auth:gensec: If Kerberos is required, keep schannel for machine account auth
authorStefan Metzmacher <metze@samba.org>
Fri, 4 Sep 2020 15:00:45 +0000 (17:00 +0200)
committerStefan Metzmacher <metze@samba.org>
Mon, 7 Sep 2020 12:02:15 +0000 (12:02 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
auth/gensec/gensec_start.c

index be199358ffc5222fdc2df1fb30d9f906d4326af5..4996e13e027a0eedaea17e5b3002ef4bb0eef027 100644 (file)
@@ -170,6 +170,15 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
                        if (cli_credentials_get_netlogon_creds(creds) != NULL) {
                                keep_schannel = true;
                        }
+
+                       /*
+                        * Even if Kerberos is set to REQUIRED, keep the
+                        * schannel auth mechanism that machine accounts are
+                        * able to authenticate via netlogon.
+                        */
+                       if (gensec_security->gensec_role == GENSEC_SERVER) {
+                               keep_schannel = true;
+                       }
                }
 
                if (gensec_security->settings->backends) {
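Review bot: The new `gensec_security->gensec_role == GENSEC_SERVER` branch sets `keep_schannel` for every server-side context, with no look at the credentials like the `cli_credentials_get_netlogon_creds(creds) != NULL` check just above it, yet the comment describes it as serving machine accounts only. Because this leaves a non-Kerberos mechanism on offer while Kerberos is set to REQUIRED, the comment should say where the restriction to machine accounts is enforced; presumably that is the schannel/netlogon server code, which is not visible in this hunk. Suggested wording, which also fixes the missing "so": `/* Kerberos is REQUIRED, but a server still offers schannel so that machine accounts can authenticate via netlogon; limiting it to those accounts is up to the schannel server code. */`. The enclosing function and the condition that guards this block both start outside the hunk, so whether `keep_schannel` is consulted only in the Kerberos-required case should be confirmed there.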