From: David Mulder Date: Mon, 4 Apr 2022 16:33:15 +0000 (-0600) Subject: gpo: Certificate Auto Enrollment default Kerberos auth X-Git-Tag: tevent-0.12.0~172 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=157d2dd77fd92b926350df0def6a3aa6edf823f2;p=thirdparty%2Fsamba.git gpo: Certificate Auto Enrollment default Kerberos auth Certificate Auto Enrollment uses Kerberos to authenticate to AD. If someone configures their cepces.conf to use a different default authentication, then samba-gpupdate fails. Force Kerberos auth from samba-gpupdate. Signed-off-by: David Mulder Reviewed-by: Jeremy Allison
---
diff --git a/python/samba/gp_cert_auto_enroll_ext.py b/python/samba/gp_cert_auto_enroll_ext.py
index b61aaf7b985..061d2c06c20 100644
--- a/python/samba/gp_cert_auto_enroll_ext.py
+++ b/python/samba/gp_cert_auto_enroll_ext.py
@@ -82,8 +82,8 @@ def get_supported_templates(server):
 if os.path.exists(cepces_submit):
 env = os.environ
 env['CERTMONGER_OPERATION'] = 'GET-SUPPORTED-TEMPLATES'
- p = Popen([cepces_submit, '--server=%s' % server], env=env,
- stdout=PIPE, stderr=PIPE)
+ p = Popen([cepces_submit, '--server=%s' % server, '--auth=Kerberos'],
+ env=env, stdout=PIPE, stderr=PIPE)
 out, err = p.communicate()
 if p.returncode != 0:
 log.warn('Failed to fetch the list of supported templates.')
@@ -136,7 +136,8 @@ def cert_enroll(ca, trust_dir, private_dir):
 cepces_submit = find_cepces_submit()
 if getcert is not None and os.path.exists(cepces_submit):
 p = Popen([getcert, 'add-ca', '-c', ca['cn'][0], '-e',
- '%s --server=%s' % (cepces_submit, ca['dNSHostName'][0])],
+ '%s --server=%s --auth=Kerberos' % (cepces_submit,
+ ca['dNSHostName'][0])],
 stdout=PIPE, stderr=PIPE)
 out, err = p.communicate()
 log.debug(out.decode())
diff --git a/python/samba/tests/bin/cepces-submit b/python/samba/tests/bin/cepces-submit
index 1f9d57c6bfb..668682a9f58 100755
--- a/python/samba/tests/bin/cepces-submit
+++ b/python/samba/tests/bin/cepces-submit
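Review bot: In get_supported_templates the `env` handed to the rewritten Popen call is `os.environ` itself, not a copy, so setting `env['CERTMONGER_OPERATION']` changes the environment of the whole samba-gpupdate process. Every child started afterwards without an explicit `env=`, such as the getcert call in cert_enroll, then inherits `GET-SUPPORTED-TEMPLATES` as well. Since this call site is being touched anyway, take a private copy first: `env = os.environ.copy()`. The function starts above the hunk and continues below it, so whether anything later resets the variable is not visible here.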
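Review bot: The `-e` helper string in cert_enroll is built by plain `%` interpolation, so `ca['dNSHostName'][0]` (apparently an attribute read from the directory) lands unquoted between `--server=` and the new `--auth=Kerberos`. That string is presumably split into an argument vector before the helper runs, so whitespace in the attribute or in the cepces_submit path would change the options the helper receives. The forced authentication mode is then no longer guaranteed to be the one in effect. Validate the host name against a strict DNS-name pattern before the call and log and skip the CA when it does not match. Alternatively, if the consumer honours shell-style quoting, wrap both values with `shlex.quote(...)`, which needs `import shlex`. cert_enroll begins before the hunk and runs on after it.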
@@ -7,9 +7,11 @@ sys.path.insert(0, "bin/python") if __name__ == "__main__": parser = optparse.OptionParser('cepces-submit [options]') parser.add_option('--server') + parser.add_option('--auth') (opts, args) = parser.parse_args() assert opts.server is not None + assert opts.auth == 'Kerberos' if 'CERTMONGER_OPERATION' in os.environ and \ os.environ['CERTMONGER_OPERATION'] == 'GET-SUPPORTED-TEMPLATES': print('Machine') # Report a Machine template
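Review bot: The new `assert opts.auth == 'Kerberos'` in the stub carries no message and is removed when Python runs with `-O`, so a caller that stops passing the flag shows up only as a bare AssertionError and a non-zero exit. get_supported_templates reports that exit as the generic "Failed to fetch the list of supported templates." warning, which does not point at the missing flag. A message makes the cause readable: `assert opts.auth == 'Kerberos', 'unexpected --auth value: %r' % opts.auth`. Calling `parser.error(...)` would also survive `-O`. The `if` block that follows the asserts continues past the end of the hunk.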