| 1 |
From 7a73e56dfa2ca8569ffdda0b9738516081889523 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Stefan Metzmacher <metze@samba.org> |
| 3 |
Date: Fri, 8 Apr 2016 10:05:38 +0200 |
| 4 |
Subject: [PATCH] s3:libads: sasl wrapped LDAP connections against with |
| 5 |
kerberos and arcfour-hmac-md5 |
| 6 |
|
| 7 |
This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9 |
| 8 |
(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos) |
| 9 |
that prevents things like 'net ads join' from working against a Windows 2003 domain. |
| 10 |
|
| 11 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804 |
| 12 |
|
| 13 |
Signed-off-by: Stefan Metzmacher <metze@samba.org> |
| 14 |
--- |
| 15 |
source3/libads/sasl.c | 8 +++++++- |
| 16 |
1 file changed, 7 insertions(+), 1 deletion(-) |
| 17 |
|
| 18 |
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c |
| 19 |
index 4fcd733..22aa9cf 100644 |
| 20 |
--- a/source3/libads/sasl.c |
| 21 |
+++ b/source3/libads/sasl.c |
| 22 |
@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, |
| 23 |
ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security); |
| 24 |
|
| 25 |
ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped; |
| 26 |
- ads->ldap.in.min_wrapped = ads->ldap.out.sig_size; |
| 27 |
+ /* |
| 28 |
+ * Note that we have to truncate this to 0x2C |
| 29 |
+ * (taken from a capture with LDAP unbind), as the |
| 30 |
+ * signature size is not constant for Kerberos with |
| 31 |
+ * arcfour-hmac-md5. |
| 32 |
+ */ |
| 33 |
+ ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C); |
| 34 |
ads->ldap.in.max_wrapped = max_wrapped; |
| 35 |
status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); |
| 36 |
if (!ADS_ERR_OK(status)) { |
| 37 |
-- |
| 38 |
1.9.1 |
| 39 |
|
Parent Directory
| 
Revision Log
| 
Revision Graph
