From f03abaec2abbd22b9dc83ce4a103b1b3a2912d96 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Pavel=20Filipensk=C3=BD?=
Date: Tue, 18 Jan 2022 19:44:54 +0100
Subject: [PATCH] s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider
Signed-off-by: Pavel Filipenský
Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
---
 source3/winbindd/winbindd_ads.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index e415df347e6..6f01ef6e334 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
 #include "../libds/common/flag_mapping.h"
 #include "libsmb/samlogon_cache.h"
 #include "passdb.h"
+#include "auth/credentials/credentials.h"
 
 #ifdef HAVE_ADS
 
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 ADS_STATUS status;
 struct sockaddr_storage dc_ss;
 fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
 
 if (auth_realm == NULL) {
 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 ads->auth.renewable = renewable;
 ads->auth.password = password;
 
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
 
 ads->auth.realm = SMB_STRDUP(auth_realm);
 if (!strupper_m(ads->auth.realm)) {
-- 
2.47.3
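Review bot: The `switch (krb5_state)` added in ads_cached_connection_connect has no `default:` arm, so a value from `lp_client_use_kerberos()` outside the three listed enumerators leaves both ADS_AUTH_DISABLE_KERBEROS and ADS_AUTH_ALLOW_NTLMSSP at whatever ads->auth.flags already held, and the compiler's switch warning only covers missing enumerators, not out-of-range values. For a decision that gates whether NTLMSSP is offered at all, that path should fail closed: I would add `default:` with the same updates as the REQUIRED arm, `ads->auth.flags &= ~(ADS_AUTH_DISABLE_KERBEROS | ADS_AUTH_ALLOW_NTLMSSP); break;`, so NTLMSSP is only enabled by an explicit DESIRED or DISABLED setting. The comment `/* In FIPS mode, client use kerberos is forced to required. */` explains the loadparm side rather than the code below it; something like `/* Map "client use kerberos" onto the ADS auth flags; under FIPS the setting is forced to required, which drops NTLMSSP. */` would tie the two together. The enclosing function begins and ends outside this hunk.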