s3:winbindd: try to use the trust account with kerberos if possible
authorStefan Metzmacher <metze@samba.org>
Tue, 16 Dec 2014 09:05:39 +0000 (09:05 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 18 Dec 2014 05:47:40 +0000 (06:47 +0100)
This trust account is usable for SMB authentication via kerberos,
so we should try that if we think the domain is active directory.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11010

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/winbindd/winbindd_cm.c

index 8ce286f6b265f00b165549ff9e6779b1cb4d70da..4b01348c8f8dba4c2ffd63ec49e3002fd4b40da9 100644 (file)
@@ -902,10 +902,24 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
        const struct winbindd_domain *creds_domain = NULL;
        struct cli_credentials *creds;
        NTSTATUS status;
+       bool force_machine_account = false;
 
        /* If we are a DC and this is not our own domain */
 
-       if (IS_DC && netlogon) {
+       if (!domain->active_directory) {
+               if (!netlogon) {
+                       /*
+                        * For non active directory domains
+                        * we can only use NTLMSSP for SMB.
+                        *
+                        * But the trust account is not allowed
+                        * to use SMB with NTLMSSP.
+                        */
+                       force_machine_account = true;
+               }
+       }
+
+       if (IS_DC && !force_machine_account) {
                creds_domain = domain;
        } else {
                creds_domain = find_our_domain();
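Review bot: The comment kept at `/* If we are a DC and this is not our own domain */` no longer describes the condition below it, which now reads `if (IS_DC && !force_machine_account)`, and the two nested `if`s that set the flag collapse into one predicate. I would fold them into `if (!domain->active_directory && !netlogon) {` with the explanatory block comment moved inside, and reword the stale comment to something like `/* As a DC use the trust account, unless SMB+NTLMSSP is the only option */`. It is worth hedging that everything here hinges on `domain->active_directory` being accurate: if that flag is set for a domain that is in fact not AD, a DC will pick the trust account for an SMB connection that cannot complete with NTLMSSP, so the detection of that flag (outside this hunk) deserves a short note on where it is established. get_trust_credentials starts before this hunk and continues past it.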
@@ -922,15 +936,13 @@ static NTSTATUS get_trust_credentials(struct winbindd_domain *domain,
                goto ipc_fallback;
        }
 
-       if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
-               cli_credentials_set_kerberos_state(creds,
-                                                  CRED_MUST_USE_KERBEROS);
-       }
-
        if (domain->primary && lp_security() == SEC_ADS) {
                cli_credentials_set_kerberos_state(creds,
                                                   CRED_AUTO_USE_KERBEROS);
-       } else if (!domain->active_directory) {
+       } else if (domain->active_directory) {
+               cli_credentials_set_kerberos_state(creds,
+                                                  CRED_MUST_USE_KERBEROS);
+       } else {
                cli_credentials_set_kerberos_state(creds,
                                                   CRED_DONT_USE_KERBEROS);
        }
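Review bot: The new `else if (domain->active_directory)` branch forces `CRED_MUST_USE_KERBEROS` for every non-primary AD domain, including the case where `creds_domain` is our own domain's machine account (the `find_our_domain()` fallback in the earlier hunk), and nothing at this point explains why NTLMSSP is ruled out rather than left as `CRED_AUTO_USE_KERBEROS`. A comment before that branch would save the next reader from re-deriving it: `/* Against an AD domain the trust account can only authenticate with kerberos; never fall back to NTLMSSP here. */`. The dropped `lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC` check was overwritten by the chain that followed it, so its removal does not change behaviour for any domain, which is worth stating in the commit message since the diffstat suggests otherwise. Whether the `ipc_fallback` path at the top of this hunk still covers a Kerberos failure for these domains cannot be seen from here; the rest of the function lies outside the hunk.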