Supporting only Kerberos as an auth mech ...
abartlet at samba.org
Thu Sep 5 07:25:49 CEST 2013
On Wed, 2013-09-04 at 22:23 -0700, Richard Sharpe wrote:
> After some discussion with someone, I wondered if the following would
> work to ensure that only KRB5 was offered and etc ...
> diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
> index e15c87e..98e6cc5 100644
> --- a/source3/auth/auth_generic.c
> +++ b/source3/auth/auth_generic.c
> @@ -275,7 +275,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
> backends[idx++] = &gensec_gse_krb5_security_ops;
> - backends[idx++] = gensec_security_by_oid(NULL,
> + if (!lp_kerberos_only())
> + backends[idx++] = gensec_security_by_oid(NULL,
> backends[idx++] = gensec_security_by_oid(NULL,
No, you would also need to ensure we did not proceed if the user did not
select extended security/spnego, and so we processed raw NTLM. But it
is a good first step for the smbd codebase.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
More information about the samba-technical