From 7a73e56dfa2ca8569ffdda0b9738516081889523 Mon Sep 17 00:00:00 2001 |
From: Stefan Metzmacher <metze@samba.org> |
Date: Fri, 8 Apr 2016 10:05:38 +0200 |
Subject: [PATCH] s3:libads: sasl wrapped LDAP connections against with |
kerberos and arcfour-hmac-md5 |
|
This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9 |
(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos) |
that prevents things like 'net ads join' from working against a Windows 2003 domain. |
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804 |
|
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
--- |
source3/libads/sasl.c | 8 +++++++- |
1 file changed, 7 insertions(+), 1 deletion(-) |
|
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c |
index 4fcd733..22aa9cf 100644 |
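--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
 
 ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
-ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
+/*
+ * Note that we have to truncate this to 0x2C
+ * (taken from a capture with LDAP unbind), as the
+ * signature size is not constant for Kerberos with
+ * arcfour-hmac-md5.
+ */
+ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
 ads->ldap.in.max_wrapped = max_wrapped;
 status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
 if (!ADS_ERR_OK(status)) {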
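Review bot: The clamp on `ads->ldap.in.min_wrapped` is unconditional, so the 0x2C floor applies to every mechanism and encryption type that reaches this gensec bind, not only Kerberos with arcfour-hmac-md5 as the comment describes. `in.min_wrapped` reads as the lower bound for accepting an incoming wrapped packet, so lowering it presumably lets shorter packets through to the unwrap callback in `ads_sasl_gensec_ops`. That callback then has to be the place that rejects a buffer shorter than the real signature; it is outside this hunk, so this is worth confirming. I would state this in the comment, e.g. `* This only relaxes the pre-check on incoming packets; unwrap must still reject anything shorter than the actual signature.`, and give 0x2C a named constant rather than a bare literal taken from one capture. The enclosing function starts and ends outside the hunk.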
-- |
1.9.1 |
|