summaryrefslogtreecommitdiffstats
path: root/auth/credentials
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--auth/credentials/credentials.c5
-rw-r--r--auth/credentials/credentials.h1
-rw-r--r--auth/credentials/credentials_secrets.c31
-rw-r--r--auth/credentials/tests/test_creds.c37
4 files changed, 58 insertions, 16 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 20ab858..e563be3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -146,6 +146,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct
return creds->kerberos_state;
}
+_PUBLIC_ enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds)
+{
+ return creds->kerberos_state_obtained;
+}
+
_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
{
return creds->forced_sasl_mech;
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 341c984..16eddcc 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -267,6 +267,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr
const char *cli_credentials_get_self_service(struct cli_credentials *cred);
const char *cli_credentials_get_target_service(struct cli_credentials *cred);
enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
+enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds);
const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8469d6e..906f3ff 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
}
if (secrets_tdb_password_more_recent) {
- enum credentials_use_kerberos use_kerberos =
- CRED_USE_KERBEROS_DISABLED;
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+ enum credentials_use_kerberos use_kerberos =
+ cli_credentials_get_kerberos_state(cred);
+ enum credentials_obtained use_kerberos_obtained =
+ cli_credentials_get_kerberos_state_obtained(cred);
+ bool is_ad = false;
+
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
switch (server_role) {
@@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
FALL_THROUGH;
case ROLE_ACTIVE_DIRECTORY_DC:
case ROLE_IPA_DC:
- use_kerberos = CRED_USE_KERBEROS_DESIRED;
+ is_ad = true;
break;
}
+
+ if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
+ /*
+ * Keep an explicit selection
+ *
+ * For AD domains we also keep
+ * CRED_USE_KERBEROS_DESIRED
+ */
+ } else if (use_kerberos_obtained <= CRED_SMB_CONF) {
+ /*
+ * Disable kerberos by default within
+ * an NT4 domain.
+ */
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SMB_CONF);
+ }
}
- cli_credentials_set_kerberos_state(cred,
- use_kerberos,
- CRED_SPECIFIED);
+
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 2cb2e6d..e79f089 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -227,6 +227,8 @@ static void torture_creds_krb5_state(void **state)
TALLOC_CTX *mem_ctx = *state;
struct cli_credentials *creds = NULL;
struct loadparm_context *lp_ctx = NULL;
+ enum credentials_obtained kerberos_state_obtained;
+ enum credentials_use_kerberos kerberos_state;
bool ok;
lp_ctx = loadparm_init_global(true);
@@ -234,18 +236,27 @@ static void torture_creds_krb5_state(void **state)
creds = cli_credentials_init(mem_ctx);
assert_non_null(creds);
- assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_UNINITIALISED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
ok = cli_credentials_set_conf(creds, lp_ctx);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
ok = cli_credentials_guess(creds, lp_ctx);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE);
assert_non_null(creds->ccache);
@@ -253,15 +264,21 @@ static void torture_creds_krb5_state(void **state)
CRED_USE_KERBEROS_REQUIRED,
CRED_SPECIFIED);
assert_true(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
ok = cli_credentials_set_kerberos_state(creds,
CRED_USE_KERBEROS_DISABLED,
CRED_SMB_CONF);
assert_false(ok);
- assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
- assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+ kerberos_state_obtained =
+ cli_credentials_get_kerberos_state_obtained(creds);
+ kerberos_state = cli_credentials_get_kerberos_state(creds);
+ assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+ assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
}