diff options
30 files changed, 84 insertions, 78 deletions
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index 77c35dd104b..1bdd6f15a09 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -44,6 +44,8 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->winbind_separator = '\\'; + cred->use_kerberos = CRED_USE_KERBEROS_DESIRED; + cred->signing_state = SMB_SIGNING_DEFAULT; /* @@ -360,7 +362,7 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c return true; } - if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { + if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) { return true; } @@ -1018,7 +1020,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred, } if (lp_ctx != NULL && - cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { + cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) { cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE, &error_string); } @@ -1097,7 +1099,7 @@ _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred) cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED); cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED); cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED); - cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS); + cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED); } /** diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 4c140615751..f468b8558dd 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h @@ -53,9 +53,12 @@ enum credentials_obtained { }; enum credentials_use_kerberos { - CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */ - CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */ - CRED_MUST_USE_KERBEROS /* Sometimes administrators are paranoid, so always do kerberos */ + /** Sometimes trying kerberos just does 'bad things', so don't */ + CRED_USE_KERBEROS_DISABLED = 0, + /** Default, we try kerberos if available */ + CRED_USE_KERBEROS_DESIRED, + /** Sometimes administrators are paranoid, so always do kerberos */ + CRED_USE_KERBEROS_REQUIRED, }; enum credentials_krb_forwardable { diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index c321f713130..d7b1c430841 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c @@ -873,7 +873,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, &ccache, error_string); if (ret) { - if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) { + if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) { DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string)); } else { DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string)); @@ -1433,7 +1433,7 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials * cred->impersonate_principal = talloc_strdup(cred, principal); talloc_free(cred->self_service); cred->self_service = talloc_strdup(cred, self_service); - cli_credentials_set_kerberos_state(cred, CRED_MUST_USE_KERBEROS); + cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED); } /* diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c index f1b22a6c9e2..1bec60e5dce 100644 --- a/auth/credentials/credentials_ntlm.c +++ b/auth/credentials/credentials_ntlm.c @@ -53,7 +53,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred const struct samr_Password *nt_hash = NULL; int rc; - if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) { + if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) { TALLOC_FREE(frame); return NT_STATUS_INVALID_PARAMETER_MIX; } diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 52a89d4d5b4..58067a5bece 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c @@ -370,7 +370,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti } if (secrets_tdb_password_more_recent) { - enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS; + enum credentials_use_kerberos use_kerberos = + CRED_USE_KERBEROS_DISABLED; char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx)); cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED); cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED); @@ -386,7 +387,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti FALL_THROUGH; case ROLE_ACTIVE_DIRECTORY_DC: - use_kerberos = CRED_AUTO_USE_KERBEROS; + use_kerberos = CRED_USE_KERBEROS_DESIRED; break; } } diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 17c90573f09..95dde276ef7 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -1492,9 +1492,9 @@ MODULE_INIT_FUNC(credentials) PyModule_AddObject(m, "CALLBACK_RESULT", PyLong_FromLong(CRED_CALLBACK_RESULT)); PyModule_AddObject(m, "SPECIFIED", PyLong_FromLong(CRED_SPECIFIED)); - PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_AUTO_USE_KERBEROS)); - PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_DONT_USE_KERBEROS)); - PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_MUST_USE_KERBEROS)); + PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DESIRED)); + PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DISABLED)); + PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_REQUIRED)); PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE", PyLong_FromLong(CRED_AUTO_KRB_FORWARDABLE)); PyModule_AddObject(m, "NO_KRB_FORWARDABLE", PyLong_FromLong(CRED_NO_KRB_FORWARDABLE)); diff --git a/auth/credentials/tests/simple.c b/auth/credentials/tests/simple.c index 7f122bed3bc..b39d7a2251b 100644 --- a/auth/credentials/tests/simple.c +++ b/auth/credentials/tests/simple.c @@ -73,7 +73,7 @@ static bool test_guess(struct torture_context *tctx) const char *passwd_fd = getenv("PASSWD_FD"); const char *passwd_file = getenv("PASSWD_FILE"); - cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS); + cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED); unsetenv("USER"); unsetenv("PASSWD_FD"); diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build index 1e3302e3e48..ad16b7d8008 100644 --- a/auth/credentials/wscript_build +++ b/auth/credentials/wscript_build @@ -5,7 +5,7 @@ bld.SAMBA_LIBRARY('samba-credentials', public_headers='credentials.h', pc_files='samba-credentials.pc', deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5', - vnum='0.1.0' + vnum='1.0.0' ) bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5', diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c index 4996e13e027..0a484eefcf4 100644 --- a/auth/gensec/gensec_start.c +++ b/auth/gensec/gensec_start.c @@ -119,18 +119,18 @@ static const struct gensec_security_ops **gensec_use_kerberos_mechs( } switch (use_kerberos) { - case CRED_AUTO_USE_KERBEROS: + case CRED_USE_KERBEROS_DESIRED: keep = true; break; - case CRED_DONT_USE_KERBEROS: + case CRED_USE_KERBEROS_DISABLED: if (old_gensec_list[i]->kerberos == false) { keep = true; } break; - case CRED_MUST_USE_KERBEROS: + case CRED_USE_KERBEROS_REQUIRED: if (old_gensec_list[i]->kerberos == true) { keep = true; } @@ -158,7 +158,7 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs( TALLOC_CTX *mem_ctx) { const struct gensec_security_ops * const *backends = gensec_security_all(); - enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS; + enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED; bool keep_schannel = false; if (gensec_security != NULL) { diff --git a/examples/winexe/winexe.c b/examples/winexe/winexe.c index 03e7ec85198..95386211c0a 100644 --- a/examples/winexe/winexe.c +++ b/examples/winexe/winexe.c @@ -283,8 +283,8 @@ static void parse_args(int argc, const char *argv[], if (opt_kerberos) { cli_credentials_set_kerberos_state(cred, strcmp(opt_kerberos, "yes") - ? CRED_MUST_USE_KERBEROS - : CRED_DONT_USE_KERBEROS); + ? CRED_USE_KERBEROS_REQUIRED + : CRED_USE_KERBEROS_DISABLED); } if (options->runas == NULL && options->runas_file != NULL) { diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index 0e9500ac08d..f314acd9559 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -356,9 +356,9 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, cli_credentials_set_conf(server_credentials, lp_ctx); if (lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) { - cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS); + cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED); } else { - cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS); + cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED); } nt_status = gensec_server_start(tmp_ctx, gensec_settings, diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c index 9c9e2f0ac0f..d2af34ee19b 100644 --- a/source3/lib/util_cmdline.c +++ b/source3/lib/util_cmdline.c @@ -307,9 +307,9 @@ void set_cmdline_auth_info_use_kerberos(struct user_auth_info *auth_info, enum credentials_use_kerberos krb5_state; if (b) { - krb5_state = CRED_MUST_USE_KERBEROS; + krb5_state = CRED_USE_KERBEROS_REQUIRED; } else { - krb5_state = CRED_DONT_USE_KERBEROS; + krb5_state = CRED_USE_KERBEROS_DISABLED; } cli_credentials_set_kerberos_state(auth_info->creds, krb5_state); @@ -321,7 +321,7 @@ bool get_cmdline_auth_info_use_kerberos(const struct user_auth_info *auth_info) krb5_state = cli_credentials_get_kerberos_state(auth_info->creds); - if (krb5_state == CRED_MUST_USE_KERBEROS) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { return true; } @@ -336,17 +336,17 @@ void set_cmdline_auth_info_fallback_after_kerberos(struct user_auth_info *auth_i krb5_state = cli_credentials_get_kerberos_state(auth_info->creds); switch (krb5_state) { - case CRED_MUST_USE_KERBEROS: + case CRED_USE_KERBEROS_REQUIRED: if (b) { - krb5_state = CRED_AUTO_USE_KERBEROS; + krb5_state = CRED_USE_KERBEROS_DESIRED; } break; - case CRED_AUTO_USE_KERBEROS: + case CRED_USE_KERBEROS_DESIRED: if (!b) { - krb5_state = CRED_MUST_USE_KERBEROS; + krb5_state = CRED_USE_KERBEROS_REQUIRED; } break; - case CRED_DONT_USE_KERBEROS: + case CRED_USE_KERBEROS_DISABLED: /* nothing to do */ break; } @@ -360,7 +360,7 @@ bool get_cmdline_auth_info_fallback_after_kerberos(const struct user_auth_info * krb5_state = cli_credentials_get_kerberos_state(auth_info->creds); - if (krb5_state == CRED_AUTO_USE_KERBEROS) { + if (krb5_state == CRED_USE_KERBEROS_DESIRED) { return true; } diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 87beeafe3ed..90ffa040ec0 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -158,7 +158,7 @@ static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads, use_spnego_principal = false; } - if (krb5_state == CRED_DONT_USE_KERBEROS) { + if (krb5_state == CRED_USE_KERBEROS_DISABLED) { use_spnego_principal = false; } @@ -565,7 +565,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) { status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", - CRED_MUST_USE_KERBEROS, + CRED_USE_KERBEROS_REQUIRED, p.service, p.hostname, blob); if (ADS_ERR_OK(status)) { @@ -581,7 +581,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) if (ADS_ERR_OK(status)) { status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", - CRED_MUST_USE_KERBEROS, + CRED_USE_KERBEROS_REQUIRED, p.service, p.hostname, blob); if (!ADS_ERR_OK(status)) { @@ -616,7 +616,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) library for HMAC_MD4 encryption */ mech = "NTLMSSP"; status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", - CRED_DONT_USE_KERBEROS, + CRED_USE_KERBEROS_DISABLED, p.service, p.hostname, data_blob_null); done: diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index f3bf27e6c00..bd3aeec9434 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -1707,7 +1707,7 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx, if (use_kerberos) { cli_credentials_set_kerberos_state(cli_creds, - CRED_MUST_USE_KERBEROS); + CRED_USE_KERBEROS_REQUIRED); } status = cli_full_connection_creds(&cli, NULL, diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index bdc709f3e01..c0c03fbdd23 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -124,13 +124,13 @@ struct cli_credentials *cli_session_creds_init(TALLOC_CTX *mem_ctx, if (use_kerberos && fallback_after_kerberos) { cli_credentials_set_kerberos_state(creds, - CRED_AUTO_USE_KERBEROS); + CRED_USE_KERBEROS_DESIRED); } else if (use_kerberos) { cli_credentials_set_kerberos_state(creds, - CRED_MUST_USE_KERBEROS); + CRED_USE_KERBEROS_REQUIRED); } else { cli_credentials_set_kerberos_state(creds, - CRED_DONT_USE_KERBEROS); + CRED_USE_KERBEROS_DISABLED); } if (use_ccache) { @@ -255,7 +255,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, krb5_state = cli_credentials_get_kerberos_state(creds); - if (krb5_state != CRED_DONT_USE_KERBEROS) { + if (krb5_state != CRED_USE_KERBEROS_DISABLED) { try_kerberos = true; } @@ -275,7 +275,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, try_kerberos = false; } - if (krb5_state == CRED_MUST_USE_KERBEROS && !try_kerberos) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED && !try_kerberos) { DEBUG(0, ("Kerberos auth with '%s' (%s\\%s) to access " "'%s' not possible\n", user_principal, user_domain, user_account, @@ -286,7 +286,7 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, if (pass == NULL || strlen(pass) == 0) { need_kinit = false; - } else if (krb5_state == CRED_MUST_USE_KERBEROS) { + } else if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { need_kinit = try_kerberos; } else { need_kinit = try_kerberos; @@ -321,14 +321,14 @@ NTSTATUS cli_session_creds_prepare_krb5(struct cli_state *cli, if (ret != 0) { int dbglvl = DBGLVL_NOTICE; - if (krb5_state == CRED_MUST_USE_KERBEROS) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { dbglvl = DBGLVL_ERR; } DEBUG(dbglvl, ("Kinit for %s to access %s failed: %s\n", user_principal, target_hostname, error_message(ret))); - if (krb5_state == CRED_MUST_USE_KERBEROS) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { TALLOC_FREE(frame); return krb5_to_nt_status(ret); } diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c index a598d75fb04..71ba5dc2b2e 100644 --- a/source3/passdb/passdb.c +++ b/source3/passdb/passdb.c @@ -2631,7 +2631,7 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, /* * It's not possible to use NTLMSSP with a domain trust account. */ - cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS); + cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED); } else { /* * We can't use kerberos against an NT4 domain. @@ -2639,7 +2639,7 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, * We should have a mode that also disallows NTLMSSP here, * as only NETLOGON SCHANNEL is possible. */ - cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); + cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED); } ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED); @@ -2657,7 +2657,7 @@ NTSTATUS pdb_get_trust_credentials(const char *netbios_domain, /* * We currently can't do kerberos just with an NTHASH. */ - cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); + cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED); goto done; } diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c index 276bda88efc..93e8f5bebe6 100644 --- a/source3/passdb/pdb_samba_dsdb.c +++ b/source3/passdb/pdb_samba_dsdb.c @@ -2599,13 +2599,13 @@ static NTSTATUS pdb_samba_dsdb_get_trusteddom_creds(struct pdb_methods *m, * Force kerberos if this is an active directory domain */ cli_credentials_set_kerberos_state(creds, - CRED_MUST_USE_KERBEROS); + CRED_USE_KERBEROS_REQUIRED); } else { /* * TODO: we should allow krb5 with the raw nt hash. */ cli_credentials_set_kerberos_state(creds, - CRED_DONT_USE_KERBEROS); + CRED_USE_KERBEROS_DISABLED); } *_creds = talloc_move(mem_ctx, &creds); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 074d01828ad..5ab559614f7 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2655,7 +2655,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx, NAME_NT_AUTHORITY, /* domain */ "SYSTEM", NULL, /* password */ - CRED_DONT_USE_KERBEROS, + CRED_USE_KERBEROS_DISABLED, NULL, /* netlogon_creds_CredentialState */ presult); } diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 575a42ebf70..a38f69f5592 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -810,19 +810,19 @@ static NTSTATUS do_cmd(struct cli_state *cli, case DCERPC_AUTH_TYPE_SPNEGO: switch (pipe_default_auth_spnego_type) { case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: - krb5_state = CRED_DONT_USE_KERBEROS; + krb5_state = CRED_USE_KERBEROS_DISABLED; break; case PIPE_AUTH_TYPE_SPNEGO_KRB5: - krb5_state = CRED_MUST_USE_KERBEROS; + krb5_state = CRED_USE_KERBEROS_REQUIRED; break; case PIPE_AUTH_TYPE_SPNEGO_NONE: - krb5_state = CRED_AUTO_USE_KERBEROS; + krb5_state = CRED_USE_KERBEROS_DESIRED; break; } FALL_THROUGH; case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_KRB5: - if (krb5_state != CRED_AUTO_USE_KERBEROS) { + if (krb5_state != CRED_USE_KERBEROS_DESIRED) { cli_credentials_set_kerberos_state(creds, krb5_state); } diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 9a3491ee917..bcb9c9d5dde 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2515,7 +2515,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char * talloc_destroy(mem_ctx); return -1; } - cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS); + cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED); nt_status = cli_full_connection_creds(&cli, lp_netbios_name(), servername, &server_ss, 0, diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c index 5829d891075..6c5321db0fd 100644 --- a/source3/utils/net_util.c +++ b/source3/utils/net_util.c @@ -493,13 +493,13 @@ struct cli_credentials *net_context_creds(struct net_context *c, if (c->opt_kerberos && c->opt_user_specified) { cli_credentials_set_kerberos_state(creds, - CRED_AUTO_USE_KERBEROS); + CRED_USE_KERBEROS_DESIRED); } else if (c->opt_kerberos) { cli_credentials_set_kerberos_state(creds, - CRED_MUST_USE_KERBEROS); + CRED_USE_KERBEROS_REQUIRED); } else { cli_credentials_set_kerberos_state(creds, - CRED_DONT_USE_KERBEROS); + CRED_USE_KERBEROS_DISABLED); } if (c->opt_ccache) { diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index bc14d2f228f..0370803167f 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1365,9 +1365,9 @@ static NTSTATUS ntlm_auth_prepare_gensec_server(TALLOC_CTX *mem_ctx, cli_credentials_set_conf(server_credentials, lp_ctx); if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC || lp_security() == SEC_ADS || USE_KERBEROS_KEYTAB) { - cli_credentials_set_kerberos_state(server_credentials, CRED_AUTO_USE_KERBEROS); + cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DESIRED); } else { - cli_credentials_set_kerberos_state(server_credentials, CRED_DONT_USE_KERBEROS); + cli_credentials_set_kerberos_state(server_credentials, CRED_USE_KERBEROS_DISABLED); } nt_status = gensec_server_start(tmp_ctx, gensec_settings, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index e7399434536..4c1ccb479ff 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -707,7 +707,7 @@ static NTSTATUS cm_get_ipc_credentials(TALLOC_CTX *mem_ctx, } cli_credentials_set_conf(creds, lp_ctx); - cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS); + cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED); ok = cli_credentials_set_domain(creds, netbios_domain, CRED_SPECIFIED); if (!ok) { diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 1b0852795fd..2a261a1664f 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1557,7 +1557,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi } /* This credential handle isn't useful for password authentication, so ensure nobody tries to do that */ - cli_credentials_set_kerberos_state(session_info->credentials, CRED_MUST_USE_KERBEROS); + cli_credentials_set_kerberos_state(session_info->credentials, CRED_USE_KERBEROS_REQUIRED); /* It has been taken from this place... */ gensec_gssapi_state->delegated_cred_handle = GSS_C_NO_CREDENTIAL; diff --git a/source4/auth/session.c b/source4/auth/session.c index c5fc226a7d7..8e44dcd24f1 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -295,7 +295,7 @@ struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx, /* This credential handle isn't useful for password * authentication, so ensure nobody tries to do that */ cli_credentials_set_kerberos_state(creds, - CRED_MUST_USE_KERBEROS); + CRED_USE_KERBEROS_REQUIRED); } #endif diff --git a/source4/lib/cmdline/popt_credentials.c b/source4/lib/cmdline/popt_credentials.c index 5dd61f6339c..7d8963da99e 100644 --- a/source4/lib/cmdline/popt_credentials.c +++ b/source4/lib/cmdline/popt_credentials.c @@ -120,8 +120,8 @@ static void popt_common_credentials_callback(poptContext con, cli_credentials_set_kerberos_state( popt_get_cmdline_credentials(), use_kerberos - ? CRED_MUST_USE_KERBEROS - : CRED_DONT_USE_KERBEROS); + ? CRED_USE_KERBEROS_REQUIRED + : CRED_USE_KERBEROS_DISABLED); break; } diff --git a/source4/torture/ldap/session_expiry.c b/source4/torture/ldap/session_expiry.c index 35dda439b17..e5e38450745 100644 --- a/source4/torture/ldap/session_expiry.c +++ b/source4/torture/ldap/session_expiry.c @@ -55,7 +55,7 @@ bool torture_ldap_session_expiry(struct torture_context *torture) torture, url!=NULL, ret, fail, "talloc_asprintf failed"); cli_credentials_set_kerberos_state( - credentials, CRED_MUST_USE_KERBEROS); + credentials, CRED_USE_KERBEROS_REQUIRED); ok = lpcfg_set_option( torture->lp_ctx, "gensec_gssapi:requested_life_time=4"); diff --git a/source4/torture/raw/session.c b/source4/torture/raw/session.c index 0c460ae3069..e246d25e9fb 100644 --- a/source4/torture/raw/session.c +++ b/source4/torture/raw/session.c @@ -245,12 +245,12 @@ static bool test_session_expire1(struct torture_context *tctx) use_kerberos = cli_credentials_get_kerberos_state( popt_get_cmdline_credentials()); - if (use_kerberos != CRED_MUST_USE_KERBEROS) { + if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) { torture_warning(tctx, "smb2.session.expire1 requires -k yes!"); torture_skip(tctx, "smb2.session.expire1 requires -k yes!"); } - torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS, + torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED, "please use -k yes"); lpcfg_set_option(tctx->lp_ctx, "gensec_gssapi:requested_life_time=4"); diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index fff0b1aacbd..a5755041040 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -965,8 +965,8 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture) torture_assert(torture, s->join_ctx2 != NULL, "Failed to join domain with acct_flags=ACB_WSTRUST"); - cli_credentials_set_kerberos_state(s->wks_creds1, CRED_DONT_USE_KERBEROS); - cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS); + cli_credentials_set_kerberos_state(s->wks_creds1, CRED_USE_KERBEROS_DISABLED); + cli_credentials_set_kerberos_state(s->wks_creds2, CRED_USE_KERBEROS_DISABLED); for (i=0; i < s->nprocs; i++) { struct cli_credentials *wks = s->wks_creds1; diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c index 07c6faebb15..701dfc10a07 100644 --- a/source4/torture/smb2/session.c +++ b/source4/torture/smb2/session.c @@ -956,7 +956,7 @@ bool test_session_reauth6(struct torture_context *tctx, struct smb2_tree *tree) krb_state = cli_credentials_get_kerberos_state( popt_get_cmdline_credentials()); - if (krb_state == CRED_MUST_USE_KERBEROS) { + if (krb_state == CRED_USE_KERBEROS_REQUIRED) { torture_skip(tctx, "Can't test failing session setup with kerberos."); } @@ -1064,12 +1064,12 @@ static bool test_session_expire1i(struct torture_context *tctx, size_t i; use_kerberos = cli_credentials_get_kerberos_state(credentials); - if (use_kerberos != CRED_MUST_USE_KERBEROS) { + if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) { torture_warning(tctx, "smb2.session.expire1 requires -k yes!"); torture_skip(tctx, "smb2.session.expire1 requires -k yes!"); } - torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS, + torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED, "please use -k yes"); cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED); @@ -1250,12 +1250,12 @@ static bool test_session_expire2i(struct torture_context *tctx, struct smb2_notify ntf2; use_kerberos = cli_credentials_get_kerberos_state(credentials); - if (use_kerberos != CRED_MUST_USE_KERBEROS) { + if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) { torture_warning(tctx, "smb2.session.expire2 requires -k yes!"); torture_skip(tctx, "smb2.session.expire2 requires -k yes!"); } - torture_assert_int_equal(tctx, use_kerberos, CRED_MUST_USE_KERBEROS, + torture_assert_int_equal(tctx, use_kerberos, CRED_USE_KERBEROS_REQUIRED, "please use -k yes"); cli_credentials_invalidate_ccache(credentials, CRED_SPECIFIED); @@ -1612,7 +1612,7 @@ static bool test_session_expire_disconnect(struct torture_context *tctx) bool connected; use_kerberos = cli_credentials_get_kerberos_state(credentials); - if (use_kerberos != CRED_MUST_USE_KERBEROS) { + if (use_kerberos != CRED_USE_KERBEROS_REQUIRED) { torture_warning(tctx, "smb2.session.expire1 requires -k yes!"); torture_skip(tctx, "smb2.session.expire1 requires -k yes!"); } |