return NT_STATUS_INVALID_PARAMETER;
}
- /* Having tried any optimistic token from the client (if we
- * were the server), if we didn't get anywhere, walk our list
- * in our preference order */
- unwrapped_in = data_blob_null;
-
- if (!spnego_state->sub_sec_security) {
- for (i=0; all_sec && all_sec[i].op; i++) {
- nt_status = gensec_subcontext_start(spnego_state,
- gensec_security,
- &spnego_state->sub_sec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
- /* select the sub context */
- nt_status = gensec_start_mech_by_ops(spnego_state->sub_sec_security,
- all_sec[i].op);
- if (!NT_STATUS_IS_OK(nt_status)) {
- /*
- * Pretend we never started it.
- */
- gensec_spnego_update_sub_abort(spnego_state);
- continue;
- }
-
- spnego_state->neg_oid = all_sec[i].oid;
-
- /* only get the helping start blob for the first OID */
- nt_status = gensec_update_ev(spnego_state->sub_sec_security,
- out_mem_ctx,
- ev,
- unwrapped_in,
- unwrapped_out);
- if (NT_STATUS_IS_OK(nt_status)) {
- spnego_state->sub_sec_ready = true;
- }
-
- /* it is likely that a NULL input token will
- * not be liked by most server mechs, but if
- * we are in the client, we want the first
- * update packet to be able to abort the use
- * of this mech */
- if (spnego_state->state_position != SPNEGO_SERVER_START) {
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_PARAMETER) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_LOGON_SERVERS) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_TIME_DIFFERENCE_AT_DC) ||
- NT_STATUS_EQUAL(nt_status, NT_STATUS_CANT_ACCESS_DOMAIN_INFO)) {
- const char *next = NULL;
- const char *principal = NULL;
- int dbg_level = DBGLVL_WARNING;
-
- if (all_sec[i+1].op != NULL) {
- next = all_sec[i+1].op->name;
- dbg_level = DBGLVL_NOTICE;
- }
-
- if (gensec_security->target.principal != NULL) {
- principal = gensec_security->target.principal;
- } else if (gensec_security->target.service != NULL &&
- gensec_security->target.hostname != NULL)
- {
- principal = talloc_asprintf(spnego_state->sub_sec_security,
- "%s/%s",
- gensec_security->target.service,
- gensec_security->target.hostname);
- } else {
- principal = gensec_security->target.hostname;
- }
-
- DEBUG(dbg_level, ("SPNEGO(%s) creating NEG_TOKEN_INIT for %s failed (next[%s]): %s\n",
- spnego_state->sub_sec_security->ops->name,
- principal,
- next, nt_errstr(nt_status)));
-
- /*
- * Pretend we never started it.
- */
- gensec_spnego_update_sub_abort(spnego_state);
- continue;
- }
- }
-
- break;
- }
- }
-
if (spnego_state->sub_sec_security) {
/* it is likely that a NULL input token will
* not be liked by most server mechs, but this