gensec: Add an option emulating another mode a client building GSSAPI/krb5 manually...
authorAndrew Bartlett <abartlet@samba.org>
Fri, 26 Jun 2015 07:14:13 +0000 (19:14 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 5 Aug 2015 04:39:19 +0000 (06:39 +0200)
This was seen in the wild, with a Huawei Unified Storage System S5500 V3 against the AD DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11425
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/auth/gensec/gensec_krb5.c

index b1ecd18304a5e02c7ab34e77f64a0be71f9efeab..56513c9e5d2c9aa9314f50b78eaa1efbed2db8bc 100644 (file)
@@ -286,8 +286,15 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
        const char *principal;
        const char *hostname;
        krb5_data in_data;
+       krb5_data *in_data_p = NULL;
        struct tevent_context *previous_ev;
 
+       if (lpcfg_parm_bool(gensec_security->settings->lp_ctx,
+                           NULL, "gensec_krb5", "send_authenticator_checksum", true)) {
+               in_data.length = 0;
+               in_data_p = &in_data;
+       }
+       
        gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
 
        principal = gensec_get_target_principal(gensec_security);
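Review bot: The added `lpcfg_parm_bool(..., "gensec_krb5", "send_authenticator_checksum", true)` check has no comment saying what setting the option to false does, and the effect matters for anyone reviewing the authentication path: `in_data_p` then stays NULL and is handed to both request-building calls changed in the later hunks, which presumably produces an AP-REQ whose authenticator carries no checksum. I would put a comment above the `if`, e.g. `/* Interop/testing knob: when false, pass NULL in_data so the authenticator is built without a checksum, emulating hand-built krb5 clients (bug 11425); the default of true keeps the previous behaviour */`. Separately, the block sets only `in_data.length = 0` and leaves the pointer member indeterminate before the struct's address is passed on; adding `in_data.data = NULL;` beside it would avoid handing an uninitialised pointer to the library. The body of gensec_krb5_common_client_creds starts before and continues after this hunk.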
@@ -313,7 +320,6 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
                DEBUG(1, ("gensec_krb5_start: Aquiring initiator credentials failed: %s\n", error_string));
                return NT_STATUS_UNSUCCESSFUL;
        }
-       in_data.length = 0;
        
        /* Do this every time, in case we have weird recursive issues here */
        ret = smb_krb5_context_set_event_ctx(gensec_krb5_state->smb_krb5_context, ev, &previous_ev);
@@ -330,7 +336,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
                                                &gensec_krb5_state->auth_context,
                                                gensec_krb5_state->ap_req_options, 
                                                target_principal,
-                                               &in_data, ccache_container->ccache, 
+                                               in_data_p, ccache_container->ccache, 
                                                &gensec_krb5_state->enc_ticket);
                        krb5_free_principal(gensec_krb5_state->smb_krb5_context->krb5_context, 
                                            target_principal);
@@ -341,7 +347,7 @@ static NTSTATUS gensec_krb5_common_client_creds(struct gensec_security *gensec_s
                                  gensec_krb5_state->ap_req_options,
                                  gensec_get_target_service(gensec_security),
                                  hostname,
-                                 &in_data, ccache_container->ccache, 
+                                 in_data_p, ccache_container->ccache, 
                                  &gensec_krb5_state->enc_ticket);
        }