return creds->krb_forwardable;
}
-_PUBLIC_ void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features)
+_PUBLIC_ bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
+ uint32_t gensec_features,
+ enum credentials_obtained obtained)
{
- creds->gensec_features = gensec_features;
+ if (obtained >= creds->gensec_features_obtained) {
+ creds->gensec_features_obtained = obtained;
+ creds->gensec_features = gensec_features;
+
+ return true;
+ }
+
+ return false;
}
_PUBLIC_ uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds)
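Review bot: The new `obtained` parameter and `bool` return of cli_credentials_set_gensec_features() are undocumented, and the `>=` comparison means a later call at the same level silently replaces the earlier mask. I would add a comment above the definition such as `/* Set the GENSEC feature mask unless a higher-precedence source already set it; returns false and leaves the mask unchanged when the update is refused. */`. Because this mask decides whether signing and sealing are requested, callers need to know that a `false` return leaves the previous value in force.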
break;
}
}
-
- cred->encryption_state_obtained = CRED_SMB_CONF;
}
if (cred->kerberos_state_obtained <= CRED_SMB_CONF) {
cred->kerberos_state = lpcfg_client_use_kerberos(lp_ctx);
cred->kerberos_state_obtained = CRED_SMB_CONF;
}
+
+ if (cred->gensec_features_obtained <= CRED_SMB_CONF) {
+ switch (protection) {
+ case CRED_CLIENT_PROTECTION_DEFAULT:
+ break;
+ case CRED_CLIENT_PROTECTION_PLAIN:
+ cred->gensec_features = 0;
+ break;
+ case CRED_CLIENT_PROTECTION_SIGN:
+ cred->gensec_features = GENSEC_FEATURE_SIGN;
+ break;
+ case CRED_CLIENT_PROTECTION_ENCRYPT:
+ cred->gensec_features =
+ GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL;
+ break;
+ }
+ cred->gensec_features_obtained = CRED_SMB_CONF;
+ }
}
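Review bot: Each assigning case in the `switch (protection)` block overwrites the whole `cred->gensec_features` mask, so PLAIN, SIGN and ENCRYPT also clear any non-SIGN/SEAL bit that was set at or below CRED_SMB_CONF. The call sites on this page set GENSEC_FEATURE_NTLM_CCACHE only with CRED_SPECIFIED, so this may not happen today. If other flags can exist at that level, it would be safer to clear only the protection bits first with `cred->gensec_features &= ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL);` and then OR in the requested ones. The DEFAULT case changes nothing yet still records CRED_SMB_CONF as the source, which deserves a one-line comment. `protection` is declared outside this hunk, and the function body starts before it.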
/**
struct loadparm_context *lp_ctx,
const char *keytab_name,
enum credentials_obtained obtained);
-void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features);
+bool cli_credentials_set_gensec_features(struct cli_credentials *creds,
+ uint32_t gensec_features,
+ enum credentials_obtained obtained);
uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds);
int cli_credentials_set_ccache(struct cli_credentials *cred,
struct loadparm_context *lp_ctx,
enum credentials_obtained ipc_signing_state_obtained;
enum credentials_obtained encryption_state_obtained;
enum credentials_obtained kerberos_state_obtained;
+ enum credentials_obtained gensec_features_obtained;
/* Threshold values (essentially a MAX() over a number of the
* above) for the ccache and GSS credentials, to ensure we
if (!PyArg_ParseTuple(args, "I", &gensec_features))
return NULL;
- cli_credentials_set_gensec_features(creds, gensec_features);
+ cli_credentials_set_gensec_features(creds,
+ gensec_features,
+ CRED_SPECIFIED);
Py_RETURN_NONE;
}
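Review bot: The `bool` now returned by cli_credentials_set_gensec_features() is discarded here, and the same holds for every other call site updated in this patch (the NTLM ccache setters, the signing and encryption option handlers, and the LDAP SASL bind code). With CRED_SPECIFIED the update is presumably always accepted. If it were ever refused, though, the Python caller would still get `None` and the command-line signing and sealing options would be dropped without any error. Either check the result where protection flags are requested, e.g. `if (!cli_credentials_set_gensec_features(creds, gensec_features, CRED_SPECIFIED)) { /* report failure */ }`, or mark the intentional discard with a `(void)` cast and a short comment. The enclosing function starts outside the hunk.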
gensec_features = cli_credentials_get_gensec_features(ctx->creds);
gensec_features |= GENSEC_FEATURE_NTLM_CCACHE;
- cli_credentials_set_gensec_features(ctx->creds, gensec_features);
+ cli_credentials_set_gensec_features(ctx->creds,
+ gensec_features,
+ CRED_SPECIFIED);
return NET_API_STATUS_SUCCESS;
}
gensec_features = cli_credentials_get_gensec_features(auth_info->creds);
gensec_features |= GENSEC_FEATURE_NTLM_CCACHE;
- cli_credentials_set_gensec_features(auth_info->creds, gensec_features);
+ cli_credentials_set_gensec_features(auth_info->creds,
+ gensec_features,
+ CRED_SPECIFIED);
}
bool get_cmdline_auth_info_use_ccache(const struct user_auth_info *auth_info)
features = cli_credentials_get_gensec_features(creds);
features |= GENSEC_FEATURE_NTLM_CCACHE;
- cli_credentials_set_gensec_features(creds, features);
+ cli_credentials_set_gensec_features(creds,
+ features,
+ CRED_SPECIFIED);
if (password != NULL && strlen(password) == 0) {
/*
features = cli_credentials_get_gensec_features(creds);
features |= GENSEC_FEATURE_NTLM_CCACHE;
- cli_credentials_set_gensec_features(creds, features);
+ cli_credentials_set_gensec_features(creds,
+ features,
+ CRED_SPECIFIED);
if (c->opt_password != NULL && strlen(c->opt_password) == 0) {
/*
gensec_features |= GENSEC_FEATURE_SIGN;
cli_credentials_set_gensec_features(
popt_get_cmdline_credentials(),
- gensec_features);
+ gensec_features,
+ CRED_SPECIFIED);
break;
}
case OPT_ENCRYPT:
gensec_features |= GENSEC_FEATURE_SEAL;
cli_credentials_set_gensec_features(
popt_get_cmdline_credentials(),
- gensec_features);
+ gensec_features,
+ CRED_SPECIFIED);
break;
}
}
old_gensec_features = cli_credentials_get_gensec_features(creds);
if (wrap_flags == 0) {
- cli_credentials_set_gensec_features(creds, old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL));
+ cli_credentials_set_gensec_features(creds,
+ old_gensec_features & ~(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL),
+ CRED_SPECIFIED);
}
/* this call also sets the gensec_want_features */
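Review bot: Passing CRED_SPECIFIED for the temporary change here, and again for the restore in the following hunk, raises `gensec_features_obtained` to CRED_SPECIFIED and never puts it back. If the original level was lower, the credentials are still "tattooed" even though the feature mask itself is restored. After this bind, a later `<= CRED_SMB_CONF` check like the one added in the smb.conf hunk would no longer apply the configured signing/sealing protection to these credentials. Consider saving and restoring the obtained level alongside `old_gensec_features`, or applying the override to a copy of the credentials. At minimum the restore comment should state that the obtained level stays at CRED_SPECIFIED. The function body extends beyond both hunks.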
/* reset the original gensec_features (on the credentials
* context, so we don't tatoo it ) */
- cli_credentials_set_gensec_features(creds, old_gensec_features);
+ cli_credentials_set_gensec_features(creds,
+ old_gensec_features,
+ CRED_SPECIFIED);
if (wrap_flags & ADS_AUTH_SASL_SEAL) {
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);