1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts

We only turn desired into off in the NT4 domain member case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224

(cherry picked from commit 5b40cdf6e8)

Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Wed Jun 19 14:07:17 UTC 2024 on atb-devel-224
This commit is contained in:
Stefan Metzmacher 2024-06-18 20:28:25 +02:00 committed by Jule Anger
parent 212b014679
commit fc318c63e5
2 changed files with 25 additions and 7 deletions

View File

@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
}
if (secrets_tdb_password_more_recent) {
enum credentials_use_kerberos use_kerberos =
CRED_USE_KERBEROS_DISABLED;
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
enum credentials_use_kerberos use_kerberos =
cli_credentials_get_kerberos_state(cred);
enum credentials_obtained use_kerberos_obtained =
cli_credentials_get_kerberos_state_obtained(cred);
bool is_ad = false;
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
switch (server_role) {
@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
FALL_THROUGH;
case ROLE_ACTIVE_DIRECTORY_DC:
case ROLE_IPA_DC:
use_kerberos = CRED_USE_KERBEROS_DESIRED;
is_ad = true;
break;
}
if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
/*
* Keep an explicit selection
*
* For AD domains we also keep
* CRED_USE_KERBEROS_DESIRED
*/
} else if (use_kerberos_obtained <= CRED_SMB_CONF) {
/*
* Disable kerberos by default within
* an NT4 domain.
*/
cli_credentials_set_kerberos_state(cred,
CRED_USE_KERBEROS_DISABLED,
CRED_SMB_CONF);
}
}
cli_credentials_set_kerberos_state(cred,
use_kerberos,
CRED_SPECIFIED);
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);

View File

@ -1 +0,0 @@
^samba4.blackbox.ldap_token.Test token with NTLMSSP MACHINE.*ad_member