From: Stefan Metzmacher Date: Fri, 8 Apr 2016 08:05:38 +0000 (+0200) Subject: s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5 X-Git-Tag: samba-4.2.11~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=96331b20e36350056ffb9f52570c3ec7558e4c77;p=thirdparty%2Fsamba.git s3:libads: sasl wrapped LDAP connections against with kerberos and arcfour-hmac-md5 This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9 (s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos) that prevents things like 'net ads join' from working against a Windows 2003 domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804 Signed-off-by: Stefan Metzmacher Reviewed-by: Günther Deschner --- diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 4fcd733681b..22aa9cf4bb7 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security); ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped; - ads->ldap.in.min_wrapped = ads->ldap.out.sig_size; + /* + * Note that we have to truncate this to 0x2C + * (taken from a capture with LDAP unbind), as the + * signature size is not constant for Kerberos with + * arcfour-hmac-md5. + */ + ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C); ads->ldap.in.max_wrapped = max_wrapped; status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security); if (!ADS_ERR_OK(status)) {
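Review bot: In the line `ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);` the 0x2C cap is applied unconditionally. It therefore lowers the minimum accepted size of an incoming wrapped packet for every mechanism and encryption type whose `sig_size` exceeds 0x2C, not only for Kerberos with arcfour-hmac-md5 as the comment describes. If that is intended, the comment should say so and state that the gensec unwrap step remains the check that rejects short or malformed input. Otherwise the cap should be limited to the case that needs it. The comment also says "truncate" where the code takes a minimum, and 0x2C is a bare magic number justified only by "a capture with LDAP unbind". A named constant, with a note on which signature layout produces 0x2C bytes, would let a later reader verify the value instead of trusting the capture.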