || !server_realm )
+ return ADS_ERROR(LDAP_NO_MEMORY);
+
+ strlower_m( server );
+ strupper_m( server_realm );
+ asprintf( &principal, "ldap/%s@%s", server, server_realm );
+
+ SAFE_FREE( server );
+ SAFE_FREE( server_realm );
+
+ if ( !principal )
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ }
+
status = ads_sasl_spnego_krb5_bind(ads, principal);
if (ADS_ERR_OK(status)) {
SAFE_FREE(principal);
More information about the samba-cvs
mailing list