From: Stefan Metzmacher Date: Wed, 17 Dec 2014 18:42:55 +0000 (+0000) Subject: auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required X-Git-Url: http://git.samba.org/?p=obnox%2Fsamba%2Fsamba-obnox.git;a=commitdiff_plain;h=6ec32d7e127d48c708a53850ad99079fac0dad8e auth/gensec: make sure we keep a DCERPC_AUTH_TYPE_SCHANNEL backend if required Even with CRED_MUST_USE_KERBEROS we should keep the DCERPC_AUTH_TYPE_SCHANNEL backend arround, this can only be specified explicitely by the caller and cli_credentials_get_netlogon_creds() != NULL is the strong indication that the caller is using DCERPC_AUTH_TYPE_SCHANNEL *now*. With trusts against AD domain we can reliable use kerberos and netlogon secure channel for authentication. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett
---
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 9910f1a1917..955cc36f4cb 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -75,9 +75,13 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
 const struct gensec_security_ops **new_gensec_list;
 int i, j, num_mechs_in;
 enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+ bool keep_schannel = false;
 if (creds) {
 use_kerberos = cli_credentials_get_kerberos_state(creds);
+ if (cli_credentials_get_netlogon_creds(creds) != NULL) {
+ keep_schannel = true;
+ }
 }
 for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
@@ -103,6 +107,10 @@ _PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX
 }
 }
+ if (old_gensec_list[i]->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ keep = keep_schannel;
+ }
+
 switch (use_kerberos) {
 case CRED_AUTO_USE_KERBEROS:
 keep = true;
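Review bot: The new `keep_schannel` flag set inside `if (creds)` carries no comment, although it is the one place where a non-Kerberos backend is allowed to survive the filter when the caller asked for CRED_MUST_USE_KERBEROS. The reasoning lives only in the commit message; I would put it next to the check, e.g. `/* netlogon creds set: the caller chose DCERPC_AUTH_TYPE_SCHANNEL explicitly, keep that backend even under CRED_MUST_USE_KERBEROS */`. Because the test is only that netlogon creds are present on the credentials object, it is worth confirming that no caller leaves them attached to credentials that are later reused for a connection meant to be Kerberos-only. The body of gensec_use_kerberos_mechs() starts and ends outside this hunk.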
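Review bot: The assignment `keep = keep_schannel;` sits before `switch (use_kerberos)`, so it does not have the final say: in the visible `case CRED_AUTO_USE_KERBEROS:` branch `keep = true;` runs afterwards and the SCHANNEL backend is kept even when `keep_schannel` is false. The other cases are outside the hunk, so whether they can also override the value cannot be judged from here. The intended precedence should be spelled out in a comment above the new `if`, e.g. `/* schannel can only be requested explicitly by the caller; the switch below may still force keep = true */`. If the intent is instead that the backend is dropped whenever no netlogon creds are present, the check would have to follow the switch rather than precede it.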