--- /dev/null
+<samba:parameter name="client use kerberos"
+ context="G"
+ type="enum"
+ function="_client_use_kerberos"
+ enumlist="enum_use_kerberos_vals"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ This parameter determines whether Samba client tools will try
+ to authenticate using Kerberos. For Kerberos authentication you
+ need to use dns names instead of IP addresses when connnecting
+ to a service.
+ </para>
+
+ <para>Possible option settings are:</para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <emphasis>desired</emphasis> - Kerberos
+ authentication will be tried first and if it fails it
+ automatically fallback to NTLM.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis>required</emphasis> - Kerberos
+ authentication will be required. There will be no
+ falllback to NTLM or a different alternative.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <emphasis>off</emphasis> - Don't use
+ Kerberos, use NTLM instead or another
+ alternative.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ In case that weak cryptography is not allowed (e.g. FIPS mode)
+ the default will be forced to <emphasis>required</emphasis>.
+ </para>
+</description>
+
+<value type="default">desired</value>
+</samba:parameter>
#include "libcli/auth/ntlm_check.h"
#include "lib/crypto/gnutls_helpers.h"
#include "lib/util/smb_strtox.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_HTTPCONNECTENCRYPT
#include <cups/http.h>
"client smb encrypt",
"default");
+ lpcfg_do_global_parameter(lp_ctx,
+ "client use kerberos",
+ "desired");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
return client_ipc_signing;
}
+enum credentials_use_kerberos lpcfg_client_use_kerberos(struct loadparm_context *lp_ctx)
+{
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return CRED_USE_KERBEROS_REQUIRED;
+ }
+
+ return lpcfg__client_use_kerberos(lp_ctx);
+}
+
bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
{
bool allowed = true;
#include "libcli/smb/smb_constants.h"
#include "libds/common/roles.h"
#include "source4/lib/tls/tls.h"
+#include "auth/credentials/credentials.h"
#ifndef N_
#define N_(x) x
{-1, NULL}
};
+static const struct enum_list enum_use_kerberos_vals[] = {
+ {CRED_USE_KERBEROS_DESIRED, "desired"},
+ {CRED_USE_KERBEROS_DESIRED, "auto"},
+ {CRED_USE_KERBEROS_REQUIRED, "yes"},
+ {CRED_USE_KERBEROS_REQUIRED, "required"},
+ {CRED_USE_KERBEROS_DISABLED, "no"},
+ {CRED_USE_KERBEROS_DISABLED, "disabled"},
+ {CRED_USE_KERBEROS_DISABLED, "off"},
+ {-1, NULL}
+};
+
static const struct enum_list enum_mdns_name_values[] = {
{MDNS_NAME_NETBIOS, "netbios"},
{MDNS_NAME_MDNS, "mdns"},
#include "libcli/auth/ntlm_check.h"
#include "lib/crypto/gnutls_helpers.h"
#include "lib/util/string_wrappers.h"
+#include "auth/credentials/credentials.h"
#ifdef HAVE_SYS_SYSCTL_H
#include <sys/sysctl.h>
Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT;
+ Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED;
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
return client_ipc_signing;
}
+enum credentials_use_kerberos lp_client_use_kerberos(void)
+{
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return CRED_USE_KERBEROS_REQUIRED;
+ }
+
+ return lp__client_use_kerberos();
+}
+
+
int lp_rpc_low_port(void)
{
return Globals.rpc_low_port;
int lp_client_ipc_min_protocol(void);
int lp_client_ipc_max_protocol(void);
int lp_client_ipc_signing(void);
+enum credentials_use_kerberos lp_client_use_kerberos(void);
int lp_smb2_max_credits(void);
int lp_cups_encrypt(void);
bool lp_widelinks(int );