#include "auth/credentials/credentials.h"
#include "lib/stream/packet.h"
#include "param/param.h"
+#include "param/loadparm.h"
struct ldap_simple_creds {
const char *dn;
struct ldap_SearchResEntry *search;
int count, i;
bool first = true;
-
+ int wrap_flags = 0;
const char **sasl_names;
uint32_t old_gensec_features;
static const char *supported_sasl_mech_attrs[] = {
gensec_init();
+ if (conn->sockets.active == conn->sockets.tls) {
+ /*
+ * require Kerberos SIGN/SEAL only if we don't use SSL
+ * Windows seem not to like double encryption
+ */
+ wrap_flags = 0;
+ } else if (cli_credentials_is_anonymous(creds)) {
+ /*
+ * anonymous isn't protected
+ */
+ wrap_flags = 0;
+ } else {
+ wrap_flags = lpcfg_client_ldap_sasl_wrapping(lp_ctx);
+ }
+
try_logon_again:
/*
we loop back here on a logon failure, and re-create the
goto failed;
}
- /* require Kerberos SIGN/SEAL only if we don't use SSL
- * Windows seem not to like double encryption */
old_gensec_features = cli_credentials_get_gensec_features(creds);
- if (conn->sockets.active == conn->sockets.tls) {
+ if (wrap_flags == 0) {
cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
}
* context, so we don't tatoo it ) */
cli_credentials_set_gensec_features(creds, old_gensec_features);
+ if (wrap_flags & ADS_AUTH_SASL_SEAL) {
+ gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
+ gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
+ }
+ if (wrap_flags & ADS_AUTH_SASL_SIGN) {
+ gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
+ }
+
/*
* This is an indication for the NTLMSSP backend to
* also encrypt when only GENSEC_FEATURE_SIGN is requested
git.samba.org / samba.git / commitdiff