diff options
Diffstat (limited to 'auth/credentials')
-rw-r--r-- | auth/credentials/credentials.c | 5 | ||||
-rw-r--r-- | auth/credentials/credentials.h | 1 | ||||
-rw-r--r-- | auth/credentials/credentials_secrets.c | 31 | ||||
-rw-r--r-- | auth/credentials/tests/test_creds.c | 37 |
4 files changed, 58 insertions, 16 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 20ab858..e563be3 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -146,6 +146,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct return creds->kerberos_state; } +_PUBLIC_ enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds) +{ + return creds->kerberos_state_obtained; +} + _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds) { return creds->forced_sasl_mech; diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 341c984..16eddcc 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -267,6 +267,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr const char *cli_credentials_get_self_service(struct cli_credentials *cred); const char *cli_credentials_get_target_service(struct cli_credentials *cred); enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); +enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds); const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred); enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds); NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 8469d6e..906f3ff 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c @@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti } if (secrets_tdb_password_more_recent) { - enum credentials_use_kerberos use_kerberos = - CRED_USE_KERBEROS_DISABLED; char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx)); cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); if (strequal(domain, lpcfg_workgroup(lp_ctx))) { + enum credentials_use_kerberos use_kerberos = + cli_credentials_get_kerberos_state(cred); + enum credentials_obtained use_kerberos_obtained = + cli_credentials_get_kerberos_state_obtained(cred); + bool is_ad = false; + cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); switch (server_role) { @@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti FALL_THROUGH; case ROLE_ACTIVE_DIRECTORY_DC: case ROLE_IPA_DC: - use_kerberos = CRED_USE_KERBEROS_DESIRED; + is_ad = true; break; } + + if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) { + /* + * Keep an explicit selection + * + * For AD domains we also keep + * CRED_USE_KERBEROS_DESIRED + */ + } else if (use_kerberos_obtained <= CRED_SMB_CONF) { + /* + * Disable kerberos by default within + * an NT4 domain. + */ + cli_credentials_set_kerberos_state(cred, + CRED_USE_KERBEROS_DISABLED, + CRED_SMB_CONF); + } } - cli_credentials_set_kerberos_state(cred, - use_kerberos, - CRED_SPECIFIED); + cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c index 2cb2e6d..e79f089 100644 --- a/auth/credentials/tests/test_creds.c +++ b/auth/credentials/tests/test_creds.c @@ -227,6 +227,8 @@ static void torture_creds_krb5_state(void **state) TALLOC_CTX *mem_ctx = *state; struct cli_credentials *creds = NULL; struct loadparm_context *lp_ctx = NULL; + enum credentials_obtained kerberos_state_obtained; + enum credentials_use_kerberos kerberos_state; bool ok; lp_ctx = loadparm_init_global(true); @@ -234,18 +236,27 @@ static void torture_creds_krb5_state(void **state) creds = cli_credentials_init(mem_ctx); assert_non_null(creds); - assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_UNINITIALISED); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED); ok = cli_credentials_set_conf(creds, lp_ctx); assert_true(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED); ok = cli_credentials_guess(creds, lp_ctx); assert_true(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED); assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE); assert_non_null(creds->ccache); @@ -253,15 +264,21 @@ static void torture_creds_krb5_state(void **state) CRED_USE_KERBEROS_REQUIRED, CRED_SPECIFIED); assert_true(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED); ok = cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED, CRED_SMB_CONF); assert_false(ok); - assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED); - assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED); + kerberos_state_obtained = + cli_credentials_get_kerberos_state_obtained(creds); + kerberos_state = cli_credentials_get_kerberos_state(creds); + assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED); + assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED); } |