From 3e4d135d9076349c3332030f756d68ad60dec987 Mon Sep 17 00:00:00 2001
From: Richard Sharpe <rsharpe@samba.org>
Date: Tue, 10 Nov 2015 20:50:18 -0800
Subject: [PATCH] gss: samba member server returns incorrect error code with
 some versions of krb5

As per Simo's comments in https://bugzilla.redhat.com/show_bug.cgi?id=1279249
we need Samba to return the correct thing to the client when gss_accept_sec_context
returns a token along with an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11592

Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Nov 12 01:44:08 CET 2015 on sn-devel-104

(cherry picked from commit 8936281bcc9bef19ede99146475dd867ed5d3873)
---
 source3/librpc/crypto/gse.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 33a32c3..9c4cce2 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -475,8 +475,17 @@ static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx,
 						GSS_C_NO_BUFFER);
 		}
 
-		status = NT_STATUS_LOGON_FAILURE;
-		goto done;
+		/*
+		 * If we got an output token, make Windows aware of it
+		 * by telling it that more processing is needed
+		 */
+		if (out_data.length > 0) {
+			status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+			/* Fall through to handle the out token */
+		} else {
+			status = NT_STATUS_LOGON_FAILURE;
+			goto done;
+		}
 	}
 
 	/* we may be told to return nothing */
-- 
2.6.0.rc2.230.g3dd15c0