#include "includes.h"
-#ifdef HAVE_ADS
+#ifdef HAVE_LDAP
/*
perform a LDAP/SASL/SPNEGO/NTLMSSP bind (just how many layers can
uint32 neg_flags;
struct berval cred, *scred;
ADS_STATUS status;
- extern pstring global_myname;
int rc;
+ if (!ads->auth.password) {
+ /* No password, don't segfault below... */
+ return ADS_ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ }
+
neg_flags = NTLMSSP_NEGOTIATE_UNICODE |
NTLMSSP_NEGOTIATE_128 |
NTLMSSP_NEGOTIATE_NTLM;
nthash, 24,
lp_workgroup(),
ads->auth.user_name,
- global_myname,
+ global_myname(),
sess_key, 16,
neg_flags);
}
DEBUG(3,("got principal=%s\n", principal));
+#ifdef HAVE_KRB5
if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
- got_kerberos_mechanism && ads_kinit_password(ads) == 0) {
- return ads_sasl_spnego_krb5_bind(ads, principal);
+ got_kerberos_mechanism) {
+ status = ads_sasl_spnego_krb5_bind(ads, principal);
+ if (ADS_ERR_OK(status))
+ return status;
+ if (ads_kinit_password(ads) == 0) {
+ status = ads_sasl_spnego_krb5_bind(ads, principal);
+ }
+ if (ADS_ERR_OK(status))
+ return status;
}
+#endif
/* lets do NTLMSSP ... this has the big advantage that we don't need
to sync clocks, and we don't rely on special versions of the krb5