Change Samba to always use extended security for it's guest logins, (ie,

NTLMSSP with "" username, NULL password), and add --machine-pass (-P) to
all of Samba's clients.

When connecting to an Active Directory DC, you must initiate the CIFS level
session setup with Kerberos, not a guest login.  If you don't, your machine
account is demoted to NT4.

Andrew Bartlett
(This used to be commit 3547cb3def45a90f99f67829a533eac1ccba5e77)

1 files changed, 5 insertions, 7 deletions

diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 3fe6d6457a..a18852a691 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -369,29 +369,27 @@ failed:
 
  BOOL get_krb5_smb_session_key(krb5_context context, krb5_auth_context auth_context, uint8 session_key[16], BOOL remote)
  {
-#ifdef ENCTYPE_ARCFOUR_HMAC
 	krb5_keyblock *skey;
 	krb5_error_code err;
-#endif
 	BOOL ret = False;
 
 	memset(session_key, 0, 16);
 
-#ifdef ENCTYPE_ARCFOUR_HMAC
 	if (remote)
 		err = krb5_auth_con_getremotesubkey(context, auth_context, &skey);
 	else
 		err = krb5_auth_con_getlocalsubkey(context, auth_context, &skey);
 	if (err == 0 && skey != NULL) {
-		if (KRB5_KEY_TYPE(skey) ==
-		    ENCTYPE_ARCFOUR_HMAC
-		    && KRB5_KEY_LENGTH(skey) == 16) {
+		DEBUG(10, ("Got KRB5 session key of length %d\n",  KRB5_KEY_LENGTH(skey)));
+		if (KRB5_KEY_LENGTH(skey) == 16) {
 			memcpy(session_key, KRB5_KEY_DATA(skey), KRB5_KEY_LENGTH(skey));
+			dump_data_pw("KRB5 Session Key:\n", session_key, 16);
 			ret = True;
 		}
 		krb5_free_keyblock(context, skey);
+	} else {
+		DEBUG(10, ("KRB5 error getting session key %d\n", err));
 	}
-#endif /* ENCTYPE_ARCFOUR_HMAC */
 
 	return ret;
  }