From 31bdcfe4b647c8c783efa32da3c333b5f166a42d Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Thu, 20 Jun 2024 06:07:27 +0200
Subject: Adding upstream version 2:4.20.2+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 auth/credentials/credentials.c         |  5 +++++
 auth/credentials/credentials.h         |  1 +
 auth/credentials/credentials_secrets.c | 31 ++++++++++++++++++++++------
 auth/credentials/tests/test_creds.c    | 37 +++++++++++++++++++++++++---------
 4 files changed, 58 insertions(+), 16 deletions(-)

(limited to 'auth/credentials')

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 20ab858..e563be3 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -146,6 +146,11 @@ _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct
 	return creds->kerberos_state;
 }
 
+_PUBLIC_ enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds)
+{
+	return creds->kerberos_state_obtained;
+}
+
 _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
 {
 	return creds->forced_sasl_mech;
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 341c984..16eddcc 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -267,6 +267,7 @@ const char *cli_credentials_get_impersonate_principal(struct cli_credentials *cr
 const char *cli_credentials_get_self_service(struct cli_credentials *cred);
 const char *cli_credentials_get_target_service(struct cli_credentials *cred);
 enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds);
+enum credentials_obtained cli_credentials_get_kerberos_state_obtained(struct cli_credentials *creds);
 const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *cred);
 enum credentials_krb_forwardable cli_credentials_get_krb_forwardable(struct cli_credentials *creds);
 NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8469d6e..906f3ff 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 	}
 
 	if (secrets_tdb_password_more_recent) {
-		enum credentials_use_kerberos use_kerberos =
-			CRED_USE_KERBEROS_DISABLED;
 		char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 		cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 		cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 		cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 		if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+			enum credentials_use_kerberos use_kerberos =
+				cli_credentials_get_kerberos_state(cred);
+			enum credentials_obtained use_kerberos_obtained =
+				cli_credentials_get_kerberos_state_obtained(cred);
+			bool is_ad = false;
+
 			cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
 
 			switch (server_role) {
@@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 				FALL_THROUGH;
 			case ROLE_ACTIVE_DIRECTORY_DC:
 			case ROLE_IPA_DC:
-				use_kerberos = CRED_USE_KERBEROS_DESIRED;
+				is_ad = true;
 				break;
 			}
+
+			if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
+				/*
+				 * Keep an explicit selection
+				 *
+				 * For AD domains we also keep
+				 * CRED_USE_KERBEROS_DESIRED
+				 */
+			} else if (use_kerberos_obtained <= CRED_SMB_CONF) {
+				/*
+				 * Disable kerberos by default within
+				 * an NT4 domain.
+				 */
+				cli_credentials_set_kerberos_state(cred,
+						CRED_USE_KERBEROS_DISABLED,
+						CRED_SMB_CONF);
+			}
 		}
-		cli_credentials_set_kerberos_state(cred,
-						   use_kerberos,
-						   CRED_SPECIFIED);
+
 		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 		cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 		cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
diff --git a/auth/credentials/tests/test_creds.c b/auth/credentials/tests/test_creds.c
index 2cb2e6d..e79f089 100644
--- a/auth/credentials/tests/test_creds.c
+++ b/auth/credentials/tests/test_creds.c
@@ -227,6 +227,8 @@ static void torture_creds_krb5_state(void **state)
 	TALLOC_CTX *mem_ctx = *state;
 	struct cli_credentials *creds = NULL;
 	struct loadparm_context *lp_ctx = NULL;
+	enum credentials_obtained kerberos_state_obtained;
+	enum credentials_use_kerberos kerberos_state;
 	bool ok;
 
 	lp_ctx = loadparm_init_global(true);
@@ -234,18 +236,27 @@ static void torture_creds_krb5_state(void **state)
 
 	creds = cli_credentials_init(mem_ctx);
 	assert_non_null(creds);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_UNINITIALISED);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_UNINITIALISED);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
 
 	ok = cli_credentials_set_conf(creds, lp_ctx);
 	assert_true(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
 
 	ok = cli_credentials_guess(creds, lp_ctx);
 	assert_true(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SMB_CONF);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_DESIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SMB_CONF);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_DESIRED);
 	assert_int_equal(creds->ccache_obtained, CRED_GUESS_FILE);
 	assert_non_null(creds->ccache);
 
@@ -253,15 +264,21 @@ static void torture_creds_krb5_state(void **state)
 						CRED_USE_KERBEROS_REQUIRED,
 						CRED_SPECIFIED);
 	assert_true(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
 
 	ok = cli_credentials_set_kerberos_state(creds,
 						CRED_USE_KERBEROS_DISABLED,
 						CRED_SMB_CONF);
 	assert_false(ok);
-	assert_int_equal(creds->kerberos_state_obtained, CRED_SPECIFIED);
-	assert_int_equal(creds->kerberos_state, CRED_USE_KERBEROS_REQUIRED);
+	kerberos_state_obtained =
+		cli_credentials_get_kerberos_state_obtained(creds);
+	kerberos_state = cli_credentials_get_kerberos_state(creds);
+	assert_int_equal(kerberos_state_obtained, CRED_SPECIFIED);
+	assert_int_equal(kerberos_state, CRED_USE_KERBEROS_REQUIRED);
 
 }
 
-- 
cgit v1.2.3