cred->winbind_separator = '\\';
+ cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;
+
cred->signing_state = SMB_SIGNING_DEFAULT;
/*
return true;
}
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
return true;
}
}
if (lp_ctx != NULL &&
- cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
+ cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) {
cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE,
&error_string);
}
cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
- cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED);
}
/**
};
enum credentials_use_kerberos {
- CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
- CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
- CRED_MUST_USE_KERBEROS /* Sometimes administrators are paranoid, so always do kerberos */
+ /** Sometimes trying kerberos just does 'bad things', so don't */
+ CRED_USE_KERBEROS_DISABLED = 0,
+ /** Default, we try kerberos if available */
+ CRED_USE_KERBEROS_DESIRED,
+ /** Sometimes administrators are paranoid, so always do kerberos */
+ CRED_USE_KERBEROS_REQUIRED,
};
enum credentials_krb_forwardable {
ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx,
&ccache, error_string);
if (ret) {
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
} else {
DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string));
cred->impersonate_principal = talloc_strdup(cred, principal);
talloc_free(cred->self_service);
cred->self_service = talloc_strdup(cred, self_service);
- cli_credentials_set_kerberos_state(cred, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED);
}
/*
const struct samr_Password *nt_hash = NULL;
int rc;
- if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
+ if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) {
TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER_MIX;
}
}
if (secrets_tdb_password_more_recent) {
- enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
+ enum credentials_use_kerberos use_kerberos =
+ CRED_USE_KERBEROS_DISABLED;
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
FALL_THROUGH;
case ROLE_ACTIVE_DIRECTORY_DC:
- use_kerberos = CRED_AUTO_USE_KERBEROS;
+ use_kerberos = CRED_USE_KERBEROS_DESIRED;
break;
}
}
PyModule_AddObject(m, "CALLBACK_RESULT", PyLong_FromLong(CRED_CALLBACK_RESULT));
PyModule_AddObject(m, "SPECIFIED", PyLong_FromLong(CRED_SPECIFIED));
- PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_AUTO_USE_KERBEROS));
- PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_DONT_USE_KERBEROS));
- PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_MUST_USE_KERBEROS));
+ PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DESIRED));
+ PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DISABLED));
+ PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_REQUIRED));
PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE", PyLong_FromLong(CRED_AUTO_KRB_FORWARDABLE));
PyModule_AddObject(m, "NO_KRB_FORWARDABLE", PyLong_FromLong(CRED_NO_KRB_FORWARDABLE));
const char *passwd_fd = getenv("PASSWD_FD");
const char *passwd_file = getenv("PASSWD_FILE");
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
unsetenv("USER");
unsetenv("PASSWD_FD");
public_headers='credentials.h',
pc_files='samba-credentials.pc',
deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5',
- vnum='0.1.0'
+ vnum='1.0.0'
)
bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
}
switch (use_kerberos) {
- case CRED_AUTO_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DESIRED:
keep = true;
break;
- case CRED_DONT_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DISABLED:
if (old_gensec_list[i]->kerberos == false) {
keep = true;
}
break;
- case CRED_MUST_USE_KERBEROS:
+ case CRED_USE_KERBEROS_REQUIRED:
if (old_gensec_list[i]->kerberos == true) {
keep = true;
}
TALLOC_CTX *mem_ctx)
{
const struct gensec_security_ops * const *backends = gensec_security_all();
- enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+ enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED;
bool keep_schannel = false;
if (gensec_security != NULL) {
if (opt_kerberos) {
cli_credentials_set_kerberos_state(cred,
strcmp(opt_kerberos, "yes")
- ? CRED_MUST_USE_KERBEROS
- : CRED_DONT_USE_KERBEROS);
+ ? CRED_USE_KERBEROS_REQUIRED
+ : CRED_USE_KERBEROS_DISABLED);
}
if (options->runas == NULL && options->runas_file != NULL) {
cli_credentials_set_conf(server_credentials, lp_ctx);
if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
} else {
- cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
}
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
enum credentials_use_kerberos krb5_state;
if (b) {
- krb5_state = CRED_MUST_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_REQUIRED;
} else {
- krb5_state = CRED_DONT_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_DISABLED;
}
cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
return true;
}
krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
switch (krb5_state) {
- case CRED_MUST_USE_KERBEROS:
+ case CRED_USE_KERBEROS_REQUIRED:
if (b) {
- krb5_state = CRED_AUTO_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_DESIRED;
}
break;
- case CRED_AUTO_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DESIRED:
if (!b) {
- krb5_state = CRED_MUST_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_REQUIRED;
}
break;
- case CRED_DONT_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DISABLED:
/* nothing to do */
break;
}
krb5_state = cli_credentials_get_kerberos_state(auth_info->creds);
- if (krb5_state == CRED_AUTO_USE_KERBEROS) {
+ if (krb5_state == CRED_USE_KERBEROS_DESIRED) {
return true;
}
use_spnego_principal = false;
}
- if (krb5_state == CRED_DONT_USE_KERBEROS) {
+ if (krb5_state == CRED_USE_KERBEROS_DISABLED) {
use_spnego_principal = false;
}
{
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
- CRED_MUST_USE_KERBEROS,
+ CRED_USE_KERBEROS_REQUIRED,
p.service, p.hostname,
blob);
if (ADS_ERR_OK(status)) {
if (ADS_ERR_OK(status)) {
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
- CRED_MUST_USE_KERBEROS,
+ CRED_USE_KERBEROS_REQUIRED,
p.service, p.hostname,
blob);
if (!ADS_ERR_OK(status)) {
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
- CRED_DONT_USE_KERBEROS,
+ CRED_USE_KERBEROS_DISABLED,
p.service, p.hostname,
data_blob_null);
done:
if (use_kerberos) {
cli_credentials_set_kerberos_state(cli_creds,
- CRED_MUST_USE_KERBEROS);
+ CRED_USE_KERBEROS_REQUIRED);
}
status = cli_full_connection_creds(&cli, NULL,
if (use_kerberos && fallback_after_kerberos) {
cli_credentials_set_kerberos_state(creds,
- CRED_AUTO_USE_KERBEROS);
+ CRED_USE_KERBEROS_DESIRED);
} else if (use_kerberos) {
cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
+ CRED_USE_KERBEROS_REQUIRED);
} else {
cli_credentials_set_kerberos_state(creds,
- CRED_DONT_USE_KERBEROS);
+ CRED_USE_KERBEROS_DISABLED);
}
if (use_ccache) {
krb5_state = cli_credentials_get_kerberos_state(creds);
- if (krb5_state != CRED_DONT_USE_KERBEROS) {
+ if (krb5_state != CRED_USE_KERBEROS_DISABLED) {
try_kerberos = true;
}
try_kerberos = false;
}
- if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) {
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED && !try_kerberos) {
DEBUG(0, ("Kerberos auth with '%s' (%s\\%s) to access "
"'%s' not possible\n",
user_principal, user_domain, user_account,
if (pass == NULL || strlen(pass) == 0) {
need_kinit = false;
- } else if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ } else if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
need_kinit = try_kerberos;
} else {
need_kinit = try_kerberos;
if (ret != 0) {
int dbglvl = DBGLVL_NOTICE;
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
dbglvl = DBGLVL_ERR;
}
DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n",
user_principal, target_hostname,
error_message(ret)));
- if (krb5_state == CRED_MUST_USE_KERBEROS) {
+ if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
TALLOC_FREE(frame);
return krb5_to_nt_status(ret);
}
/*
* It's not possible to use NTLMSSP with a domain trust account.
*/
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
} else {
/*
* We can't use kerberos against an NT4 domain.
* We should have a mode that also disallows NTLMSSP here,
* as only NETLOGON SCHANNEL is possible.
*/
- cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
}
ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
/*
* We currently can't do kerberos just with an NTHASH.
*/
- cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
goto done;
}
* Force kerberos if this is an active directory domain
*/
cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
+ CRED_USE_KERBEROS_REQUIRED);
} else {
/*
* TODO: we should allow krb5 with the raw nt hash.
*/
cli_credentials_set_kerberos_state(creds,
- CRED_DONT_USE_KERBEROS);
+ CRED_USE_KERBEROS_DISABLED);
}
*_creds = talloc_move(mem_ctx, &creds);
NAME_NT_AUTHORITY, /* domain */
"SYSTEM",
NULL, /* password */
- CRED_DONT_USE_KERBEROS,
+ CRED_USE_KERBEROS_DISABLED,
NULL, /* netlogon_creds_CredentialState */
presult);
}
case DCERPC_AUTH_TYPE_SPNEGO:
switch (pipe_default_auth_spnego_type) {
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- krb5_state = CRED_DONT_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_DISABLED;
break;
case PIPE_AUTH_TYPE_SPNEGO_KRB5:
- krb5_state = CRED_MUST_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_REQUIRED;
break;
case PIPE_AUTH_TYPE_SPNEGO_NONE:
- krb5_state = CRED_AUTO_USE_KERBEROS;
+ krb5_state = CRED_USE_KERBEROS_DESIRED;
break;
}
FALL_THROUGH;
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
- if (krb5_state != CRED_AUTO_USE_KERBEROS) {
+ if (krb5_state != CRED_USE_KERBEROS_DESIRED) {
cli_credentials_set_kerberos_state(creds,
krb5_state);
}
talloc_destroy(mem_ctx);
return -1;
}
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername,
&server_ss, 0,
if (c->opt_kerberos && c->opt_user_specified) {
cli_credentials_set_kerberos_state(creds,
- CRED_AUTO_USE_KERBEROS);
+ CRED_USE_KERBEROS_DESIRED);
} else if (c->opt_kerberos) {
cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
+ CRED_USE_KERBEROS_REQUIRED);
} else {
cli_credentials_set_kerberos_state(creds,
- CRED_DONT_USE_KERBEROS);
+ CRED_USE_KERBEROS_DISABLED);
}
if (c->opt_ccache) {
cli_credentials_set_conf(server_credentials, lp_ctx);
if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
} else {
- cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
}
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
}
cli_credentials_set_conf(creds, lp_ctx);
- cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
if (!ok) {
}
/* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
- cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(session_info->credentials, CRED_USE_KERBEROS_REQUIRED);
/* It has been taken from this place... */
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
/* This credential handle isn't useful for password
* authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
+ CRED_USE_KERBEROS_REQUIRED);
}
#endif
cli_credentials_set_kerberos_state(
popt_get_cmdline_credentials(),
use_kerberos
- ? CRED_MUST_USE_KERBEROS
- : CRED_DONT_USE_KERBEROS);
+ ? CRED_USE_KERBEROS_REQUIRED
+ : CRED_USE_KERBEROS_DISABLED);
break;
}
torture, url!=NULL, ret, fail, "talloc_asprintf failed");
cli_credentials_set_kerberos_state(
- credentials, CRED_MUST_USE_KERBEROS);
+ credentials, CRED_USE_KERBEROS_REQUIRED);
ok = lpcfg_set_option(
torture->lp_ctx, "gensec_gssapi:requested_life_time=4");
use_kerberos = cli_credentials_get_kerberos_state(
popt_get_cmdline_credentials());
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
}
- torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
+ torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
"please use -k yes");
lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4");
torture_assert(torture, s->join_ctx2 != NULL,
"Failed to join domain with acct_flags=ACB_WSTRUST");
- cli_credentials_set_kerberos_state(s->wks_creds1, CRED_DONT_USE_KERBEROS);
- cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(s->wks_creds1, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(s->wks_creds2, CRED_USE_KERBEROS_DISABLED);
for (i=0; i < s->nprocs; i++) {
struct cli_credentials *wks = s->wks_creds1;
krb_state = cli_credentials_get_kerberos_state(
popt_get_cmdline_credentials());
- if (krb_state == CRED_MUST_USE_KERBEROS) {
+ if (krb_state == CRED_USE_KERBEROS_REQUIRED) {
torture_skip(tctx,
"Can't test failing session setup with kerberos.");
}
size_t i;
use_kerberos = cli_credentials_get_kerberos_state(credentials);
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
}
- torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
+ torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
"please use -k yes");
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
struct smb2_notify ntf2;
use_kerberos = cli_credentials_get_kerberos_state(credentials);
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
torture_warning(tctx, "smb2.session.expire2 requires -k yes!");
torture_skip(tctx, "smb2.session.expire2 requires -k yes!");
}
- torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS,
+ torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED,
"please use -k yes");
cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED);
bool connected;
use_kerberos = cli_credentials_get_kerberos_state(credentials);
- if (use_kerberos != CRED_MUST_USE_KERBEROS) {
+ if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) {
torture_warning(tctx, "smb2.session.expire1 requires -k yes!");
torture_skip(tctx, "smb2.session.expire1 requires -k yes!");
}