auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts
We only turn desired into off in the NT4 domain member case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224
(cherry picked from commit 5b40cdf6e8
)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Jun 19 14:07:17 UTC 2024 on atb-devel-224
parent
212b014679
commit
fc318c63e5
@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
|
||||
}
|
||||
|
||||
if (secrets_tdb_password_more_recent) {
|
||||
enum credentials_use_kerberos use_kerberos =
|
||||
CRED_USE_KERBEROS_DISABLED;
|
||||
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
|
||||
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
|
||||
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
|
||||
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
|
||||
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
|
||||
enum credentials_use_kerberos use_kerberos =
|
||||
cli_credentials_get_kerberos_state(cred);
|
||||
enum credentials_obtained use_kerberos_obtained =
|
||||
cli_credentials_get_kerberos_state_obtained(cred);
|
||||
bool is_ad = false;
|
||||
|
||||
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
|
||||
|
||||
switch (server_role) {
|
||||
@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
|
||||
FALL_THROUGH;
|
||||
case ROLE_ACTIVE_DIRECTORY_DC:
|
||||
case ROLE_IPA_DC:
|
||||
use_kerberos = CRED_USE_KERBEROS_DESIRED;
|
||||
is_ad = true;
|
||||
break;
|
||||
}
|
||||
|
||||
if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
|
||||
/*
|
||||
* Keep an explicit selection
|
||||
*
|
||||
* For AD domains we also keep
|
||||
* CRED_USE_KERBEROS_DESIRED
|
||||
*/
|
||||
} else if (use_kerberos_obtained <= CRED_SMB_CONF) {
|
||||
/*
|
||||
* Disable kerberos by default within
|
||||
* an NT4 domain.
|
||||
*/
|
||||
cli_credentials_set_kerberos_state(cred,
|
||||
CRED_USE_KERBEROS_DISABLED,
|
||||
CRED_SMB_CONF);
|
||||
}
|
||||
}
|
||||
cli_credentials_set_kerberos_state(cred,
|
||||
use_kerberos,
|
||||
CRED_SPECIFIED);
|
||||
|
||||
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
|
||||
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
|
||||
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
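Review bot: In the second hunk, the `else if (use_kerberos_obtained <= CRED_SMB_CONF)` branch still turns a `CRED_USE_KERBEROS_DESIRED` obtained at the `CRED_SMB_CONF` level into `CRED_USE_KERBEROS_DISABLED` outside AD, so the comment "Keep an explicit selection" holds for `DESIRED` only when it was obtained at a level above `CRED_SMB_CONF` (presumably command line or API; the ordering of the obtained levels is not visible here). This branch decides whether the machine account is allowed to use Kerberos or is pinned to NTLM, so the comment should spell that out, for example `/* DESIRED obtained at CRED_SMB_CONF or below counts as the default and is disabled in an NT4 domain; REQUIRED, DISABLED and a DESIRED obtained above CRED_SMB_CONF are kept */`. The comment-only first branch could then be folded into a single condition, `if (!is_ad && use_kerberos == CRED_USE_KERBEROS_DESIRED && use_kerberos_obtained <= CRED_SMB_CONF) {`. The enclosing function starts and ends outside the hunks shown.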
|
||||
|
@ -1 +0,0 @@
|
||||
^samba4.blackbox.ldap_token.Test token with NTLMSSP MACHINE.*ad_member
|