r15181: Don't try kerberos sign/seal when in SSL

author Simo Sorce <idra@samba.org>

Sun, 23 Apr 2006 17:22:32 +0000 (17:22 +0000)

committer Gerald (Jerry) Carter <jerry@samba.org>

Wed, 10 Oct 2007 19:04:13 +0000 (14:04 -0500)
author Simo Sorce <idra@samba.org>
Sun, 23 Apr 2006 17:22:32 +0000 (17:22 +0000)
committer Gerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:04:13 +0000 (14:04 -0500)
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c

index cacb0d150eb05091a6f33daca1721609e76a08d2..585bdbb2343d9bb7a7a64143066ca8e89c735b30 100644 (file)
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -25,6 +25,7 @@
  #include "includes.h"
  #include "libcli/ldap/ldap.h"
  #include "libcli/ldap/ldap_client.h"
+#include "lib/tls/tls.h"
  #include "auth/auth.h"
  
  static struct ldap_message *new_ldap_simple_bind_msg(struct ldap_connection *conn, 
@@ -173,7 +174,11 @@ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *cr
                 goto failed;
         }
  
-       gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
+       /* require Kerberos SIGN/SEAL only if we don't use SSL
+        * Windows seem not to like double encryption */
+       if (conn->tls == NULL || (! tls_enabled(conn->tls))) {
+               gensec_want_feature(conn->gensec, 0 | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
+       }
  
         status = gensec_set_credentials(conn->gensec, creds);
         if (!NT_STATUS_IS_OK(status)) {
author	Simo Sorce <idra@samba.org>
	Sun, 23 Apr 2006 17:22:32 +0000 (17:22 +0000)
committer	Gerald (Jerry) Carter <jerry@samba.org>
	Wed, 10 Oct 2007 19:04:13 +0000 (14:04 -0500)