From: Pavel Filipenský
Date: Thu, 9 Dec 2021 12:43:08 +0000 (+0100)
Subject: s3:libads: Disable NTLMSSP for FIPS
X-Git-Tag: tdb-1.4.6~9
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7785eb9b78066f6f7ee2541cf72d80fcf7411329;p=thirdparty%2Fsamba.git
s3:libads: Disable NTLMSSP for FIPS
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider
Signed-off-by: Pavel Filipenský
Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
---
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index b91e2d15bcf..992f7022a69 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed " "for %s/%s with user[%s] realm[%s]: %s, "
- "fallback to NTLMSSP\n",
+ "try to fallback to NTLMSSP\n",
 p.service, p.hostname, ads->auth.user_name, ads->auth.realm,
@@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 to sync clocks, and we don't rely on special versions of the krb5 library for HMAC_MD4 encryption */ mech = "NTLMSSP";
+
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
+ " disallowed.\n");
+ status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+ goto done;
+ }
+
 status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO", CRED_USE_KERBEROS_DISABLED, p.service, p.hostname,
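Review bot: The new `DBG_WARNING` in the `lp_weak_crypto()` branch of the second hunk does not say which target the NTLMSSP fallback was refused for, and the branch overwrites `status` with `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT`, so whatever error led here is no longer what the caller gets back. Naming the target keeps the refusal traceable in logs, e.g. `DBG_WARNING("Not falling back to NTLMSSP for %s/%s, weak crypto is disallowed.\n", p.service, p.hostname);`. A short comment above the check would also help the next reader, such as `/* NTLMSSP relies on MD4, HMAC-MD5 and RC4, which are not FIPS-approved; fail closed instead of downgrading */`. `mech` is already set to "NTLMSSP" before the check, so if the `done:` path (outside this hunk, not visible here) reports `mech`, the failure will read as an NTLMSSP bind that was never attempted; moving the assignment below the check would avoid that. ads_sasl_spnego_bind() starts and ends outside the hunk.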