Only reply with the Negotiate set if the gss_accept_sec_context returned data

for the client. Otherwise the client received an Negotiate header and tried to
authenticate using GSSAPI again and again, which is annoying when the user in
question pass the authentication but isn't authorized.

diff --git a/src/mod_auth_kerb.c b/src/mod_auth_kerb.c
index 4b5505d..3b5393f 100644 (file)
--- a/src/mod_auth_kerb.c
+++ b/src/mod_auth_kerb.c
@@ -1285,6 +1285,7 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
                "GSS-API token of length %d bytes will be sent back",
                output_token.length);
      gss_release_buffer(&minor_status2, &output_token);
+     set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
   }
 
   if (GSS_ERROR(major_status)) {
@@ -1327,9 +1328,6 @@ authenticate_user_gss(request_rec *r, kerb_auth_config *conf,
   if (conf->krb_save_credentials && delegated_cred != GSS_C_NO_CREDENTIAL)
      store_gss_creds(r, conf, (char *)output_token.value, delegated_cred);
 
-  if (*negotiate_ret_value)
-     set_kerb_auth_headers(r, conf, 0, 0, *negotiate_ret_value);
-
   gss_release_buffer(&minor_status, &output_token);
 
   ret = OK;