diff options
author | Andreas Schneider <asn@samba.org> | 2020-08-19 15:46:11 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2021-04-28 03:43:34 +0000 |
commit | 521f77c6671a0a088dedcdcafd264690c123b0b3 (patch) | |
tree | 5f9dccec89fc63d2112d35e078fc9dad573be05f /source3 | |
parent | a00726593c2f3b464e48c22e7a757aa1a06ecff2 (diff) | |
download | samba-521f77c6671a0a088dedcdcafd264690c123b0b3.tar.gz |
auth:creds: Add obtained arg to cli_credentials_set_kerberos_state()
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3')
-rw-r--r-- | source3/auth/auth_generic.c | 8 | ||||
-rw-r--r-- | source3/lib/netapi/cm.c | 4 | ||||
-rw-r--r-- | source3/lib/netapi/netapi.c | 3 | ||||
-rw-r--r-- | source3/lib/util_cmdline.c | 8 | ||||
-rw-r--r-- | source3/libads/sasl.c | 3 | ||||
-rw-r--r-- | source3/libnet/libnet_join.c | 3 | ||||
-rw-r--r-- | source3/libsmb/cliconnect.c | 9 | ||||
-rw-r--r-- | source3/passdb/passdb.c | 12 | ||||
-rw-r--r-- | source3/passdb/pdb_samba_dsdb.c | 6 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 4 | ||||
-rw-r--r-- | source3/rpcclient/rpcclient.c | 5 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 4 | ||||
-rw-r--r-- | source3/utils/net_util.c | 9 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 8 | ||||
-rw-r--r-- | source3/winbindd/winbindd_cm.c | 4 |
15 files changed, 64 insertions, 26 deletions
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index e4ff2b7dedc..ebb1f19bd54 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -349,9 +349,13 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, cli_credentials_set_conf(server_credentials, lp_ctx); if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) { - cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED); + cli_credentials_set_kerberos_state(server_credentials, + CRED_USE_KERBEROS_DESIRED, + CRED_SPECIFIED); } else { - cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED); + cli_credentials_set_kerberos_state(server_credentials, + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); } nt_status = gensec_server_start(tmp_ctx, gensec_settings, diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c index d6b7c868c22..c54f955d617 100644 --- a/source3/lib/netapi/cm.c +++ b/source3/lib/netapi/cm.c @@ -105,7 +105,9 @@ static WERROR libnetapi_open_ipc_connection(struct libnetapi_ctx *ctx, if (username != NULL && username[0] != '\0' && password != NULL && password[0] != '\0' && krb5_state == CRED_USE_KERBEROS_REQUIRED) { - cli_credentials_set_kerberos_state(ctx->creds, CRED_USE_KERBEROS_DESIRED); + cli_credentials_set_kerberos_state(ctx->creds, + CRED_USE_KERBEROS_DESIRED, + CRED_SPECIFIED); } status = cli_cm_open(ctx, NULL, diff --git a/source3/lib/netapi/netapi.c b/source3/lib/netapi/netapi.c index a56651d100f..56e26c83fa4 100644 --- a/source3/lib/netapi/netapi.c +++ b/source3/lib/netapi/netapi.c @@ -342,7 +342,8 @@ NET_API_STATUS libnetapi_set_creds(struct libnetapi_ctx *ctx, NET_API_STATUS libnetapi_set_use_kerberos(struct libnetapi_ctx *ctx) { cli_credentials_set_kerberos_state(ctx->creds, - CRED_USE_KERBEROS_REQUIRED); + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); return NET_API_STATUS_SUCCESS; } diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c index d2af34ee19b..5374a29a514 100644 --- a/source3/lib/util_cmdline.c +++ b/source3/lib/util_cmdline.c @@ -312,7 +312,9 @@ void set_cmdline_auth_info_use_kerberos(struct user_auth_info *auth_info, krb5_state = CRED_USE_KERBEROS_DISABLED; } - cli_credentials_set_kerberos_state(auth_info->creds, krb5_state); + cli_credentials_set_kerberos_state(auth_info->creds, + krb5_state, + CRED_SPECIFIED); } bool get_cmdline_auth_info_use_kerberos(const struct user_auth_info *auth_info) @@ -351,7 +353,9 @@ void set_cmdline_auth_info_fallback_after_kerberos(struct user_auth_info *auth_i break; } - cli_credentials_set_kerberos_state(auth_info->creds, krb5_state); + cli_credentials_set_kerberos_state(auth_info->creds, + krb5_state, + CRED_SPECIFIED); } bool get_cmdline_auth_info_fallback_after_kerberos(const struct user_auth_info *auth_info) diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 90ffa040ec0..60fa2bf80cb 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -163,7 +163,8 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, } cli_credentials_set_kerberos_state(auth_generic_state->credentials, - krb5_state); + krb5_state, + CRED_SPECIFIED); if (target_service != NULL) { nt_status = gensec_set_target_service( diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index bd3aeec9434..fb28fa44dfe 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1707,7 +1707,8 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, if (use_kerberos) { cli_credentials_set_kerberos_state(cli_creds, - CRED_USE_KERBEROS_REQUIRED); + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); } status = cli_full_connection_creds(&cli, NULL, diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index b95b14b018c..b13e43f9801 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -123,13 +123,16 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx, if (use_kerberos && fallback_after_kerberos) { cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_DESIRED); + CRED_USE_KERBEROS_DESIRED, + CRED_SPECIFIED); } else if (use_kerberos) { cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_REQUIRED); + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); } else { cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_DISABLED); + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); } if (use_ccache) { diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index f4cbbe6c06e..73fcb3da308 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -2683,7 +2683,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, /* * It's not possible to use NTLMSSP with a domain trust account. */ - cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED); + cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); } else { /* * We can't use kerberos against an NT4 domain. @@ -2691,7 +2693,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, * We should have a mode that also disallows NTLMSSP here, * as only NETLOGON SCHANNEL is possible. */ - cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED); + cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); } ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED); @@ -2709,7 +2713,9 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, /* * We currently can't do kerberos just with an NTHASH. */ - cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED); + cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); goto done; } diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 9d1fcf8bd42..4f1d2f697f0 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -2518,13 +2518,15 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m, * Force kerberos if this is an active directory domain */ cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_REQUIRED); + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); } else { /* * TODO: we should allow krb5 with the raw nt hash. */ cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_DISABLED); + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); } *_creds = talloc_move(mem_ctx, &creds); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 4d6f5845062..4ed74ae52b0 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2569,7 +2569,9 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx, goto fail; } - cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos); + cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, + use_kerberos, + CRED_SPECIFIED); cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds); status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level); diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 2939145d594..8b59fb87c67 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -911,8 +911,9 @@ static NTSTATUS do_cmd(struct cli_state *cli, case DCERPC_AUTH_TYPE_SPNEGO: case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_KRB5: - cli_credentials_set_kerberos_state( - creds, krb5_state); + cli_credentials_set_kerberos_state(creds, + krb5_state, + CRED_SPECIFIED); ntresult = cli_rpc_pipe_open_with_creds( cli, cmd_entry->table, diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 5300dfbef80..fbafa51cbb8 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2478,7 +2478,9 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char * talloc_destroy(mem_ctx); return -1; } - cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED); + cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername, &server_ss, 0, diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c index 7383d593f53..5747bfa581a 100644 --- a/source3/utils/net_util.c +++ b/source3/utils/net_util.c @@ -499,13 +499,16 @@ struct cli_credentials *net_context_creds(struct net_context *c, if (c->opt_kerberos && c->opt_user_specified) { cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_DESIRED); + CRED_USE_KERBEROS_DESIRED, + CRED_SPECIFIED); } else if (c->opt_kerberos) { cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_REQUIRED); + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); } else { cli_credentials_set_kerberos_state(creds, - CRED_USE_KERBEROS_DISABLED); + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); } if (c->opt_ccache) { diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 0370803167f..d833ee90b35 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1365,9 +1365,13 @@ static NTSTATUS ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx, cli_credentials_set_conf(server_credentials, lp_ctx); if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) { - cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED); + cli_credentials_set_kerberos_state(server_credentials, + CRED_USE_KERBEROS_DESIRED, + CRED_SPECIFIED); } else { - cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED); + cli_credentials_set_kerberos_state(server_credentials, + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); } nt_status = gensec_server_start(tmp_ctx, gensec_settings, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 431916a82a3..df785a0ba62 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -708,7 +708,9 @@ static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx, } cli_credentials_set_conf(creds, lp_ctx); - cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED); + cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED); if (!ok) { |