s3-auth: Use the gensec-supplied DNS domain name and hostname.
[nivanova/samba-autobuild/.git] / auth / gensec / gensec_start.c
index 08b2fb68cb14b01e64e6a81c5480a3ea8acdba05..d3145ec581d2a5c2755955bf591d31d3792e922e 100644 (file)
@@ -50,7 +50,22 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
 /* Sometimes we want to force only kerberos, sometimes we want to
  * force it's avoidance.  The old list could be either
  * gensec_security_all(), or from cli_credentials_gensec_list() (ie,
- * an existing list we have trimmed down) */
+ * an existing list we have trimmed down)
+ *
+ * The intended logic is:
+ *
+ * if we are in the default AUTO have kerberos:
+ * - take a reference to the master list
+ * otherwise
+ * - always add spnego then:
+ * - if we 'MUST' have kerberos:
+ *   only add kerberos mechs
+ * - if we 'DONT' want kerberos':
+ *   only add non-kerberos mechs
+ *
+ * Once we get things like NegoEx or moonshot, this will of course get
+ * more compplex.
+ */
 
 _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
                                                       struct gensec_security_ops **old_gensec_list,
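Review bot: The new policy comment is hard to read in the places that matter for mechanism selection. "if we are in the default AUTO have kerberos:" does not parse, and would be clearer as `* if use_kerberos is the default (CRED_AUTO_USE_KERBEROS):`. The line `* - if we 'DONT' want kerberos':` carries a stray trailing quote, and "compplex" should be `more complex.`. It would also help to state in the comment that SPNEGO is kept in every non-AUTO case on purpose, since that is the rule the loop below relies on.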
@@ -83,14 +98,18 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
        j = 0;
        for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
                int oid_idx;
-
+               bool found_spnego = false;
                for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
                        if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
                                new_gensec_list[j] = old_gensec_list[i];
                                j++;
+                               found_spnego = true;
                                break;
                        }
                }
+               if (found_spnego) {
+                       continue;
+               }
                switch (use_kerberos) {
                case CRED_DONT_USE_KERBEROS:
                        if (old_gensec_list[i]->kerberos == false) {
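Review bot: The added `if (found_spnego) { continue; }` has no comment explaining why a SPNEGO entry must skip the `use_kerberos` switch. I would add `/* SPNEGO is always kept and was stored above; skip the kerberos filter so it is not added a second time */` above the check. The allocation of `new_gensec_list` is outside this hunk, so it cannot be confirmed here that `j` stays within the list; a short note beside the `new_gensec_list[j]` store that each old entry is copied at most once would make that invariant explicit. Because SPNEGO bypasses the filter, the MUST/DONT policy holds only if SPNEGO's own sub-mechanism selection applies the same restriction. That is presumably the case, but it is not visible in these lines. The function body starts before and continues past this hunk.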