gss: samba member server returns incorrect error code with some versions of krb5

As per Simo's comments in https://bugzilla.redhat.com/show_bug.cgi?id=1279249
we need Samba to return the correct thing to the client when gss_accept_sec_context
returns a token along with an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11592

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 12 01:44:08 CET 2015 on sn-devel-104

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 33a32c3eda2b0740cb42d06eaadba8037a241244..9c4cce2c2b2ab61e418c9a495523e823efa150de 100644 (file)
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -475,8 +475,17 @@ static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
                                                GSS_C_NO_BUFFER);
                }
 
-               status = NT_STATUS_LOGON_FAILURE;
-               goto done;
+               /*
+                * If we got an output token, make Windows aware of it
+                * by telling it that more processing is needed
+                */
+               if (out_data.length > 0) {
+                       status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+                       /* Fall through to handle the out token */
+               } else {
+                       status = NT_STATUS_LOGON_FAILURE;
+                       goto done;
+               }
        }
 
        /* we may be told to return nothing */