diff options
author | Stefan Metzmacher <metze@samba.org> | 2017-02-24 16:02:50 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2017-02-28 09:38:24 +0100 |
commit | 36da5cc94355173dfa9e69ee685deb42e0ea2086 (patch) | |
tree | 7810b291973633b3a15be6f9b7a06eb9c00a70ad | |
parent | 79846937b6b08931ef60b61a8ad3317c80bb9147 (diff) | |
download | samba-36da5cc94355173dfa9e69ee685deb42e0ea2086.tar.gz |
auth/credentials: try to use kerberos with the machine account unless we're in an AD domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b845f16d3ca02dd27cc40bbf722426d6f81bb4b7)
-rw-r--r-- | auth/credentials/credentials_secrets.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 784e3454a7e..d36913af43b 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c @@ -39,7 +39,7 @@ #include "dbwrap/dbwrap.h" #include "dbwrap/dbwrap_open.h" #include "lib/util/util_tdb.h" - +#include "libds/common/roles.h" /** * Fill in credentials for the machine trust account, from the secrets database. @@ -277,6 +277,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti char *secrets_tdb_password = NULL; char *secrets_tdb_old_password = NULL; uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL; + int server_role = lpcfg_server_role(lp_ctx); + int security = lpcfg_security(lp_ctx); char *keystr; char *keystr_upper = NULL; TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb"); @@ -355,13 +357,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti } if (secrets_tdb_password_more_recent) { + enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS; char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx)); cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); cli_credentials_set_domain(cred, domain, CRED_SPECIFIED); if (strequal(domain, lpcfg_workgroup(lp_ctx))) { cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED); + + switch (server_role) { + case ROLE_DOMAIN_MEMBER: + if (security != SEC_ADS) { + break; + } + /* fall through */ + case ROLE_ACTIVE_DIRECTORY_DC: + use_kerberos = CRED_AUTO_USE_KERBEROS; + break; + } } + cli_credentials_set_kerberos_state(cred, use_kerberos); cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); |