auth/gensec: only require GENSEC_FEATURE_SIGN for DCERPC_AUTH_LEVEL_INTEGRITY as...

On the server this check is deferred to the first request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 1e616277dad41c9d1c9f28af1974a05061b779b1..89a7a9b1ea5ef8e3b70dfbfb437c21afb90f3c7a 100644 (file)
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -742,7 +742,9 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
        gensec_want_feature(gensec_security, GENSEC_FEATURE_DCE_STYLE);
        gensec_want_feature(gensec_security, GENSEC_FEATURE_ASYNC_REPLIES);
        if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
-               gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
+               if (gensec_security->gensec_role == GENSEC_CLIENT) {
+                       gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
+               }
        } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
                gensec_want_feature(gensec_security, GENSEC_FEATURE_SIGN);
                gensec_want_feature(gensec_security, GENSEC_FEATURE_SEAL);