cred->winbind_separator = '\\';
- cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;
+ cred->kerberos_state = CRED_USE_KERBEROS_DESIRED;
cred->signing_state = SMB_SIGNING_DEFAULT;
return anon_credentials;
}
-_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
- enum credentials_use_kerberos use_kerberos)
+_PUBLIC_ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos kerberos_state,
+ enum credentials_obtained obtained)
{
- creds->use_kerberos = use_kerberos;
+ if (obtained >= creds->kerberos_state_obtained) {
+ creds->kerberos_state = kerberos_state;
+ creds->kerberos_state_obtained = obtained;
+
+ return true;
+ }
+
+ return false;
}
_PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
_PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
{
- return creds->use_kerberos;
+ return creds->kerberos_state;
}
_PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds)
cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx);
cred->encryption_state_obtained = CRED_SMB_CONF;
}
+
+ if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
+ /* Will be set to default for invalid smb.conf values */
+ cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
+ cred->kerberos_state_obtained = CRED_SMB_CONF;
+ }
}
/**
cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
- cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
/**
creds->self_service);
DBG_ERR(" Target service: %s\n",
creds->target_service);
- DBG_ERR(" Kerberos state: %s\n",
- krb5_state_to_str(creds->use_kerberos));
+ DBG_ERR(" Kerberos state: %s - %s\n",
+ krb5_state_to_str(creds->kerberos_state),
+ obtained_to_str(creds->kerberos_state_obtained));
DBG_ERR(" Kerberos forwardable ticket: %s\n",
krb5_fwd_to_str(creds->krb_forwardable));
DBG_ERR(" Signing state: %s - %s\n",
const char **error_string);
void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds,
const char *sasl_mech);
-void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
- enum credentials_use_kerberos use_kerberos);
+bool cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos kerberos_state,
+ enum credentials_obtained obtained);
void cli_credentials_set_krb_forwardable(struct cli_credentials *creds,
enum credentials_krb_forwardable krb_forwardable);
bool cli_credentials_set_domain(struct cli_credentials *cred,
enum credentials_obtained signing_state_obtained;
enum credentials_obtained ipc_signing_state_obtained;
enum credentials_obtained encryption_state_obtained;
+ enum credentials_obtained kerberos_state_obtained;
/* Threshold values (essentially a MAX() over a number of the
* above) for the ccache and GSS credentials, to ensure we
bool machine_account;
/* Should we be trying to use kerberos? */
- enum credentials_use_kerberos use_kerberos;
+ enum credentials_use_kerberos kerberos_state;
/* Should we get a forwardable ticket? */
enum credentials_krb_forwardable krb_forwardable;
cred->impersonate_principal = talloc_strdup(cred, principal);
talloc_free(cred->self_service);
cred->self_service = talloc_strdup(cred, self_service);
- cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
}
/*
const struct samr_Password *nt_hash = NULL;
int rc;
- if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) {
+ if (cred->kerberos_state == CRED_USE_KERBEROS_REQUIRED) {
TALLOC_FREE(frame);
return NT_STATUS_INVALID_PARAMETER_MIX;
}
break;
}
}
- cli_credentials_set_kerberos_state(cred, use_kerberos);
+ cli_credentials_set_kerberos_state(cred,
+ use_kerberos,
+ CRED_SPECIFIED);
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
if (!PyArg_ParseTuple(args, "i", &state))
return NULL;
- cli_credentials_set_kerberos_state(creds, state);
+ cli_credentials_set_kerberos_state(creds, state, CRED_SPECIFIED);
Py_RETURN_NONE;
}
const char *passwd_fd = getenv("PASSWD_FD");
const char *passwd_file = getenv("PASSWD_FILE");
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
unsetenv("USER");
unsetenv("PASSWD_FD");
if (passwd_file != NULL) {
setenv("PASSWD_FILE", passwd_file, 1);
}
- cli_credentials_set_kerberos_state(creds, old_kerb_state);
+ cli_credentials_set_kerberos_state(creds,
+ old_kerb_state,
+ CRED_SPECIFIED);
return true;
}
cli_credentials_set_kerberos_state(cred,
strcmp(opt_kerberos, "yes")
? CRED_USE_KERBEROS_REQUIRED
- : CRED_USE_KERBEROS_DISABLED);
+ : CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
if (options->runas == NULL && options->runas_file != NULL) {
cli_credentials_set_conf(server_credentials, lp_ctx);
if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
} else {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
if (username != NULL && username[0] != '\0' &&
password != NULL && password[0] != '\0' &&
krb5_state == CRED_USE_KERBEROS_REQUIRED) {
- cli_credentials_set_kerberos_state(ctx->creds, CRED_USE_KERBEROS_DESIRED);
+ cli_credentials_set_kerberos_state(ctx->creds,
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
}
status = cli_cm_open(ctx, NULL,
NET_API_STATUS libnetapi_set_use_kerberos(struct libnetapi_ctx *ctx)
{
cli_credentials_set_kerberos_state(ctx->creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
return NET_API_STATUS_SUCCESS;
}
krb5_state = CRED_USE_KERBEROS_DISABLED;
}
- cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
+ cli_credentials_set_kerberos_state(auth_info->creds,
+ krb5_state,
+ CRED_SPECIFIED);
}
bool get_cmdline_auth_info_use_kerberos(const struct user_auth_info *auth_info)
break;
}
- cli_credentials_set_kerberos_state(auth_info->creds, krb5_state);
+ cli_credentials_set_kerberos_state(auth_info->creds,
+ krb5_state,
+ CRED_SPECIFIED);
}
bool get_cmdline_auth_info_fallback_after_kerberos(const struct user_auth_info *auth_info)
}
cli_credentials_set_kerberos_state(auth_generic_state->credentials,
- krb5_state);
+ krb5_state,
+ CRED_SPECIFIED);
if (target_service != NULL) {
nt_status = gensec_set_target_service(
if (use_kerberos) {
cli_credentials_set_kerberos_state(cli_creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
}
status = cli_full_connection_creds(&cli, NULL,
if (use_kerberos && fallback_after_kerberos) {
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DESIRED);
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
} else if (use_kerberos) {
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
} else {
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DISABLED);
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
if (use_ccache) {
/*
* It's not possible to use NTLMSSP with a domain trust account.
*/
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
} else {
/*
* We can't use kerberos against an NT4 domain.
* We should have a mode that also disallows NTLMSSP here,
* as only NETLOGON SCHANNEL is possible.
*/
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
/*
* We currently can't do kerberos just with an NTHASH.
*/
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
goto done;
}
* Force kerberos if this is an active directory domain
*/
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
} else {
/*
* TODO: we should allow krb5 with the raw nt hash.
*/
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DISABLED);
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
*_creds = talloc_move(mem_ctx, &creds);
goto fail;
}
- cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
+ cli_credentials_set_kerberos_state(auth_generic_ctx->credentials,
+ use_kerberos,
+ CRED_SPECIFIED);
cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
case DCERPC_AUTH_TYPE_SPNEGO:
case DCERPC_AUTH_TYPE_NTLMSSP:
case DCERPC_AUTH_TYPE_KRB5:
- cli_credentials_set_kerberos_state(
- creds, krb5_state);
+ cli_credentials_set_kerberos_state(creds,
+ krb5_state,
+ CRED_SPECIFIED);
ntresult = cli_rpc_pipe_open_with_creds(
cli, cmd_entry->table,
talloc_destroy(mem_ctx);
return -1;
}
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername,
&server_ss, 0,
if (c->opt_kerberos && c->opt_user_specified) {
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DESIRED);
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
} else if (c->opt_kerberos) {
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
} else {
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_DISABLED);
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
if (c->opt_ccache) {
cli_credentials_set_conf(server_credentials, lp_ctx);
if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DESIRED,
+ CRED_SPECIFIED);
} else {
- cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(server_credentials,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
}
nt_status = gensec_server_start(tmp_ctx, gensec_settings,
}
cli_credentials_set_conf(creds, lp_ctx);
- cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED);
if (!ok) {
}
/* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */
- cli_credentials_set_kerberos_state(session_info->credentials, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(session_info->credentials,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
/* It has been taken from this place... */
gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL;
/* This credential handle isn't useful for password
* authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(creds,
- CRED_USE_KERBEROS_REQUIRED);
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
}
#endif
popt_get_cmdline_credentials(),
use_kerberos
? CRED_USE_KERBEROS_REQUIRED
- : CRED_USE_KERBEROS_DISABLED);
+ : CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
break;
}
torture_assert_goto(
torture, url!=NULL, ret, fail, "talloc_asprintf failed");
- cli_credentials_set_kerberos_state(
- credentials, CRED_USE_KERBEROS_REQUIRED);
+ cli_credentials_set_kerberos_state(credentials,
+ CRED_USE_KERBEROS_REQUIRED,
+ CRED_SPECIFIED);
ok = lpcfg_set_option(
torture->lp_ctx, "gensec_gssapi:requested_life_time=4");
torture_assert(torture, s->join_ctx2 != NULL,
"Failed to join domain with acct_flags=ACB_WSTRUST");
- cli_credentials_set_kerberos_state(s->wks_creds1, CRED_USE_KERBEROS_DISABLED);
- cli_credentials_set_kerberos_state(s->wks_creds2, CRED_USE_KERBEROS_DISABLED);
+ cli_credentials_set_kerberos_state(s->wks_creds1,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
+ cli_credentials_set_kerberos_state(s->wks_creds2,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
for (i=0; i < s->nprocs; i++) {
struct cli_credentials *wks = s->wks_creds1;