From 1cd233712e1a62d716a1d8b34ff3dca6a8f0f501 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 19 Aug 2020 11:34:02 +0200 Subject: [PATCH] lib:param: Add 'client use kerberos' config parameter Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- .../smbdotconf/security/clientusekerberos.xml | 49 +++++++++++++++++++ lib/param/loadparm.c | 14 ++++++ lib/param/param_table.c | 12 +++++ source3/param/loadparm.c | 13 +++++ source3/param/loadparm.h | 1 + 5 files changed, 89 insertions(+) create mode 100644 docs-xml/smbdotconf/security/clientusekerberos.xml diff --git a/docs-xml/smbdotconf/security/clientusekerberos.xml b/docs-xml/smbdotconf/security/clientusekerberos.xml new file mode 100644 index 00000000000..33dd2ac8e23 --- /dev/null +++ b/docs-xml/smbdotconf/security/clientusekerberos.xml @@ -0,0 +1,49 @@ + + + + This parameter determines whether Samba client tools will try + to authenticate using Kerberos. For Kerberos authentication you + need to use dns names instead of IP addresses when connnecting + to a service. + + + Possible option settings are: + + + + desired - Kerberos + authentication will be tried first and if it fails it + automatically fallback to NTLM. + + + + + + required - Kerberos + authentication will be required. There will be no + falllback to NTLM or a different alternative. + + + + + + off - Don't use + Kerberos, use NTLM instead or another + alternative. + + + + + + In case that weak cryptography is not allowed (e.g. FIPS mode) + the default will be forced to required. + + + +desired + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 6a4ae555759..7b0f652c069 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -74,6 +74,7 @@ #include "libcli/auth/ntlm_check.h" #include "lib/crypto/gnutls_helpers.h" #include "lib/util/smb_strtox.h" +#include "auth/credentials/credentials.h" #ifdef HAVE_HTTPCONNECTENCRYPT #include 
@@ -2947,6 +2948,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 "client smb encrypt",
 "default");
+ lpcfg_do_global_parameter(lp_ctx,
+ "client use kerberos",
+ "desired");
+
 for (i = 0; parm_table[i].label; i++) {
 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 lp_ctx->flags[i] |= FLAG_DEFAULT;
@@ -3383,6 +3388,15 @@ int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
 return client_ipc_signing;
 }
+enum credentials_use_kerberos lpcfg_client_use_kerberos(struct loadparm_context *lp_ctx)
+{
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return CRED_USE_KERBEROS_REQUIRED;
+ }
+
+ return lpcfg__client_use_kerberos(lp_ctx);
+}
+
 bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
 {
 bool allowed = true;
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index e2f737279dc..b26f0738f09 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -35,6 +35,7 @@
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
 #include "source4/lib/tls/tls.h"
+#include "auth/credentials/credentials.h"
 #ifndef N_
 #define N_(x) x
@@ -161,6 +162,17 @@ static const struct enum_list enum_smb_encryption_vals[] = {
 {-1, NULL}
 };
+static const struct enum_list enum_use_kerberos_vals[] = {
+ {CRED_USE_KERBEROS_DESIRED, "desired"},
+ {CRED_USE_KERBEROS_DESIRED, "auto"},
+ {CRED_USE_KERBEROS_REQUIRED, "yes"},
+ {CRED_USE_KERBEROS_REQUIRED, "required"},
+ {CRED_USE_KERBEROS_DISABLED, "no"},
+ {CRED_USE_KERBEROS_DISABLED, "disabled"},
+ {CRED_USE_KERBEROS_DISABLED, "off"},
+ {-1, NULL}
+};
+
 static const struct enum_list enum_mdns_name_values[] = {
 {MDNS_NAME_NETBIOS, "netbios"},
 {MDNS_NAME_MDNS, "mdns"},
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 078e67db48f..4f4912c70e4 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
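Review bot: lpcfg_client_use_kerberos() overrides whatever the administrator configured, including an explicit `client use kerberos = off`, whenever lpcfg_weak_crypto() reports SAMBA_WEAK_CRYPTO_DISALLOWED, and nothing in the code says why; a maintainer reading only this function could take the unconditional early return for a bug. A comment above the `if` would pin the intent, e.g. `/* With weak crypto disallowed (e.g. FIPS mode) the NTLM fallback is not an option, so Kerberos is forced to REQUIRED regardless of the configured value. */`. Note that clientusekerberos.xml in this commit says only that "the default will be forced to required", which understates the behaviour visible here: the configured value is overridden, not just the default. The same applies to lp_client_use_kerberos() in source3/param/loadparm.c, which duplicates this logic and would benefit from the same comment.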
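Review bot: In enum_use_kerberos_vals the aliases `yes` and `no` are listed ahead of the documented names `required` and `off`; if the parameter dump prints the first table entry whose value matches, which is how enum tables are normally reported back, a configuration written as `required` would be shown as `yes` and `off` as `no`. Listing the documented spelling first for each value avoids that, e.g. `{CRED_USE_KERBEROS_REQUIRED, "required"}, {CRED_USE_KERBEROS_REQUIRED, "yes"},` and `{CRED_USE_KERBEROS_DISABLED, "off"}` before `no` and `disabled`. The aliases `auto`, `yes`, `no` and `disabled` are also not mentioned in clientusekerberos.xml, so they are accepted but undiscoverable.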
@@ -75,6 +75,7 @@
 #include "libcli/auth/ntlm_check.h"
 #include "lib/crypto/gnutls_helpers.h"
 #include "lib/util/string_wrappers.h"
+#include "auth/credentials/credentials.h"
 #ifdef HAVE_SYS_SYSCTL_H
 #include
@@ -956,6 +957,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT;
+ Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED;
+
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
 }
@@ -4708,6 +4711,16 @@ int lp_client_ipc_signing(void)
 return client_ipc_signing;
 }
+enum credentials_use_kerberos lp_client_use_kerberos(void)
+{
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return CRED_USE_KERBEROS_REQUIRED;
+ }
+
+ return lp__client_use_kerberos();
+}
+
+
 int lp_rpc_low_port(void)
 {
 return Globals.rpc_low_port;
diff --git a/source3/param/loadparm.h b/source3/param/loadparm.h
index 7686877ccf1..9f7b4bd1cdb 100644
--- a/source3/param/loadparm.h
+++ b/source3/param/loadparm.h
@@ -56,6 +56,7 @@ int lp_client_max_protocol(void);
 int lp_client_ipc_min_protocol(void);
 int lp_client_ipc_max_protocol(void);
 int lp_client_ipc_signing(void);
+enum credentials_use_kerberos lp_client_use_kerberos(void);
 int lp_smb2_max_credits(void);
 int lp_cups_encrypt(void);
 bool lp_widelinks(int );
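Review bot: The new lp_client_use_kerberos() is followed by two added blank lines before `int lp_rpc_low_port(void)`, while the neighbouring functions in this hunk (lp_client_ipc_signing directly above it) are separated by a single blank line; dropping one of the two `+` blank lines keeps the spacing consistent with the rest of the file. The body itself mirrors lpcfg_client_use_kerberos() in lib/param/loadparm.c, so any later change to the weak-crypto override has to be made in both places; a one-line comment naming the counterpart, e.g. `/* Keep in sync with lpcfg_client_use_kerberos() in lib/param/loadparm.c */`, would make that coupling visible.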