auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required

Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend arround, this can only be specified explicitely by the caller
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

With trusts against AD domain we can reliable use kerberos and netlogon
secure channel for authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

1 files changed, 8 insertions, 0 deletions

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 9910f1a1917..955cc36f4cb 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -75,9 +75,13 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
 	const struct gensec_security_ops **new_gensec_list;
 	int i, j, num_mechs_in;
 	enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+	bool keep_schannel = false;
 
 	if (creds) {
 		use_kerberos = cli_credentials_get_kerberos_state(creds);
+		if (cli_credentials_get_netlogon_creds(creds) != NULL) {
+			keep_schannel = true;
+		}
 	}
 
 	for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
@@ -103,6 +107,10 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
 			}
 		}
 
+		if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+			keep = keep_schannel;
+		}
+
 		switch (use_kerberos) {
 		case CRED_AUTO_USE_KERBEROS:
 			keep = true;