From 7a73e56dfa2ca8569ffdda0b9738516081889523 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Apr 2016 10:05:38 +0200
Subject: [PATCH] s3:libads: sasl wrapped LDAP connections against with
 kerberos and arcfour-hmac-md5

This fixes a regression in commit 2cb07ba50decdfd6d08271cd2b3d893ff95f5af9
(s3:libads: make use of ads_sasl_spnego_gensec_bind() for GSS-SPNEGO with Kerberos)
that prevents things like 'net ads join' from working against a Windows 2003 domain.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11804

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/libads/sasl.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 4fcd733..22aa9cf 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -312,7 +312,13 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
 		ads->ldap.out.max_unwrapped = gensec_max_input_size(auth_generic_state->gensec_security);
 
 		ads->ldap.out.sig_size = max_wrapped - ads->ldap.out.max_unwrapped;
-		ads->ldap.in.min_wrapped = ads->ldap.out.sig_size;
+		/*
+		 * Note that we have to truncate this to 0x2C
+		 * (taken from a capture with LDAP unbind), as the
+		 * signature size is not constant for Kerberos with
+		 * arcfour-hmac-md5.
+		 */
+		ads->ldap.in.min_wrapped = MIN(ads->ldap.out.sig_size, 0x2C);
 		ads->ldap.in.max_wrapped = max_wrapped;
 		status = ads_setup_sasl_wrapping(ads, &ads_sasl_gensec_ops, auth_generic_state->gensec_security);
 		if (!ADS_ERR_OK(status)) {
-- 
1.9.1