From fc318c63e5556e940ee846e63ebbc1ca5a39c945 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 18 Jun 2024 20:28:25 +0200 Subject: [PATCH] auth/credentials: don't ignore "client use kerberos" and --use-kerberos for machine accounts We only turn desired into off in the NT4 domain member case. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15666 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Wed Jun 19 10:17:28 UTC 2024 on atb-devel-224 (cherry picked from commit 5b40cdf6e8885c9db6c5ffa972112f3516e4130a) Autobuild-User(v4-20-test): Jule Anger Autobuild-Date(v4-20-test): Wed Jun 19 14:07:17 UTC 2024 on atb-devel-224 --- auth/credentials/credentials_secrets.c | 31 +++++++++++++++---- .../knownfail.d/samba4.blackbox.ldap_token | 1 - 2 files changed, 25 insertions(+), 7 deletions(-) delete mode 100644 selftest/knownfail.d/samba4.blackbox.ldap_token
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 8469d6e116f..906f3ff1a21 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,13 +370,17 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 }
 if (secrets_tdb_password_more_recent) {
- enum credentials_use_kerberos use_kerberos =
- CRED_USE_KERBEROS_DISABLED;
 char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
+ enum credentials_use_kerberos use_kerberos =
+ cli_credentials_get_kerberos_state(cred);
+ enum credentials_obtained use_kerberos_obtained =
+ cli_credentials_get_kerberos_state_obtained(cred);
+ bool is_ad = false;
+
 cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
 switch (server_role) {
@@ -388,13 +392,28 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 FALL_THROUGH;
 case ROLE_ACTIVE_DIRECTORY_DC:
 case ROLE_IPA_DC:
- use_kerberos = CRED_USE_KERBEROS_DESIRED;
+ is_ad = true;
 break;
 }
+
+ if (use_kerberos != CRED_USE_KERBEROS_DESIRED || is_ad) {
+ /*
+ * Keep an explicit selection
+ *
+ * For AD domains we also keep
+ * CRED_USE_KERBEROS_DESIRED
+ */
+ } else if (use_kerberos_obtained <= CRED_SMB_CONF) {
+ /*
+ * Disable kerberos by default within
+ * an NT4 domain.
+ */
+ cli_credentials_set_kerberos_state(cred,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SMB_CONF);
+ }
 }
- cli_credentials_set_kerberos_state(cred,
- use_kerberos,
- CRED_SPECIFIED);
+
 cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
 cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
diff --git a/selftest/knownfail.d/samba4.blackbox.ldap_token b/selftest/knownfail.d/samba4.blackbox.ldap_token
deleted file mode 100644
index 559c749a315..00000000000
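Review bot: The three new locals at the top of the `if (strequal(domain, lpcfg_workgroup(lp_ctx)))` block take a snapshot of the Kerberos state and its obtained level before `cli_credentials_set_realm()` and the `switch`, but nothing says why the snapshot is taken here rather than where it is consumed in the next hunk. A short comment would make the intent explicit, e.g. `/* Remember what the caller or smb.conf selected before deciding below whether the NT4-member default may override it */`. Reading the state before the realm is set looks intentional, but that ordering is worth stating so a later reorder does not silently change the decision. The enclosing function cli_credentials_set_machine_account_db_ctx starts and ends outside this hunk.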
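Review bot: The removed `cli_credentials_set_kerberos_state(cred, use_kerberos, CRED_SPECIFIED)` sat after the closing brace of `if (strequal(domain, lpcfg_workgroup(lp_ctx)))`, so a secrets.tdb domain that does not match the configured workgroup previously had Kerberos forced to `CRED_USE_KERBEROS_DISABLED` (the removed initialiser in the first hunk); the replacement logic lives entirely inside that block, so in the mismatch case the machine account now keeps whatever state it arrived with, and no realm has been set for it either. If that is intended, say so at the closing brace, e.g. `/* domain != workgroup: leave the kerberos selection as the caller or smb.conf set it */`; if not, the NT4 default-disable in the `else if` branch needs to apply on that path too. The `use_kerberos_obtained <= CRED_SMB_CONF` test relies on the ordering of `enum credentials_obtained`, which appears to be the local convention but deserves a one-line hint next to it. As a matter of style, the empty first branch could be folded into a single positive condition, `if (use_kerberos == CRED_USE_KERBEROS_DESIRED && !is_ad && use_kerberos_obtained <= CRED_SMB_CONF) {`, with the two comments merged above it.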
--- a/selftest/knownfail.d/samba4.blackbox.ldap_token
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.ldap_token.Test token with NTLMSSP MACHINE.*ad_member