From 521f77c6671a0a088dedcdcafd264690c123b0b3 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 19 Aug 2020 15:46:11 +0200 Subject: auth:creds: Add obtained arg to cli_credentials_set_kerberos_state() Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- auth/credentials/credentials.c | 33 +++++++++++++++++++++++++-------- auth/credentials/credentials.h | 5 +++-- auth/credentials/credentials_internal.h | 3 ++- auth/credentials/credentials_krb5.c | 4 +++- auth/credentials/credentials_ntlm.c | 2 +- auth/credentials/credentials_secrets.c | 4 +++- auth/credentials/pycredentials.c | 2 +- auth/credentials/tests/simple.c | 8 ++++++-- 8 files changed, 44 insertions(+), 17 deletions(-) (limited to 'auth') diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c index d851951c9ed..3975fba693f 100644 --- a/auth/credentials/credentials.c +++ b/auth/credentials/credentials.c @@ -44,7 +44,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->winbind_separator = '\\'; - cred->use_kerberos = CRED_USE_KERBEROS_DESIRED; + cred->kerberos_state = CRED_USE_KERBEROS_DESIRED; cred->signing_state = SMB_SIGNING_DEFAULT; @@ -108,10 +108,18 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx) return anon_credentials; } -_PUBLIC_ void cli_credentials_set_kerberos_state(struct cli_credentials *creds, - enum credentials_use_kerberos use_kerberos) +_PUBLIC_ bool cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos kerberos_state, + enum credentials_obtained obtained) { - creds->use_kerberos = use_kerberos; + if (obtained >= creds->kerberos_state_obtained) { + creds->kerberos_state = kerberos_state; + creds->kerberos_state_obtained = obtained; + + return true; + } + + return false; } _PUBLIC_ void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds, 
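Review bot: The new bool result of `cli_credentials_set_kerberos_state()` has no documented contract, and every caller updated in this patch discards it (`cli_credentials_set_anonymous`, `cli_credentials_set_impersonate_principal`, `cli_credentials_set_machine_account_db_ctx`, `py_creds_set_kerberos_state` and the torture test). A caller asking for `CRED_USE_KERBEROS_REQUIRED` or `CRED_USE_KERBEROS_DISABLED` that is outranked would continue with the old state and leave no trace, which matters because the credentials_ntlm.c hunk shows this field deciding whether an NTLM response may be produced. Those callers pass `CRED_SPECIFIED`, presumably the highest level, so the call should not fail there, but the enum is not visible in this diff. I would add a doc comment above the definition stating that the state is stored only when `obtained` is at least `kerberos_state_obtained` (equal levels overwrite, so the last writer wins) and that `false` means the request was ignored, and have callers that depend on the outcome check it, e.g. `if (!cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED, CRED_SPECIFIED)) { DBG_WARNING("Kerberos state not updated\n"); }`.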
@@ -129,7 +137,7 @@ _PUBLIC_ void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, _PUBLIC_ enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds) { - return creds->use_kerberos; + return creds->kerberos_state; } _PUBLIC_ const char *cli_credentials_get_forced_sasl_mech(struct cli_credentials *creds) @@ -982,6 +990,12 @@ _PUBLIC_ void cli_credentials_set_conf(struct cli_credentials *cred, cred->encryption_state = lpcfg_client_smb_encrypt(lp_ctx); cred->encryption_state_obtained = CRED_SMB_CONF; } + + if (cred->kerberos_state_obtained <= CRED_SMB_CONF) { + /* Will be set to default for invalid smb.conf values */ + cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx); + cred->kerberos_state_obtained = CRED_SMB_CONF; + } } /** @@ -1105,7 +1119,9 @@ _PUBLIC_ void cli_credentials_set_anonymous(struct cli_credentials *cred) cli_credentials_set_principal(cred, NULL, CRED_SPECIFIED); cli_credentials_set_realm(cred, NULL, CRED_SPECIFIED); cli_credentials_set_workstation(cred, "", CRED_UNINITIALISED); - cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_DISABLED); + cli_credentials_set_kerberos_state(cred, + CRED_USE_KERBEROS_DISABLED, + CRED_SPECIFIED); } /** @@ -1592,8 +1608,9 @@ _PUBLIC_ void cli_credentials_dump(struct cli_credentials *creds) creds->self_service); DBG_ERR(" Target service: %s\n", creds->target_service); - DBG_ERR(" Kerberos state: %s\n", - krb5_state_to_str(creds->use_kerberos)); + DBG_ERR(" Kerberos state: %s - %s\n", + krb5_state_to_str(creds->kerberos_state), + obtained_to_str(creds->kerberos_state_obtained)); DBG_ERR(" Kerberos forwardable ticket: %s\n", krb5_fwd_to_str(creds->krb_forwardable)); DBG_ERR(" Signing state: %s - %s\n", diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h index 1802e383594..bcbe012ec12 100644 --- a/auth/credentials/credentials.h +++ b/auth/credentials/credentials.h 
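Review bot: The block added to `cli_credentials_set_conf()` writes `kerberos_state` and `kerberos_state_obtained` directly, repeating the precedence rule that this same commit puts into `cli_credentials_set_kerberos_state()`. The test `kerberos_state_obtained <= CRED_SMB_CONF` is the comparison the setter makes when called with `CRED_SMB_CONF`, so the block can become `cli_credentials_set_kerberos_state(cred, lpcfg_client_use_kerberos(lp_ctx), CRED_SMB_CONF);`, which keeps the rule in one place. The comment should also state the policy effect: the smb.conf value replaces the `CRED_USE_KERBEROS_DESIRED` default from `cli_credentials_init()` and any state recorded at `CRED_SMB_CONF` or below, so a configuration that turns Kerberos off applies to every credentials object passing through here unless a caller set the state at a higher level. The body of `cli_credentials_set_conf()` begins outside the hunk.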
@@ -132,8 +132,9 @@ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, const char **error_string); void cli_credentials_set_forced_sasl_mech(struct cli_credentials *creds, const char *sasl_mech); -void cli_credentials_set_kerberos_state(struct cli_credentials *creds, - enum credentials_use_kerberos use_kerberos); +bool cli_credentials_set_kerberos_state(struct cli_credentials *creds, + enum credentials_use_kerberos kerberos_state, + enum credentials_obtained obtained); void cli_credentials_set_krb_forwardable(struct cli_credentials *creds, enum credentials_krb_forwardable krb_forwardable); bool cli_credentials_set_domain(struct cli_credentials *cred, diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h index 3b86b742448..d39ead3b379 100644 --- a/auth/credentials/credentials_internal.h +++ b/auth/credentials/credentials_internal.h @@ -40,6 +40,7 @@ struct cli_credentials { enum credentials_obtained signing_state_obtained; enum credentials_obtained ipc_signing_state_obtained; enum credentials_obtained encryption_state_obtained; + enum credentials_obtained kerberos_state_obtained; /* Threshold values (essentially a MAX() over a number of the * above) for the ccache and GSS credentials, to ensure we @@ -101,7 +102,7 @@ struct cli_credentials { bool machine_account; /* Should we be trying to use kerberos? */ - enum credentials_use_kerberos use_kerberos; + enum credentials_use_kerberos kerberos_state; /* Should we get a forwardable ticket? */ enum credentials_krb_forwardable krb_forwardable; diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c index d7b1c430841..c03d80ac440 100644 --- a/auth/credentials/credentials_krb5.c +++ b/auth/credentials/credentials_krb5.c 
@@ -1433,7 +1433,9 @@ _PUBLIC_ void cli_credentials_set_impersonate_principal(struct cli_credentials * cred->impersonate_principal = talloc_strdup(cred, principal); talloc_free(cred->self_service); cred->self_service = talloc_strdup(cred, self_service); - cli_credentials_set_kerberos_state(cred, CRED_USE_KERBEROS_REQUIRED); + cli_credentials_set_kerberos_state(cred, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); } /* diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c index 1bec60e5dce..49505f64315 100644 --- a/auth/credentials/credentials_ntlm.c +++ b/auth/credentials/credentials_ntlm.c @@ -53,7 +53,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred const struct samr_Password *nt_hash = NULL; int rc; - if (cred->use_kerberos == CRED_USE_KERBEROS_REQUIRED) { + if (cred->kerberos_state == CRED_USE_KERBEROS_REQUIRED) { TALLOC_FREE(frame); return NT_STATUS_INVALID_PARAMETER_MIX; } diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c index 58067a5bece..ab2c9ddeef9 100644 --- a/auth/credentials/credentials_secrets.c +++ b/auth/credentials/credentials_secrets.c @@ -391,7 +391,9 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account_db_ctx(struct cli_credenti break; } } - cli_credentials_set_kerberos_state(cred, use_kerberos); + cli_credentials_set_kerberos_state(cred, + use_kerberos, + CRED_SPECIFIED); cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED); cli_credentials_set_password_last_changed_time(cred, secrets_tdb_lct); cli_credentials_set_secure_channel_type(cred, secrets_tdb_secure_channel_type); diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 4c9ad0bde44..127085f4950 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c 
@@ -569,7 +569,7 @@ static PyObject *py_creds_set_kerberos_state(PyObject *self, PyObject *args) if (!PyArg_ParseTuple(args, "i", &state)) return NULL; - cli_credentials_set_kerberos_state(creds, state); + cli_credentials_set_kerberos_state(creds, state, CRED_SPECIFIED); Py_RETURN_NONE; } diff --git a/auth/credentials/tests/simple.c b/auth/credentials/tests/simple.c index b39d7a2251b..32a9ca7c533 100644 --- a/auth/credentials/tests/simple.c +++ b/auth/credentials/tests/simple.c @@ -73,7 +73,9 @@ static bool test_guess(struct torture_context *tctx) const char *passwd_fd = getenv("PASSWD_FD"); const char *passwd_file = getenv("PASSWD_FILE"); - cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_REQUIRED); + cli_credentials_set_kerberos_state(creds, + CRED_USE_KERBEROS_REQUIRED, + CRED_SPECIFIED); unsetenv("USER"); unsetenv("PASSWD_FD"); @@ -98,7 +100,9 @@ static bool test_guess(struct torture_context *tctx) if (passwd_file != NULL) { setenv("PASSWD_FILE", passwd_file, 1); } - cli_credentials_set_kerberos_state(creds, old_kerb_state); + cli_credentials_set_kerberos_state(creds, + old_kerb_state, + CRED_SPECIFIED); return true; } -- cgit v1.2.1
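Review bot: `py_creds_set_kerberos_state()` passes the integer parsed by `PyArg_ParseTuple(args, "i", &state)` straight into the setter without checking that it is one of the `credentials_use_kerberos` values, and it returns `None` whatever the setter's new bool result is. An out-of-range value would be stored and later compared against `CRED_USE_KERBEROS_REQUIRED` (as in the credentials_ntlm.c hunk), where it matches nothing, so a mistake in a script becomes an unintended authentication policy instead of an error. I would reject unknown values with `ValueError` and raise when the setter returns `false`, as in the fence below. The function begins outside the hunk, so the declaration of `state` is not visible here.

```c
	if (!PyArg_ParseTuple(args, "i", &state))
		return NULL;

	/* Accept only the states the credentials code knows about. */
	switch (state) {
	case CRED_USE_KERBEROS_DISABLED:
	case CRED_USE_KERBEROS_DESIRED:
	case CRED_USE_KERBEROS_REQUIRED:
		break;
	default:
		PyErr_SetString(PyExc_ValueError, "invalid Kerberos state");
		return NULL;
	}

	if (!cli_credentials_set_kerberos_state(creds, state, CRED_SPECIFIED)) {
		PyErr_SetString(PyExc_RuntimeError,
				"Kerberos state was not updated");
		return NULL;
	}
```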
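Review bot: Neither `test_guess()` hunk exercises the precedence rule this commit introduces: both calls pass `CRED_SPECIFIED` and ignore the result, so a regression in the `obtained` comparison would go unnoticed. A check such as `torture_assert(tctx, !cli_credentials_set_kerberos_state(creds, CRED_USE_KERBEROS_DISABLED, CRED_SMB_CONF), "lower-precedence Kerberos state must be rejected");` placed after the first call would pin the behaviour that protects an explicit `CRED_USE_KERBEROS_REQUIRED`. The restore at the end of the function puts back `old_kerb_state` but leaves the obtained level at `CRED_SPECIFIED`, which deserves a comment if it is intended. `test_guess()` starts before the first hunk.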