author | Pavel Filipenský <pfilipen@redhat.com> | 2021-12-10 16:08:04 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-01-21 23:33:36 +0000 |
commit | afcdb090769f6f0f66428cd29f88b0283c6bd527 (patch) | |
tree | 910db90efc8301fee11835ab8c5e0cb69c052bd3 /source3/utils | |
parent | 6843bdae306292a781636b4d295ed8d04ae59e07 (diff) | |
s3:utils: set ads->auth.flags using krb5_state
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/utils')
-rw-r--r-- | source3/utils/net_ads.c | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 2a793139be0..d1fc3289184 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -601,6 +601,8 @@ static ADS_STATUS ads_startup_int(struct net_context *c, bool only_own_domain,
 char *cp;
 const char *realm = NULL;
 bool tried_closest_dc = false;
+ enum credentials_use_kerberos krb5_state =
+ CRED_USE_KERBEROS_DISABLED;

 /* lp_realm() should be handled by a command line param,
 However, the join requires that realm be set in smb.conf
@@ -644,10 +646,28 @@ retry:
 ads->auth.password = smb_xstrdup(c->opt_password);
 }

- ads->auth.flags |= auth_flags;
 SAFE_FREE(ads->auth.user_name);
 ads->auth.user_name = smb_xstrdup(c->opt_user_name);

+ ads->auth.flags |= auth_flags;
+
+ /* The ADS code will handle FIPS mode */
+ krb5_state = cli_credentials_get_kerberos_state(c->creds);
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
+
 /*
 * If the username is of the form "name@realm",
 * extract the realm and convert to upper case. |
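Review bot: The `switch (krb5_state)` added in the second hunk has no `default:` arm, so a value outside the three listed cases would leave the Kerberos and NTLMSSP bits exactly as `ads->auth.flags |= auth_flags;` set them just above, with no diagnostic. Because these bits decide whether NTLMSSP fallback is permitted, an arm that fails closed would be safer, for example `default: ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; break;`. If the omission is deliberate so that the compiler flags new enum members, a one-line comment saying so would do. The comment above the switch could also state that the credentials' Kerberos state overrides any `ADS_AUTH_DISABLE_KERBEROS` or `ADS_AUTH_ALLOW_NTLMSSP` bit a caller passed in `auth_flags`, since that is what the new ordering does in every arm. The enclosing function `ads_startup_int` starts and ends outside the hunk, so how callers set `auth_flags` is not visible here.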