author | Pavel Filipenský <pfilipen@redhat.com> | 2021-12-09 13:43:08 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-01-21 23:33:36 +0000 |
commit | 7785eb9b78066f6f7ee2541cf72d80fcf7411329 (patch) | |
tree | aca9e16f75e35516819554fa892b5732acc865ca /source3/libads | |
parent | 49d18f2d6e8872c2b0cbe2bf3324e7057c8438f4 (diff) | |
s3:libads: Disable NTLMSSP for FIPS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/libads')
-rw-r--r-- | source3/libads/sasl.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index b91e2d15bcf..992f7022a69 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " "for %s/%s with user[%s] realm[%s]: %s, " - "fallback to NTLMSSP\n", + "try to fallback to NTLMSSP\n", p.service, p.hostname, ads->auth.user_name, ads->auth.realm, @@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) to sync clocks, and we don't rely on special versions of the krb5 library for HMAC_MD4 encryption */ mech = "NTLMSSP"; + + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) { + DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is" + " disallowed.\n"); + status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + goto done; + } + status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", CRED_USE_KERBEROS_DISABLED, p.service, p.hostname, |
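Review bot: In the second hunk the new `lp_weak_crypto()` branch overwrites `status` with `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT`, so the Kerberos error that led here survives only in the level-1 `DEBUG` message from the first hunk, and the caller sees a credential conflict rather than a policy refusal. Failing closed is the right behaviour, but the branch should carry a comment saying why, for example `/* NTLMSSP needs MD4/HMAC-MD5/RC4; with weak crypto disallowed (FIPS) refuse the downgrade instead of falling back */`. If this code can also be reached without a prior Kerberos attempt (the branch structure is outside the hunk), the "can't fallback" wording would mislead; `"NTLMSSP is not available, weak crypto is disallowed.\n"` would fit both paths. The body of `ads_sasl_spnego_bind` starts and ends outside the hunk, so what `done:` reports to the caller cannot be confirmed from here.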