svn commit: samba r22901 - in branches: SAMBA_3_0/source/nsswitch SAMBA_3_0_25/source/nsswitch SAMBA_3_0_26/source/nsswitch

gd at samba.org gd at samba.org
Tue May 15 13:42:54 GMT 2007


Author: gd
Date: 2007-05-15 13:42:53 +0000 (Tue, 15 May 2007)
New Revision: 22901

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=22901

Log:
When an AD account has UF_DONT_REQUIRE_PREAUTH set, we need to fall back to NTLM
in the kerberized PAM_AUTH.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c
   branches/SAMBA_3_0_26/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2007-05-15 12:18:17 UTC (rev 22900)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2007-05-15 13:42:53 UTC (rev 22901)
@@ -566,6 +566,14 @@
 		http_timestring(ticket_lifetime), (int)ticket_lifetime, 
 		http_timestring(renewal_until), (int)renewal_until));
 
+	/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+	 * in that case fallback to NTLM - gd */ 
+
+	if ((ticket_lifetime == 0) && (renewal_until == 0)) {
+		result = NT_STATUS_INVALID_LOGON_TYPE;
+		goto failed;
+	}
+
 	client_princ = talloc_strdup(state->mem_ctx, global_myname());
 	if (client_princ == NULL) {
 		result = NT_STATUS_NO_MEMORY;
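Review bot: The added check `if ((ticket_lifetime == 0) && (renewal_until == 0))` infers UF_DONT_REQUIRE_PREAUTH from two zero timestamps, but the comment does not say why zeros imply that flag, and any other cause of zero values would silently take the same path. Per the log message this path leads to an NTLM fallback, which is an authentication downgrade for accounts that already have pre-authentication disabled. It should be logged before the `goto failed`, for example `DEBUG(3, ("ticket lifetime and renewal time are both 0, giving up on krb5 and falling back to NTLM\n"));`, so operators can see which logons were downgraded. I would also extend the comment to state that the zero lifetimes are the only signal used here. The enclosing function, the `failed` label and the caller that reacts to NT_STATUS_INVALID_LOGON_TYPE are all outside the hunk, so the fallback and any cleanup of state acquired earlier cannot be confirmed from here. The same applies to the identical hunks for SAMBA_3_0_25 and SAMBA_3_0_26.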

Modified: branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c	2007-05-15 12:18:17 UTC (rev 22900)
+++ branches/SAMBA_3_0_25/source/nsswitch/winbindd_pam.c	2007-05-15 13:42:53 UTC (rev 22901)
@@ -579,6 +579,14 @@
 		http_timestring(ticket_lifetime), (int)ticket_lifetime, 
 		http_timestring(renewal_until), (int)renewal_until));
 
+	/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+	 * in that case fallback to NTLM - gd */ 
+
+	if ((ticket_lifetime == 0) && (renewal_until == 0)) {
+		result = NT_STATUS_INVALID_LOGON_TYPE;
+		goto failed;
+	}
+
 	client_princ = talloc_strdup(state->mem_ctx, global_myname());
 	if (client_princ == NULL) {
 		result = NT_STATUS_NO_MEMORY;

Modified: branches/SAMBA_3_0_26/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0_26/source/nsswitch/winbindd_pam.c	2007-05-15 12:18:17 UTC (rev 22900)
+++ branches/SAMBA_3_0_26/source/nsswitch/winbindd_pam.c	2007-05-15 13:42:53 UTC (rev 22901)
@@ -594,6 +594,14 @@
 		http_timestring(ticket_lifetime), (int)ticket_lifetime, 
 		http_timestring(renewal_until), (int)renewal_until));
 
+	/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
+	 * in that case fallback to NTLM - gd */ 
+
+	if ((ticket_lifetime == 0) && (renewal_until == 0)) {
+		result = NT_STATUS_INVALID_LOGON_TYPE;
+		goto failed;
+	}
+
 	client_princ = talloc_strdup(state->mem_ctx, global_myname());
 	if (client_princ == NULL) {
 		result = NT_STATUS_NO_MEMORY;


