diff options
author | Stefan Metzmacher <metze@samba.org> | 2020-09-04 17:00:45 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2020-09-07 12:02:15 +0000 |
commit | 515cffb1f20eacb041ff7b3d43f8a122a82ddfbd (patch) | |
tree | 60bdb3738fc941937bbc1f58959dfc5aea0faa30 /auth/gensec | |
parent | a33a40bbc848e5691869cf264009d23a03128f31 (diff) | |
download | samba-515cffb1f20eacb041ff7b3d43f8a122a82ddfbd.tar.gz |
auth:gensec: If Kerberos is required, keep schannel for machine account auth
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth/gensec')
-rw-r--r-- | auth/gensec/gensec_start.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index be199358ffc..4996e13e027 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -170,6 +170,15 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs( if (cli_credentials_get_netlogon_creds(creds) != NULL) { keep_schannel = true; } + + /* + * Even if Kerberos is set to REQUIRED, keep the + * schannel auth mechanism that machine accounts are + * able to authenticate via netlogon. + */ + if (gensec_security->gensec_role == GENSEC_SERVER) { + keep_schannel = true; + } } if (gensec_security->settings->backends) { |