authorStefan Metzmacher <metze@samba.org>2020-09-04 17:00:45 +0200
committerStefan Metzmacher <metze@samba.org>2020-09-07 12:02:15 +0000
commit515cffb1f20eacb041ff7b3d43f8a122a82ddfbd (patch)
tree60bdb3738fc941937bbc1f58959dfc5aea0faa30 /auth/gensec
parenta33a40bbc848e5691869cf264009d23a03128f31 (diff)
auth:gensec: If Kerberos is required, keep schannel for machine account auth
Signed-off-by: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'auth/gensec')
-rw-r--r--auth/gensec/gensec_start.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index be199358ffc..4996e13e027 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -170,6 +170,15 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
if (cli_credentials_get_netlogon_creds(creds) != NULL) {
keep_schannel = true;
}
+
+ /*
+ * Even if Kerberos is set to REQUIRED, keep the
+ * schannel auth mechanism that machine accounts are
+ * able to authenticate via netlogon.
+ */
+ if (gensec_security->gensec_role == GENSEC_SERVER) {
+ keep_schannel = true;
+ }
}
if (gensec_security->settings->backends) {
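Review bot: The added `gensec_security->gensec_role == GENSEC_SERVER` test sets `keep_schannel` for every server-role context, whatever the Kerberos state is and whether or not the peer is a machine account, so a server configured with Kerberos REQUIRED would still keep a non-Kerberos mechanism in its list. How `keep_schannel` is consumed lies outside this hunk, so that effect is inferred; if it is intended, the comment should state the trade-off, e.g. `/* Servers always keep schannel, even with Kerberos REQUIRED: netlogon machine-account auth depends on it and is not Kerberos. */`. The existing comment also reads more clearly as "keep the schannel auth mechanism so that machine accounts are able to authenticate via netlogon". A test that a server with Kerberos REQUIRED still accepts schannel, while the client side stays Kerberos-only without netlogon creds, would pin the asymmetry. The enclosing `gensec_security_mechs()` begins and ends outside the hunk.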