From: Stefan Metzmacher Date: Thu, 7 Nov 2024 12:25:37 +0000 (+0100) Subject: docs-xml/smbdotconf: add "client use krb5 netlogon" option X-Git-Tag: tdb-1.4.13~182 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=41b46cdff19f5ccc67017189b85592035df4a623;p=thirdparty%2Fsamba.git docs-xml/smbdotconf: add "client use krb5 netlogon" option Signed-off-by: Stefan Metzmacher Reviewed-by: Jennifer Sutton
---
diff --git a/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml b/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
new file mode 100644
index 00000000000..ad0fc907903
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/clientusekrb5netlogon.xml
@@ -0,0 +1,48 @@
+ + + This option is experimental for now! + + + This option controls whether winbindd (and other client tools) + try to use ServerAuthenticateKerberos for the netlogon secure channel. + + The behavior can be controlled per netbios domain + by using 'client use krb5 netlogon:NETBIOSDOMAIN = yes|no' as option. + + This option is over-ridden by the option (if it is effectively on) + and lets be yes as well. + + + The 'default' currently maps to 'no'. + + + + A meaning of 'auto' depends on the used kerberos library + and the trust/domain type. + + + + If samba was compiled using '--without-ads' or + '--with-system-heimdalkrb5' it is not possible to + activate the ServerAuthenticateKerberos feature, + as the krb5_init_creds_step() function is not available. + This forces 'auto' to behave as 'no'. + + + + The value of 'auto' maps to 'yes' if the domain + is detected as active directory domain, e.g. + with 'SECURITY = ADS' or on an active directory domain controller. + + + +default +no +auto +yes +
diff --git a/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml b/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
index 202f00ce202..6810bed2896 100644
--- a/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
@@ -23,6 +23,7 @@ by using 'reject aes netlogon servers:NETBIOSDOMAIN = no' as option. This option overrides the option.
+ This option overrides the option (if it is effectively off).
 no
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index aecde4ab8bd..7d7c7493eb2 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2932,6 +2932,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "client schannel", "True");
+ lpcfg_do_global_parameter(lp_ctx, "client use krb5 netlogon", "default");
+
 lpcfg_do_global_parameter(lp_ctx, "smb encrypt", "default");
 lpcfg_do_global_parameter(lp_ctx, "max log size", "5000");
@@ -3681,6 +3683,17 @@ bool lpcfg_server_signing_allowed(struct loadparm_context *lp_ctx, bool *mandato
 return allowed;
 }
+int lpcfg_client_use_krb5_netlogon(struct loadparm_context *lp_ctx)
+{
+ int val = lpcfg__client_use_krb5_netlogon(lp_ctx);
+
+ if (val == LP_ENUM_Default) {
+ val = false;
+ }
+
+ return val;
+}
+
 int lpcfg_tdb_hash_size(struct loadparm_context *lp_ctx, const char *name)
 {
 const char *base;
diff --git a/lib/param/param.h b/lib/param/param.h
index aed48c1660c..02a21280d80 100644
--- a/lib/param/param.h
+++ b/lib/param/param.h
@@ -41,6 +41,7 @@ struct param_context;
 struct smbsrv_connection;
 #define Auto (2)
+#define LP_ENUM_Default (-2)
 struct loadparm_context;
 struct loadparm_service;
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index f2a5a7ec40d..0283569882a 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -91,6 +91,18 @@ static const struct enum_list enum_bool_auto[] = {
 {-1, NULL}
 };
+static const struct enum_list enum_bool_auto_default[] = {
+ {false, "No"},
+ {false, "False"},
+ {false, "0"},
+ {true, "Yes"},
+ {true, "True"},
+ {true, "1"},
+ {Auto, "Auto"},
+ {LP_ENUM_Default, "default"},
+ {-1, NULL}
+};
+
 static const struct enum_list enum_csc_policy[] = {
 {CSC_POLICY_MANUAL, "manual"},
 {CSC_POLICY_DOCUMENTS, "documents"},
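Review bot: lpcfg_client_use_krb5_netlogon() collapses only LP_ENUM_Default to false and passes Auto (2) straight through, so a caller that tests the result as a plain boolean will treat 'auto' as 'yes' before the library/domain-type detection described in the new documentation has been applied. A header comment on the function stating the contract, e.g. `/* Returns false, true or Auto; 'default' is resolved to false here, Auto is left for the caller to resolve */`, would make that explicit. The override by the related option that the new XML describes is not visible in this function; if it is meant to apply to this accessor too it presumably happens in the caller, which is worth confirming. The value range of lpcfg__client_use_krb5_netlogon() is not visible in this hunk.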
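Review bot: `#define LP_ENUM_Default (-2)` is added beside `Auto (2)` with no comment, and its value sits right next to the `-1` that the enum_list tables in param_table.c use as their terminator, so nothing tells a reader that the two must stay distinct. A one-line comment such as `/* 'default' marker for enum tables; must never equal the {-1, NULL} terminator */` would record that constraint where the value is defined.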
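Review bot: In enum_bool_auto_default the new label is lowercase "default" while every other label in this table and in enum_bool_auto is capitalized ("No", "Yes", "Auto"); if the lookup is case-insensitive this is cosmetic, but the casing is inconsistent either way and `{LP_ENUM_Default, "Default"},` would match the rest. The first seven entries duplicate enum_bool_auto verbatim, so a comment above the table such as `/* enum_bool_auto plus a 'default' marker (LP_ENUM_Default); keep in sync */` would tell a maintainer the two tables are meant to stay aligned.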
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 3710c8bd719..71a40e55d7c 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -670,6 +670,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
 Globals.winbind_sealed_pipes = true;
 Globals.require_strong_key = true;
 Globals.reject_md5_servers = true;
+ Globals._client_use_krb5_netlogon = LP_ENUM_Default;
 Globals.server_schannel = true;
 Globals.server_schannel_require_seal = true;
 Globals.reject_md5_clients = true;
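Review bot: `Globals._client_use_krb5_netlogon = LP_ENUM_Default;` is placed among hardened boolean defaults (require_strong_key, reject_md5_servers set to true) with no comment on why this option starts off, and it is the only field here holding an enum marker rather than a bool. A short comment, e.g. `/* experimental; the lib/param accessor resolves 'default' to 'no' */`, would record the intent for whoever later revisits the default. The underscore-prefixed field and its type are declared outside this hunk, and loadparm_s3_init_globals continues beyond it.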