Supporting only Kerberos as an auth mech ...
Andrew Bartlett
abartlet at samba.org
Thu Sep 5 07:25:49 CEST 2013
On Wed, 2013-09-04 at 22:23 -0700, Richard Sharpe wrote:
> Hi,
>
> After some discussion with someone, I wondered if the following would
> work to ensure that only KRB5 was offered and etc ...
>
> diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> index e15c87e..98e6cc5 100644
> --- a/source3/auth/auth_generic.c
> +++ b/source3/auth/auth_generic.c
> @@ -275,7 +275,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> backends[idx++] = &gensec_gse_krb5_security_ops;
> #endif
>
> - backends[idx++] = gensec_security_by_oid(NULL,
> GENSEC_OID_NTLMSSP);
> + if (!lp_kerberos_only())
> + backends[idx++] = gensec_security_by_oid(NULL,
> GENSEC_OID_NTLMSSP);
>
> backends[idx++] = gensec_security_by_oid(NULL,
> GENSEC_OID_SPNEGO);
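Review bot: the new `if (!lp_kerberos_only())` in auth_generic_prepare() calls an accessor that this diff does not define; only source3/auth/auth_generic.c is touched, so the parameter definition and its smb.conf documentation (default value, and exactly what "Kerberos only" covers) need to be part of the same patch. As written, the check only drops the NTLMSSP entry from this backends[] list, and the documentation should state that scope rather than imply a wider guarantee. The single-statement body of the `if` should also be wrapped in braces so the guarded line is unambiguous.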
No, you would also need to ensure we did not proceed if the user did not
select extended security/spnego, and so we processed raw NTLM. But it
is a good first step for the smbd codebase.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz