2025-02-02 09:47:23 +03:00 · 2020-08-19 11:34:02 +02:00 · 2020-08-19 11:34:02 +02:00 · 1cd233712e
commit 1cd233712e
parent b2bad13ca3
5 changed files with 89 additions and 0 deletions
--- a/docs-xml/smbdotconf/security/clientusekerberos.xml
+++ b/docs-xml/smbdotconf/security/clientusekerberos.xml
@ -0,0 +1,49 @@
+<samba:parameter name="client use kerberos"
+                 context="G"
+                 type="enum"
+                 function="_client_use_kerberos"
+                 enumlist="enum_use_kerberos_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+		This parameter determines whether Samba client tools will try
+		to authenticate using Kerberos. For Kerberos authentication you
+		need to use dns names instead of IP addresses when connnecting
+		to a service.
+	</para>
+
+	<para>Possible option settings are:</para>
+	<itemizedlist>
+		<listitem>
+			<para>
+				<emphasis>desired</emphasis> - Kerberos
+				authentication will be tried first and if it fails it
+				automatically fallback to NTLM.
+			</para>
+		</listitem>
+
+		<listitem>
+			<para>
+				<emphasis>required</emphasis> - Kerberos
+				authentication will be required. There will be no
+				falllback to NTLM or a different alternative.
+			</para>
+		</listitem>
+
+		<listitem>
+			<para>
+				<emphasis>off</emphasis> - Don't use
+				Kerberos, use NTLM instead or another
+				alternative.
+			</para>
+		</listitem>
+	</itemizedlist>
+
+	<para>
+		In case that weak cryptography is not allowed (e.g. FIPS mode)
+		the default will be forced to <emphasis>required</emphasis>.
+	</para>
+</description>
+
+<value type="default">desired</value>
+</samba:parameter>
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@ -74,6 +74,7 @@
 #include "libcli/auth/ntlm_check.h"
 #include "lib/crypto/gnutls_helpers.h"
 #include "lib/util/smb_strtox.h"
+#include "auth/credentials/credentials.h"

 #ifdef HAVE_HTTPCONNECTENCRYPT
 #include <cups/http.h>
@ -2947,6 +2948,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				  "client smb encrypt",
 				  "default");

+	lpcfg_do_global_parameter(lp_ctx,
+				  "client use kerberos",
+				  "desired");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
@ -3383,6 +3388,15 @@ int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
 	return client_ipc_signing;
 }

+enum credentials_use_kerberos lpcfg_client_use_kerberos(struct loadparm_context *lp_ctx)
+{
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		return CRED_USE_KERBEROS_REQUIRED;
+	}
+
+	return lpcfg__client_use_kerberos(lp_ctx);
+}
+
 bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
 {
 	bool allowed = true;
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@ -35,6 +35,7 @@
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
 #include "source4/lib/tls/tls.h"
+#include "auth/credentials/credentials.h"

 #ifndef N_
 #define N_(x) x
@ -161,6 +162,17 @@ static const struct enum_list enum_smb_encryption_vals[] = {
 	{-1, NULL}
 };

+static const struct enum_list enum_use_kerberos_vals[] = {
+	{CRED_USE_KERBEROS_DESIRED, "desired"},
+	{CRED_USE_KERBEROS_DESIRED, "auto"},
+	{CRED_USE_KERBEROS_REQUIRED, "yes"},
+	{CRED_USE_KERBEROS_REQUIRED, "required"},
+	{CRED_USE_KERBEROS_DISABLED, "no"},
+	{CRED_USE_KERBEROS_DISABLED, "disabled"},
+	{CRED_USE_KERBEROS_DISABLED, "off"},
+	{-1, NULL}
+};
+
 static const struct enum_list enum_mdns_name_values[] = {
 	{MDNS_NAME_NETBIOS, "netbios"},
 	{MDNS_NAME_MDNS, "mdns"},
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@ -75,6 +75,7 @@
 #include "libcli/auth/ntlm_check.h"
 #include "lib/crypto/gnutls_helpers.h"
 #include "lib/util/string_wrappers.h"
+#include "auth/credentials/credentials.h"

 #ifdef HAVE_SYS_SYSCTL_H
 #include <sys/sysctl.h>
@ -956,6 +957,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)

 	Globals.client_smb_encrypt = SMB_ENCRYPTION_DEFAULT;

+	Globals._client_use_kerberos = CRED_USE_KERBEROS_DESIRED;
+
 	/* Now put back the settings that were set with lp_set_cmdline() */
 	apply_lp_set_cmdline();
 }
@ -4708,6 +4711,16 @@ int lp_client_ipc_signing(void)
 	return client_ipc_signing;
 }

+enum credentials_use_kerberos lp_client_use_kerberos(void)
+{
+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		return CRED_USE_KERBEROS_REQUIRED;
+	}
+
+	return lp__client_use_kerberos();
+}
+
+
 int lp_rpc_low_port(void)
 {
 	return Globals.rpc_low_port;
--- a/source3/param/loadparm.h
+++ b/source3/param/loadparm.h
@ -56,6 +56,7 @@ int lp_client_max_protocol(void);
 int lp_client_ipc_min_protocol(void);
 int lp_client_ipc_max_protocol(void);
 int lp_client_ipc_signing(void);
+enum credentials_use_kerberos lp_client_use_kerberos(void);
 int lp_smb2_max_credits(void);
 int lp_cups_encrypt(void);
 bool lp_widelinks(int );