s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
authorPavel Filipenský <pfilipen@redhat.com>
Fri, 21 Jan 2022 11:01:33 +0000 (12:01 +0100)
committerStefan Metzmacher <metze@samba.org>
Sat, 22 Jan 2022 00:27:52 +0000 (00:27 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184

source3/libnet/libnet_join.c

index 00d71b97f2a273427055d924f1c4eeaddd845559..5069e7546efd8d23c3211727dc1f94714a4dad06 100644 (file)
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
        ADS_STATUS status;
        ADS_STRUCT *my_ads = NULL;
        char *cp;
+       enum credentials_use_kerberos krb5_state;
 
        my_ads = ads_init(dns_domain_name,
                          netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
                return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
        }
 
-       my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+       /* In FIPS mode, client use kerberos is forced to required. */
+       krb5_state = lp_client_use_kerberos();
+       switch (krb5_state) {
+       case CRED_USE_KERBEROS_REQUIRED:
+               my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+               my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+               break;
+       case CRED_USE_KERBEROS_DESIRED:
+               my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+               my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+               break;
+       case CRED_USE_KERBEROS_DISABLED:
+               my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+               my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+               break;
+       }
 
        if (user_name) {
                SAFE_FREE(my_ads->auth.user_name);
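Review bot: The new switch on `krb5_state` has no `default:`, so a value of `lp_client_use_kerberos()` outside the three listed cases leaves both `ADS_AUTH_DISABLE_KERBEROS` and `ADS_AUTH_ALLOW_NTLMSSP` untouched, and the resulting auth policy then depends on whatever `ads_init()` put in `auth.flags`, which is not visible in this hunk; before the change NTLMSSP was always explicitly allowed, so that fallback is now implicit. If the project leaves enum switches open on purpose so `-Wswitch` flags new enumerators, that intent should be stated, e.g. `/* no default: new enum values must be handled here; unmatched values keep ads_init()'s flags */`; otherwise a `default:` with the same two flag updates as `CRED_USE_KERBEROS_REQUIRED` would fail closed. The comment on the line before the switch could also be made more precise, since only the first case is about FIPS: `/* lp_client_use_kerberos() returns CRED_USE_KERBEROS_REQUIRED in FIPS mode, so NTLMSSP is never allowed there. */`. libnet_connect_ads() begins and ends outside the hunk.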