From 1cd233712e1a62d716a1d8b34ff3dca6a8f0f501 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Wed, 19 Aug 2020 11:34:02 +0200
Subject: lib:param: Add 'client use kerberos' config parameter

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 lib/param/loadparm.c    | 14 ++++++++++++++
 lib/param/param_table.c | 12 ++++++++++++
 2 files changed, 26 insertions(+)

(limited to 'lib/param')

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 6a4ae555759..7b0f652c069 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -74,6 +74,7 @@
 #include "libcli/auth/ntlm_check.h"
 #include "lib/crypto/gnutls_helpers.h"
 #include "lib/util/smb_strtox.h"
+#include "auth/credentials/credentials.h"
 
 #ifdef HAVE_HTTPCONNECTENCRYPT
 #include <cups/http.h>
@@ -2947,6 +2948,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				  "client smb encrypt",
 				  "default");
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "client use kerberos",
+				  "desired");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
@@ -3383,6 +3388,15 @@ int lpcfg_client_ipc_signing(struct loadparm_context *lp_ctx)
 	return client_ipc_signing;
 }
 
+enum credentials_use_kerberos lpcfg_client_use_kerberos(struct loadparm_context *lp_ctx)
+{
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		return CRED_USE_KERBEROS_REQUIRED;
+	}
+
+	return lpcfg__client_use_kerberos(lp_ctx);
+}
+
 bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandatory)
 {
 	bool allowed = true;
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index e2f737279dc..b26f0738f09 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -35,6 +35,7 @@
 #include "libcli/smb/smb_constants.h"
 #include "libds/common/roles.h"
 #include "source4/lib/tls/tls.h"
+#include "auth/credentials/credentials.h"
 
 #ifndef N_
 #define N_(x) x
@@ -161,6 +162,17 @@ static const struct enum_list enum_smb_encryption_vals[] = {
 	{-1, NULL}
 };
 
+static const struct enum_list enum_use_kerberos_vals[] = {
+	{CRED_USE_KERBEROS_DESIRED, "desired"},
+	{CRED_USE_KERBEROS_DESIRED, "auto"},
+	{CRED_USE_KERBEROS_REQUIRED, "yes"},
+	{CRED_USE_KERBEROS_REQUIRED, "required"},
+	{CRED_USE_KERBEROS_DISABLED, "no"},
+	{CRED_USE_KERBEROS_DISABLED, "disabled"},
+	{CRED_USE_KERBEROS_DISABLED, "off"},
+	{-1, NULL}
+};
+
 static const struct enum_list enum_mdns_name_values[] = {
 	{MDNS_NAME_NETBIOS, "netbios"},
 	{MDNS_NAME_MDNS, "mdns"},
-- 
cgit v1.2.1