gpo: Certificate Auto Enrollment default Kerberos auth
authorDavid Mulder <dmulder@suse.com>
Mon, 4 Apr 2022 16:33:15 +0000 (10:33 -0600)
committerJeremy Allison <jra@samba.org>
Tue, 5 Apr 2022 00:54:37 +0000 (00:54 +0000)
Certificate Auto Enrollment uses Kerberos to
authenticate to AD. If someone configures their
cepces.conf to use a different default
authentication, then samba-gpupdate fails. Force
Kerberos auth from samba-gpupdate.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
python/samba/gp_cert_auto_enroll_ext.py
python/samba/tests/bin/cepces-submit

index b61aaf7b985857ae8b2daf3fcf4b43b35d2fad99..061d2c06c20470bdcfac89798abe1e23adf78e2e 100644 (file)
@@ -82,8 +82,8 @@ def get_supported_templates(server):
     if os.path.exists(cepces_submit):
         env = os.environ
         env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
-        p = Popen([cepces_submit, '--server=%s' % server], env=env,
-                       stdout=PIPE, stderr=PIPE)
+        p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
+                       env=env, stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         if p.returncode != 0:
             log.warn('Failed to fetch the list of supported templates.')
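Review bot: The literal `'--auth=Kerberos'` added here is repeated verbatim in the cert_enroll hunk below, the second time embedded in a %-formatted string, so a future change to the auth mode has to be made in two places; a single module-level constant, e.g. `CEPCES_AUTH_ARG = '--auth=Kerberos'`, used by both call sites would keep them from drifting apart. Passing it as its own argv element to Popen without a shell, as this hunk does, is the right shape. get_supported_templates starts before the hunk and its body continues past it.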
@@ -136,7 +136,8 @@ def cert_enroll(ca, trust_dir, private_dir):
     cepces_submit = find_cepces_submit()
     if getcert is not None and os.path.exists(cepces_submit):
         p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
-                  '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
+                  '%s --server=%s --auth=Kerberos' % (cepces_submit,
+                  ca['dNSHostName'][0])],
                   stdout=PIPE, stderr=PIPE)
         out, err = p.communicate()
         log.debug(out.decode())
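Review bot: The rewritten `-e` argument is still one string that certmonger re-tokenizes when it later runs the helper, so a `cepces_submit` path or `ca['dNSHostName'][0]` value containing whitespace would split into extra arguments, whereas the GET-SUPPORTED-TEMPLATES hunk above hands the same values to Popen as separate argv elements and has no such problem. Since the commit already rewrites this line, validating the hostname before interpolation (rejecting whitespace or shell metacharacters), or quoting both pieces with `shlex.quote()` if certmonger's tokenizer honours shell quoting (worth confirming), would close the gap. cert_enroll starts before the hunk and continues past it.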
index 1f9d57c6bfb3523543c3e48801f5a44001823aa4..668682a9f586e70aff49a2ad85dbad14856039a4 100755 (executable)
@@ -7,9 +7,11 @@ sys.path.insert(0, "bin/python")
 if __name__ == "__main__":
     parser = optparse.OptionParser('cepces-submit [options]')
     parser.add_option('--server')
+    parser.add_option('--auth')
 
     (opts, args) = parser.parse_args()
     assert opts.server is not None
+    assert opts.auth == 'Kerberos'
     if 'CERTMONGER_OPERATION' in os.environ and \
        os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES':
         print('Machine') # Report a Machine template
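Review bot: `assert opts.auth == 'Kerberos'` is compiled out under `python -O`, so this test helper would then accept any `--auth` value, or none, and no longer detect a caller that stops forcing Kerberos; an explicit check survives optimisation, e.g. `if opts.auth != 'Kerberos': parser.error('--auth=Kerberos is required')`. The pre-existing `assert opts.server is not None` has the same weakness. The `if __name__ == "__main__":` block continues past the hunk.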