summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2017-02-24 16:02:50 +0100
committerKarolin Seeger <kseeger@samba.org>2017-02-28 09:38:24 +0100
commit36da5cc94355173dfa9e69ee685deb42e0ea2086 (patch)
tree7810b291973633b3a15be6f9b7a06eb9c00a70ad
parent79846937b6b08931ef60b61a8ad3317c80bb9147 (diff)
downloadsamba-36da5cc94355173dfa9e69ee685deb42e0ea2086.tar.gz
auth/credentials: try to use kerberos with the machine account unless we're in an AD domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12587 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit b845f16d3ca02dd27cc40bbf722426d6f81bb4b7)
Diffstat
-rw-r--r--auth/credentials/credentials_secrets.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 784e3454a7e..d36913af43b 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -39,7 +39,7 @@
#include "dbwrap/dbwrap.h"
#include "dbwrap/dbwrap_open.h"
#include "lib/util/util_tdb.h"
-
+#include "libds/common/roles.h"
/**
* Fill in credentials for the machine trust account, from the secrets database.
@@ -277,6 +277,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
char *secrets_tdb_password = NULL;
char *secrets_tdb_old_password = NULL;
uint32_t secrets_tdb_secure_channel_type = SEC_CHAN_NULL;
+ int server_role = lpcfg_server_role(lp_ctx);
+ int security = lpcfg_security(lp_ctx);
char *keystr;
char *keystr_upper = NULL;
TALLOC_CTX *tmp_ctx = talloc_named(cred, 0, "cli_credentials_set_secrets from ldb");
@@ -355,13 +357,26 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
}
if (secrets_tdb_password_more_recent) {
+ enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
if (strequal(domain, lpcfg_workgroup(lp_ctx))) {
cli_credentials_set_realm(cred, lpcfg_realm(lp_ctx), CRED_SPECIFIED);
+
+ switch (server_role) {
+ case ROLE_DOMAIN_MEMBER:
+ if (security != SEC_ADS) {
+ break;
+ }
+ /* fall through */
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ use_kerberos = CRED_AUTO_USE_KERBEROS;
+ break;
+ }
}
+ cli_credentials_set_kerberos_state(cred, use_kerberos);
cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct);
cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type);
View Lorry Controller Status