diff options
author | Pavel Filipenský <pfilipen@redhat.com> | 2022-01-21 12:01:33 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-01-22 00:27:52 +0000 |
commit | fa5413b63c8f4a20ab5b803f5cc523e0658eefc9 (patch) | |
tree | 5b1767e8dc6aa98705d40b654e2ac2838814c121 | |
parent | f03abaec2abbd22b9dc83ce4a103b1b3a2912d96 (diff) | |
download | samba-fa5413b63c8f4a20ab5b803f5cc523e0658eefc9.tar.gz |
s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
-rw-r--r-- | source3/libnet/libnet_join.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 00d71b97f2a..5069e7546ef 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, ADS_STATUS status; ADS_STRUCT *my_ads = NULL; char *cp; + enum credentials_use_kerberos krb5_state; my_ads = ads_init(dns_domain_name, netbios_domain_name, @@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name, return ADS_ERROR_LDAP(LDAP_NO_MEMORY); } - my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; + /* In FIPS mode, client use kerberos is forced to required. */ + krb5_state = lp_client_use_kerberos(); + switch (krb5_state) { + case CRED_USE_KERBEROS_REQUIRED: + my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; + my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; + break; + case CRED_USE_KERBEROS_DESIRED: + my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS; + my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; + break; + case CRED_USE_KERBEROS_DISABLED: + my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS; + my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP; + break; + } if (user_name) { SAFE_FREE(my_ads->auth.user_name); |