authorAndrew Bartlett <abartlet@samba.org>2006-01-28 12:15:24 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:51:33 -0500
commit44e601b5ad635ba29088fd4c747627dee8d62112 (patch)
treedb7939e1e24dfd0b4e2fdc3a9bb5a447e4922e81 /source4/auth/credentials
parent210d3c1dc760af8e21fbfd5b23e87a1c937051d4 (diff)
downloadsamba-44e601b5ad635ba29088fd4c747627dee8d62112.tar.gz
samba-44e601b5ad635ba29088fd4c747627dee8d62112.tar.bz2
samba-44e601b5ad635ba29088fd4c747627dee8d62112.zip
r13206: This patch finally re-adds a -k option that works reasonably.
From here we can add tests to Samba for kerberos, forcing it on and off. In the process, I also remove the dependency of credentials on GENSEC. This also picks up on the idea of bringing 'set_boolean' into general code from jpeach's cifsdd patch. Andrew Bartlett (This used to be commit 1ac7976ea6e3ad6184c911de5df624c44e7c5228)
Diffstat (limited to 'source4/auth/credentials')
-rw-r--r--source4/auth/credentials/config.mk5
-rw-r--r--source4/auth/credentials/credentials.c17
-rw-r--r--source4/auth/credentials/credentials.h14
-rw-r--r--source4/auth/credentials/credentials_gensec.c77
-rw-r--r--source4/auth/credentials/credentials_ntlm.c4
5 files changed, 30 insertions, 87 deletions
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk
index 5c72630d5a..96c48f7574 100644
--- a/source4/auth/credentials/config.mk
+++ b/source4/auth/credentials/config.mk
@@ -5,10 +5,9 @@ PRIVATE_PROTO_HEADER = credentials_proto.h
OBJ_FILES = credentials.o \
credentials_files.o \
credentials_krb5.o \
- credentials_ntlm.o \
- credentials_gensec.o
+ credentials_ntlm.o
REQUIRED_SUBSYSTEMS = \
- HEIMDAL GENSEC LIBCLI_AUTH LIBLDB SECRETS
+ HEIMDAL LIBCLI_AUTH LIBLDB SECRETS
# End SUBSYSTEM CREDENTIALS
#################################
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index a6bfb15dec..b1554cc9ef 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -24,7 +24,7 @@
#include "includes.h"
#include "librpc/gen_ndr/ndr_samr.h" /* for struct samrPassword */
-
+#include "auth/gensec/gensec.h"
/**
* Create a new credentials structure
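Review bot: The added `#include "auth/gensec/gensec.h"` pulls the GENSEC header back into credentials.c in the same commit that drops GENSEC from REQUIRED_SUBSYSTEMS in config.mk and removes the `gensec_list` field. Nothing in this hunk shows what credentials.c still needs from that header; if it was only there for the type that is no longer referenced, dropping it would leave the credentials subsystem with no GENSEC dependency at all, which appears to be the intent of the change. If code in credentials.c outside the hunk still needs it, a one-line comment naming the reason, `/* needed for ... */` with the actual symbol filled in, would stop the next reader from removing it.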
@@ -54,13 +54,26 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->smb_krb5_context = NULL;
cred->salt_principal = NULL;
cred->machine_account = False;
- cred->gensec_list = NULL;
cred->bind_dn = NULL;
+ cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS);
+
return cred;
}
+void cli_credentials_set_kerberos_state(struct cli_credentials *creds,
+ enum credentials_use_kerberos use_kerberos)
+{
+ creds->use_kerberos = use_kerberos;
+}
+
+enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds)
+{
+ return creds->use_kerberos;
+}
+
+
/**
* Obtain the username for this credentials context.
* @param cred credentials context
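Review bot: `cli_credentials_set_kerberos_state` and `cli_credentials_get_kerberos_state` are added without the Doxygen header that the surrounding functions carry (compare the `Obtain the username for this credentials context` block with its `@param cred` line directly below them). The setter is the control that makes `cli_credentials_get_ntlm_response` refuse with NT_STATUS_ACCESS_DENIED under CRED_MUST_USE_KERBEROS, so its contract is worth stating where the function is defined. I would add `/** Set whether kerberos is auto-selected, forbidden or required for this credentials context; CRED_MUST_USE_KERBEROS makes NTLM response generation fail with NT_STATUS_ACCESS_DENIED. @param creds credentials context @param use_kerberos new state */` above the setter and `/** Obtain the kerberos state of this credentials context. @param creds credentials context @return current enum credentials_use_kerberos value */` above the getter.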
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index 8402676acd..eb4e5c96d0 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -32,15 +32,19 @@ enum credentials_obtained {
CRED_SPECIFIED /* Was explicitly specified on the command-line */
};
+enum credentials_use_kerberos {
+ CRED_AUTO_USE_KERBEROS = 0, /* Default, we try kerberos if available */
+ CRED_DONT_USE_KERBEROS, /* Sometimes trying kerberos just does 'bad things', so don't */
+ CRED_MUST_USE_KERBEROS /* Sometimes administrators are parinoid, so always do kerberos */
+};
+
#define CLI_CRED_NTLM2 0x01
#define CLI_CRED_NTLMv2_AUTH 0x02
#define CLI_CRED_LANMAN_AUTH 0x04
#define CLI_CRED_NTLM_AUTH 0x08
+#define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
struct cli_credentials {
- /* Preferred methods, NULL means default */
- const char **preferred_methods;
-
enum credentials_obtained workstation_obtained;
enum credentials_obtained username_obtained;
enum credentials_obtained password_obtained;
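Review bot: The three `enum credentials_use_kerberos` values are documented only by informal asides, and the comment on CRED_MUST_USE_KERBEROS misspells "paranoid"; since this enum now decides whether an NTLM response may be produced at all, each value should say what it enforces. I would reword them to `/* Default: try kerberos if available; NTLM responses remain available */`, `/* Never try kerberos (some servers misbehave when offered it) */` and `/* Require kerberos: NTLM response generation is refused with NT_STATUS_ACCESS_DENIED */`, the last matching the check this commit adds in credentials_ntlm.c. The new `CLI_CRED_CLEAR_AUTH` flag carries a TODO but nothing in this commit sets or tests it, so a note that it is currently unused would save a reader from searching for its consumer.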
@@ -94,8 +98,8 @@ struct cli_credentials {
/* Is this a machine account? */
BOOL machine_account;
- /* A list of valid GENSEC mechanisms for use on this account */
- const struct gensec_security_ops **gensec_list;
+ /* Should we be trying to use kerberos? */
+ enum credentials_use_kerberos use_kerberos;
};
#include "auth/credentials/credentials_proto.h"
diff --git a/source4/auth/credentials/credentials_gensec.c b/source4/auth/credentials/credentials_gensec.c
deleted file mode 100644
index 7ea15e7988..0000000000
--- a/source4/auth/credentials/credentials_gensec.c
+++ /dev/null
@@ -1,77 +0,0 @@
-/*
- Unix SMB/CIFS implementation.
-
- User credentials handling
-
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*/
-
-#include "includes.h"
-#include "auth/gensec/gensec.h"
-
-const struct gensec_security_ops **cli_credentials_gensec_list(struct cli_credentials *creds)
-{
- if (!creds || !creds->gensec_list) {
- return gensec_security_all();
- }
- return creds->gensec_list;
-}
-
-static NTSTATUS cli_credentials_gensec_remove_mech(struct cli_credentials *creds,
- const struct gensec_security_ops *remove_mech)
-{
- const struct gensec_security_ops **gensec_list;
- const struct gensec_security_ops **new_gensec_list;
- int i, j;
-
- gensec_list = cli_credentials_gensec_list(creds);
-
- for (i=0; gensec_list && gensec_list[i]; i++) {
- /* noop */
- }
-
- new_gensec_list = talloc_array(creds, const struct gensec_security_ops *, i + 1);
- if (!new_gensec_list) {
- return NT_STATUS_NO_MEMORY;
- }
-
- j = 0;
- for (i=0; gensec_list && gensec_list[i]; i++) {
- if (gensec_list[i] != remove_mech) {
- new_gensec_list[j] = gensec_list[i];
- j++;
- }
- }
- new_gensec_list[j] = NULL;
-
- creds->gensec_list = new_gensec_list;
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS cli_credentials_gensec_remove_oid(struct cli_credentials *creds,
- const char *oid)
-{
- const struct gensec_security_ops *gensec_by_oid;
-
- gensec_by_oid = gensec_security_by_oid(NULL, oid);
- if (!gensec_by_oid) {
- return NT_STATUS_OK;
- }
-
- return cli_credentials_gensec_remove_mech(creds, gensec_by_oid);
-}
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c
index c7932e6f1a..5068540a32 100644
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -66,6 +66,10 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
if (cred->machine_account) {
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
}
+
+ if (cred->use_kerberos == CRED_MUST_USE_KERBEROS) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
if (!nt_hash) {
static const uint8_t zeros[16];
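Review bot: The new CRED_MUST_USE_KERBEROS refusal sits after `*flags` has already been rewritten two lines above it (`*flags = *flags & ~CLI_CRED_LANMAN_AUTH;`), so a caller that required kerberos gets NT_STATUS_ACCESS_DENIED together with a partially updated output parameter; `cli_credentials_get_ntlm_response` begins outside the hunk, so there may be further output writes before this point that I cannot see. Moving the check to the top of the function, before any output parameter is touched, keeps the refusal free of side effects and makes the policy easier to audit. The added block also says nothing about why it exists; I would put `/* The caller demanded kerberos: producing an NTLM response here would silently downgrade the authentication, so refuse */` above the `if`.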