Trust accounts can only use kerberos when contacting other AD domains,
using NTLMSSP will fail.
At the same time it doesn't make sense to try kerberos for NT4 domains,
still NTLMSSP will fail, but the callers has to deal with that
case and just fallback to an anonymous SMB connection.
In all cases we should be able to use NETLOGON SCHANNEL
over any anonymous smb or tcp transport.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12598
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d961ae9d14b46708d2693ca91ace04f9f1a53ca2)
status = NT_STATUS_NO_MEMORY;
goto fail;
}
+
+ /*
+ * It's not possible to use NTLMSSP with a domain trust account.
+ */
+ cli_credentials_set_kerberos_state(creds, CRED_MUST_USE_KERBEROS);
+ } else {
+ /*
+ * We can't use kerberos against an NT4 domain.
+ *
+ * We should have a mode that also disallows NTLMSSP here,
+ * as only NETLOGON SCHANNEL is possible.
+ */
+ cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
}
ok = cli_credentials_set_username(creds, account_name, CRED_SPECIFIED);
status = NT_STATUS_NO_MEMORY;
goto fail;
}
+ /*
+ * We currently can't do kerberos just with an NTHASH.
+ */
+ cli_credentials_set_kerberos_state(creds, CRED_DONT_USE_KERBEROS);
goto done;
}
projects / thirdparty / samba.git / commitdiff
