s3:passdb: use cli_credentials_set_kerberos_state() for trusts in pdb_get_trust_credentials()

Trust accounts can only use kerberos when contacting other AD domains,
using NTLMSSP will fail.

At the same time it doesn't make sense to try kerberos for NT4 domains,
still NTLMSSP will fail, but the callers has to deal with that
case and just fallback to an anonymous SMB connection.

In all cases we should be able to use NETLOGON SCHANNEL
over any anonymous smb or tcp transport.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

1 files changed, 17 insertions, 0 deletions

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 36aedadea22..64e05b346de 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2621,6 +2621,19 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+
+		/*
+		 * It's not possible to use NTLMSSP with a domain trust account.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+	} else {
+		/*
+		 * We can't use kerberos against an NT4 domain.
+		 *
+		 * We should have a mode that also disallows NTLMSSP here,
+		 * as only NETLOGON SCHANNEL is possible.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 	}
 
 	ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
@@ -2635,6 +2648,10 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain,
 			status = NT_STATUS_NO_MEMORY;
 			goto fail;
 		}
+		/*
+		 * We currently can't do kerberos just with an NTHASH.
+		 */
+		cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
 		goto done;
 	}