libcli/auth: add netlogon_creds_cli_use_kerberos() helper
authorStefan Metzmacher <metze@samba.org>
Fri, 6 Sep 2024 12:07:15 +0000 (14:07 +0200)
committerStefan Metzmacher <metze@samba.org>
Mon, 13 Jan 2025 23:40:30 +0000 (23:40 +0000)
This allows the calling code to decide if a krb5 or anonymous
netlogon connection should be tried.

Currently we don't try ServerAuthenticateKerberos, but that will change
in a few commits. Before that, we need to prepare the callers...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
libcli/auth/netlogon_creds_cli.c
libcli/auth/netlogon_creds_cli.h

index 2ac5eefc6e7b8690cb2e2cf1138e6b75be80bbe6..c336cfce539895784c4b4d59e7743cd665d42849 100644 (file)
@@ -598,6 +598,24 @@ char *netlogon_creds_cli_debug_string(
                               context->db.key_name);
 }
 
+void netlogon_creds_cli_use_kerberos(
+               struct netlogon_creds_cli_context *context,
+               bool *client_use_krb5_netlogon,
+               bool *reject_aes_servers)
+{
+       *client_use_krb5_netlogon = false;
+       *reject_aes_servers = false;
+
+       if (context->client.required_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               *client_use_krb5_netlogon = true;
+               *reject_aes_servers = true;
+       }
+
+       if (context->client.proposed_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+               *client_use_krb5_netlogon = true;
+       }
+}
+
 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
                struct netlogon_creds_cli_context *context)
 {
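Review bot: netlogon_creds_cli_use_kerberos() has no comment describing the contract of its two out-parameters, and `reject_aes_servers` is the security-relevant one: it becomes true only when NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH is set in `context->client.required_flags`, not when it is merely in `proposed_flags`. The helper returns void and enforces nothing itself, so a caller that acts only on `client_use_krb5_netlogon` would presumably still fall back to a non-Kerberos netlogon authentication even though Kerberos was configured as required; the callers are outside this hunk, so that has to be checked there. I would add above the function something like `/* Both out-parameters are always written. *reject_aes_servers is true only if Kerberos is required (not just proposed); callers must then fail rather than fall back. */`. As a smaller style point, the function only reads `context`, so the parameter could be `const struct netlogon_creds_cli_context *context` here and in the header prototype, matching netlogon_creds_cli_debug_string().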
index 600242e1aea78cc3a9ab902ddec988ab7e44ebe1..136760edaebfe72b3707d9ba45adb14a04151eab 100644 (file)
@@ -54,6 +54,11 @@ char *netlogon_creds_cli_debug_string(
                const struct netlogon_creds_cli_context *context,
                TALLOC_CTX *mem_ctx);
 
+void netlogon_creds_cli_use_kerberos(
+               struct netlogon_creds_cli_context *context,
+               bool *client_use_krb5_netlogon,
+               bool *reject_aes_servers);
+
 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
                struct netlogon_creds_cli_context *context);