From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 27 Apr 2022 10:32:30 +0000 (+0200)
Subject: s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state()
X-Git-Tag: tdb-1.4.11~782
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7ab92ea7e01a89d7d9ede115c576fb221374d6a;p=thirdparty%2Fsamba.git

s3:libads: let ads_sasl_spnego_bind() use cli_credentials_get_kerberos_state()

We should only operate on the creds structure and avoid ads->auth.flags

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index 61127d05556..1b4e8471477 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -642,6 +642,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	NTSTATUS nt_status;
 	ADS_STATUS status;
 	const char *mech = NULL;
+	enum credentials_use_kerberos krb5_state;
 
 	status = ads_generate_service_principal(ads, &p);
 	if (!ADS_ERR_OK(status)) {
@@ -654,8 +655,10 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 		goto done;
 	}
 
+	krb5_state = cli_credentials_get_kerberos_state(creds);
+
 #ifdef HAVE_KRB5
-	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
+	if (krb5_state != CRED_USE_KERBEROS_DISABLED &&
 	    !is_ipaddress(p.hostname))
 	{
 		mech = "KRB5";
@@ -718,7 +721,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	   library for HMAC_MD4 encryption */
 	mech = "NTLMSSP";
 
-	if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+	if (krb5_state == CRED_USE_KERBEROS_REQUIRED) {
 		DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
 		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
 		goto done;