From 4dd2468d5bcd704d8a745f9f3e487e539ae66bbb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 5 Mar 2024 15:33:51 +0100
Subject: [PATCH] s4:gensec_gssapi: make use of gensec_kerberos_possible()

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
 source4/auth/gensec/gensec_gssapi.c | 42 +++++++++--------------------
 1 file changed, 13 insertions(+), 29 deletions(-)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e96ee4d7983..997d073d7e1 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -383,41 +383,25 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
 struct gensec_gssapi_state *gensec_gssapi_state;
 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
 NTSTATUS nt_status;
- const char *target_principal = NULL;
- const char *hostname = gensec_get_target_hostname(gensec_security);
- const char *service = gensec_get_target_service(gensec_security);
- const char *realm = cli_credentials_get_realm(creds);

- target_principal = gensec_get_target_principal(gensec_security);
- if (target_principal != NULL) {
- goto do_start;
- }
+ nt_status = gensec_kerberos_possible(gensec_security);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ char *target_name = NULL;
+ char *cred_name = NULL;

- if (!hostname) {
- DEBUG(3, ("No hostname for target computer passed in, cannot use kerberos for this connection\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- if (is_ipaddress(hostname)) {
- DEBUG(2, ("Cannot do GSSAPI to an IP address\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
- if (strcmp(hostname, "localhost") == 0) {
- DEBUG(2, ("GSSAPI to 'localhost' does not make sense\n"));
- return NT_STATUS_INVALID_PARAMETER;
- }
+ target_name = gensec_get_unparsed_target_principal(gensec_security,
+ gensec_security);
+ cred_name = cli_credentials_get_unparsed_name(creds,
+ gensec_security);
+
+ DBG_NOTICE("Not using kerberos to %s as %s: %s\n",
+ target_name, cred_name, nt_errstr(nt_status));

- if (realm == NULL) {
- char *cred_name = cli_credentials_get_unparsed_name(creds,
- gensec_security);
- DEBUG(3, ("cli_credentials(%s) without realm, "
- "cannot use kerberos for this connection %s/%s\n",
- cred_name, service, hostname));
+ TALLOC_FREE(target_name);
 TALLOC_FREE(cred_name);
- return NT_STATUS_INVALID_PARAMETER;
+ return nt_status;
 }

-do_start:
-
 nt_status = gensec_gssapi_start(gensec_security);
 if (!NT_STATUS_IS_OK(nt_status)) {
 return nt_status;
--
2.47.3
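Review bot: The early return now hands back whatever gensec_kerberos_possible() returns, where every removed check returned NT_STATUS_INVALID_PARAMETER, so a caller that decides to skip this mechanism or try another one based on that specific status may now behave differently; the helper and those callers are outside this hunk and should be checked together. A short comment above the call, for example `/* Returned unchanged: callers see gensec_kerberos_possible()'s status, not NT_STATUS_INVALID_PARAMETER */`, would record the new contract. In the same branch, target_name and cred_name are passed to `%s` in DBG_NOTICE without a NULL check although both come from allocating helpers, so a guard such as `target_name != NULL ? target_name : "<unknown>"` (and the same for cred_name) would keep the notice well-defined. The function body continues past the end of the hunk.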