From 8ddf3166d488f36c53f80080f7f17c78831080bc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 12 May 2017 11:05:15 +0200
Subject: auth/spnego: always announce GENSEC_FEATURE_SIGN_PKT_HEADER support.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 auth/gensec/spnego.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'auth')

diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 645c8b2e087..ed7f3d71d68 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -1632,6 +1632,20 @@ static bool gensec_spnego_have_feature(struct gensec_security *gensec_security,
 				       uint32_t feature) 
 {
 	struct spnego_state *spnego_state = (struct spnego_state *)gensec_security->private_data;
+
+	if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		/*
+		 * All mechs with sub (child) mechs need to provide DCERPC
+		 * header signing! This is required because the negotiation
+		 * of header signing is done before the authentication
+		 * is completed.
+		 *
+		 * Currently all our backends support DCERPC with:
+		 * GENSEC_FEATURE_SIGN_PKT_HEADER.
+		 */
+		return true;
+	}
+
 	if (!spnego_state->sub_sec_security) {
 		return false;
 	}
-- 
cgit v1.2.1