auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required
author: Stefan Metzmacher <metze@samba.org>
Wed, 17 Dec 2014 18:42:55 +0000 (18:42 +0000)
committer: Stefan Metzmacher <metze@samba.org>
Fri, 19 Dec 2014 12:15:13 +0000 (13:15 +0100)
Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL
backend around; this can only be specified explicitly by the caller,
and cli_credentials_get_netlogon_creds() != NULL is the strong indication
that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*.

With trusts against an AD domain we can reliably use kerberos and the netlogon
secure channel for authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec/gensec_start.c

index 9910f1a1917ba004ea4536b1d31dd5ad787b31a8..955cc36f4cb37ab2653bfcdba8fe9d46379677b9 100644 (file)
@@ -75,9 +75,13 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
        const struct gensec_security_ops **new_gensec_list;
        int i, j, num_mechs_in;
        enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+       bool keep_schannel = false;
 
        if (creds) {
                use_kerberos = cli_credentials_get_kerberos_state(creds);
+               if (cli_credentials_get_netlogon_creds(creds) != NULL) {
+                       keep_schannel = true;
+               }
        }
 
        for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
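Review bot: `keep_schannel` is only ever set inside `if (creds)`, so with a NULL `creds` the DCERPC_AUTH_TYPE_SCHANNEL backend is dropped from the returned list unconditionally by the check that consumes this flag; if that is intended (no credentials means no netlogon creds and therefore no schannel), a one-line comment at `bool keep_schannel = false;` stating that the schannel backend is retained only when `cli_credentials_get_netlogon_creds()` returns non-NULL would document the rule the commit message describes, since nothing in the code itself says why netlogon creds are the trigger.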
@@ -103,6 +107,10 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
                        }
                }
 
+               if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+                       keep = keep_schannel;
+               }
+
                switch (use_kerberos) {
                case CRED_AUTO_USE_KERBEROS:
                        keep = true;
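Review bot: the new `keep = keep_schannel;` assignment for the DCERPC_AUTH_TYPE_SCHANNEL backend is placed before `switch (use_kerberos)`, and the visible `case CRED_AUTO_USE_KERBEROS: keep = true;` overwrites it, so with the default CRED_AUTO_USE_KERBEROS state (the initial value of `use_kerberos` in the first hunk) the schannel backend is kept whether or not netlogon creds are present; only the other `use_kerberos` cases, which this hunk does not show, could leave the `keep_schannel` value in place. If `keep_schannel` is meant to be authoritative for the schannel backend, make the schannel test exclusive of the switch, e.g. replace the `}` closing the schannel `if` with `} else switch (use_kerberos) {`, so the kerberos policy never applies to that entry.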