From c24c328a9e006473f4dba49fdf1842fb28952ec7 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 24 Jan 2005 20:21:15 +0000
Subject: [PATCH] r4970: Fix for bug 2092, allowing fallback after kerberos and
 allow gnome vfs to prevent auto-anonymous logon. Jeremy. (This used to be
 commit 843e85bcd978d025964c4d45d9a3886c7cf7f63c)

---
 source3/include/client.h       |  1 +
 source3/include/libsmbclient.h |  6 ++++++
 source3/libsmb/cliconnect.c    |  8 ++++++--
 source3/libsmb/libsmbclient.c  | 12 ++++++++++--
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/source3/include/client.h b/source3/include/client.h
index c182544362f..8ae8faf90dc 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -144,6 +144,7 @@ struct cli_state {
 	uint16 max_recv_frag;
 
 	BOOL use_kerberos;
+	BOOL fallback_after_kerberos;
 	BOOL use_spnego;
 
 	BOOL use_oplocks; /* should we use oplocks? */
diff --git a/source3/include/libsmbclient.h b/source3/include/libsmbclient.h
index aaa19cb191b..efb04285a7f 100644
--- a/source3/include/libsmbclient.h
+++ b/source3/include/libsmbclient.h
@@ -455,9 +455,15 @@ struct _SMBCCTX {
 	 * do _NOT_ touch this from your program !
 	 */
 	struct smbc_internal_data * internal;
+
+	int flags;
 	
 };
 
+/* Flags for SMBCCTX->flags */
+#define SMB_CTX_FLAG_USE_KERBEROS (1 << 0)
+#define SMB_CTX_FLAG_FALLBACK_AFTER_KERBEROS (1 << 1)
+#define SMBCCTX_FLAG_NO_AUTO_ANONYMOUS_LOGON (1 << 2) /* don't try to do automatic anon login */
 
 /**@ingroup misc
  * Create a new SBMCCTX (a context).
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 659e1242922..bffe9dfe8a0 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -757,13 +757,17 @@ ADS_STATUS cli_session_setup_spnego(struct cli_state *cli, const char *user,
 			if (ret){
 				SAFE_FREE(principal);
 				DEBUG(0, ("Kinit failed: %s\n", error_message(ret)));
+				if (cli->fallback_after_kerberos)
+					goto ntlmssp;
 				return ADS_ERROR_KRB5(ret);
 			}
 		}
 		
 		rc = cli_session_setup_kerberos(cli, principal, domain);
-		SAFE_FREE(principal);
-		return rc;
+		if (ADS_ERR_OK(rc) || !cli->fallback_after_kerberos) {
+			SAFE_FREE(principal);
+			return rc;
+		}
 	}
 #endif
 
diff --git a/source3/libsmb/libsmbclient.c b/source3/libsmb/libsmbclient.c
index df9c4ddcadc..8eeadc8a783 100644
--- a/source3/libsmb/libsmbclient.c
+++ b/source3/libsmb/libsmbclient.c
@@ -584,6 +584,13 @@ SMBCSRV *smbc_server(SMBCCTX *context,
 		return NULL;
 	}
 
+	if (context->flags & SMB_CTX_FLAG_USE_KERBEROS) {
+		c.use_kerberos = True;
+	}
+	if (context->flags & SMB_CTX_FLAG_FALLBACK_AFTER_KERBEROS) {
+		c.fallback_after_kerberos = True;
+	}
+
 	c.timeout = context->timeout;
 
         /* Force use of port 139 for first try, so browse lists can work */
@@ -648,8 +655,9 @@ SMBCSRV *smbc_server(SMBCCTX *context,
 			       password, strlen(password),
 			       password, strlen(password),
 			       workgroup) &&
-	    /* try an anonymous login if it failed */
-	    !cli_session_setup(&c, "", "", 1,"", 0, workgroup)) {
+			/* Try an anonymous login if it failed and this was allowed by flags. */
+			((context->flags & SMBCCTX_FLAG_NO_AUTO_ANONYMOUS_LOGON) ||
+			!cli_session_setup(&c, "", "", 1,"", 0, workgroup))) {
 		cli_shutdown(&c);
 		errno = EPERM;
 		return NULL;
-- 
2.11.4.GIT