From 1298280a22ef7494fb85a6a5953bae15d22fa204 Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 20 Aug 2020 09:40:41 +0200
Subject: auth:creds: Rename CRED_USE_KERBEROS values

Signed-off-by: Andreas Schneider
Reviewed-by: Alexander Bokovoy
---
 auth/credentials/credentials.c | 8 +++++---
 auth/credentials/credentials.h | 9 ++++++---
 auth/credentials/credentials_krb5.c | 4 ++--
 auth/credentials/credentials_ntlm.c | 2 +-
 auth/credentials/credentials_secrets.c | 5 +++--
 auth/credentials/pycredentials.c | 6 +++---
 auth/credentials/tests/simple.c | 2 +-
 auth/credentials/wscript_build | 2 +-
 auth/gensec/gensec_start.c | 8 ++++----
 9 files changed, 26 insertions(+), 20 deletions(-)
(limited to 'auth')
diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 77c35dd104b..1bdd6f15a09 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -44,6 +44,8 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 cred->winbind_separator = '\\';
+ cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;
+
 cred->signing_state = SMB_SIGNING_DEFAULT;
 /*
@@ -360,7 +362,7 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
 return true;
 }
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
 return true;
 }
@@ -1018,7 +1020,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
 }
 if (lp_ctx != NULL &&
- cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) {
+ cli_credentials_get_kerberos_state(cred) != CRED_USE_KERBEROS_DISABLED) {
 cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE, &error_string);
 }
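Review bot: The new `cred->use_kerberos = CRED_USE_KERBEROS_DESIRED;` in the cli_credentials_init hunk has no comment saying that it is now load-bearing. The same commit moves value 0 of enum credentials_use_kerberos from the old "auto" default to CRED_USE_KERBEROS_DISABLED, so, assuming the structure is zero-allocated before this point, dropping the line would switch every client to Kerberos disabled. A comment such as `/* 0 is CRED_USE_KERBEROS_DISABLED, so the default has to be set explicitly */` would keep a later cleanup from removing it. Any cli_credentials that is zeroed without passing through this function would presumably start with Kerberos disabled; whether such a path exists cannot be seen from this hunk, whose function body starts and ends outside it.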
@@ -1097,7 +1099,7 @@ _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred)
 cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED);
 cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED);
 cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED);
- cli_credentials_set_kerberos_state(cred, CRED_DONT_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED);
 }
 /**
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 4c140615751..f468b8558dd 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -53,9 +53,12 @@ enum credentials_obtained {
 };
 enum credentials_use_kerberos {
- CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
- CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
- CRED_MUST_USE_KERBEROS /* Sometimes administrators are paranoid, so always do kerberos */
+ /** Sometimes trying kerberos just does 'bad things', so don't */
+ CRED_USE_KERBEROS_DISABLED = 0,
+ /** Default, we try kerberos if available */
+ CRED_USE_KERBEROS_DESIRED,
+ /** Sometimes administrators are paranoid, so always do kerberos */
+ CRED_USE_KERBEROS_REQUIRED,
 };
 enum credentials_krb_forwardable {
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c321f713130..d7b1c430841 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -873,7 +873,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, &ccache, error_string);
 if (ret) {
- if (cli_credentials_get_kerberos_state(cred) == CRED_MUST_USE_KERBEROS) {
+ if (cli_credentials_get_kerberos_state(cred) == CRED_USE_KERBEROS_REQUIRED) {
 DEBUG(1, ("Failed to get kerberos credentials (kerberos required): %s\n", *error_string));
 } else {
 DEBUG(4, ("Failed to get kerberos credentials: %s\n", *error_string));
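Review bot: The credentials.h hunk renumbers the enum as well as renaming it, and neither the new doc comments nor the commit subject say so: 0 changes from "try Kerberos if available" to CRED_USE_KERBEROS_DISABLED, and 1 changes from "don't" to CRED_USE_KERBEROS_DESIRED. The pycredentials.c hunk keeps the Python names AUTO_USE_KERBEROS and DONT_USE_KERBEROS but binds them to the swapped numbers, so a script or stored setting that uses the literal integers would silently flip between the two modes. For a value that now means disabled, the gensec_start.c switch keeps only the non-Kerberos mechanisms. I would add a comment above the enum, for example `/* Renumbered with vnum 1.0.0: 0 used to mean "desired" and now means "disabled"; never store or pass raw integers. */`, and mention the renumbering in the commit message.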
@@ -1433,7 +1433,7 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials *
 cred->impersonate_principal = talloc_strdup(cred, principal);
 talloc_free(cred->self_service);
 cred->self_service = talloc_strdup(cred, self_service);
- cli_credentials_set_kerberos_state(cred, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED);
 }
 /*
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index f1b22a6c9e2..1bec60e5dce 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -53,7 +53,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 const struct samr_Password *nt_hash = NULL;
 int rc;
- if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
+ if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) {
 TALLOC_FREE(frame);
 return NT_STATUS_INVALID_PARAMETER_MIX;
 }
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 52a89d4d5b4..58067a5bece 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -370,7 +370,8 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 }
 if (secrets_tdb_password_more_recent) {
- enum credentials_use_kerberos use_kerberos = CRED_DONT_USE_KERBEROS;
+ enum credentials_use_kerberos use_kerberos =
+ CRED_USE_KERBEROS_DISABLED;
 char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
 cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
@@ -386,7 +387,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti
 FALL_THROUGH;
 case ROLE_ACTIVE_DIRECTORY_DC:
- use_kerberos = CRED_AUTO_USE_KERBEROS;
+ use_kerberos = CRED_USE_KERBEROS_DESIRED;
 break;
 }
 }
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 17c90573f09..95dde276ef7 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1492,9 +1492,9 @@ MODULE_INIT_FUNC(credentials)
 PyModule_AddObject(m, "CALLBACK_RESULT", PyLong_FromLong(CRED_CALLBACK_RESULT));
 PyModule_AddObject(m, "SPECIFIED", PyLong_FromLong(CRED_SPECIFIED));
- PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_AUTO_USE_KERBEROS));
- PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_DONT_USE_KERBEROS));
- PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_MUST_USE_KERBEROS));
+ PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DESIRED));
+ PyModule_AddObject(m, "DONT_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_DISABLED));
+ PyModule_AddObject(m, "MUST_USE_KERBEROS", PyLong_FromLong(CRED_USE_KERBEROS_REQUIRED));
 PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE", PyLong_FromLong(CRED_AUTO_KRB_FORWARDABLE));
 PyModule_AddObject(m, "NO_KRB_FORWARDABLE", PyLong_FromLong(CRED_NO_KRB_FORWARDABLE));
diff --git a/auth/credentials/tests/simple.c b/auth/credentials/tests/simple.c
index 7f122bed3bc..b39d7a2251b 100644
--- a/auth/credentials/tests/simple.c
+++ b/auth/credentials/tests/simple.c
@@ -73,7 +73,7 @@ static bool test_guess(struct torture_context *tctx)
 const char *passwd_fd = getenv("PASSWD_FD");
 const char *passwd_file = getenv("PASSWD_FILE");
- cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+ cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED);
 unsetenv("USER");
 unsetenv("PASSWD_FD");
diff --git a/auth/credentials/wscript_build b/auth/credentials/wscript_build
index 1e3302e3e48..ad16b7d8008 100644
--- a/auth/credentials/wscript_build
+++ b/auth/credentials/wscript_build
@@ -5,7 +5,7 @@ bld.SAMBA_LIBRARY('samba-credentials',
 public_headers='credentials.h',
 pc_files='samba-credentials.pc',
 deps='LIBCRYPTO samba-errors events LIBCLI_AUTH samba-security CREDENTIALS_SECRETS CREDENTIALS_KRB5',
- vnum='0.1.0'
+ vnum='1.0.0'
 )
 bld.SAMBA_SUBSYSTEM('CREDENTIALS_KRB5',
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 4996e13e027..0a484eefcf4 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -119,18 +119,18 @@ static const struct gensec_security_ops **gensec_use_kerberos_mechs(
 }
 switch (use_kerberos) {
- case CRED_AUTO_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DESIRED:
 keep = true;
 break;
- case CRED_DONT_USE_KERBEROS:
+ case CRED_USE_KERBEROS_DISABLED:
 if (old_gensec_list[i]->kerberos == false) {
 keep = true;
 }
 break;
- case CRED_MUST_USE_KERBEROS:
+ case CRED_USE_KERBEROS_REQUIRED:
 if (old_gensec_list[i]->kerberos == true) {
 keep = true;
 }
@@ -158,7 +158,7 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
 TALLOC_CTX *mem_ctx)
 {
 const struct gensec_security_ops * const *backends = gensec_security_all();
- enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+ enum credentials_use_kerberos use_kerberos = CRED_USE_KERBEROS_DESIRED;
 bool keep_schannel = false;
 if (gensec_security != NULL) {
-- cgit v1.2.1