From fa5413b63c8f4a20ab5b803f5cc523e0658eefc9 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Pavel=20Filipensk=C3=BD?=
Date: Fri, 21 Jan 2022 12:01:33 +0100
Subject: [PATCH] s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider

Signed-off-by: Pavel Filipenský
Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
---
 source3/libnet/libnet_join.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 00d71b97f2a..5069e7546ef 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 	ADS_STATUS status;
 	ADS_STRUCT *my_ads = NULL;
 	char *cp;
+	enum credentials_use_kerberos krb5_state;
 
 	my_ads = ads_init(dns_domain_name,
 			  netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 	}
 
-	my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+	/* In FIPS mode, client use kerberos is forced to required. */
+	krb5_state = lp_client_use_kerberos();
+	switch (krb5_state) {
+	case CRED_USE_KERBEROS_REQUIRED:
+		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+		my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+		break;
+	case CRED_USE_KERBEROS_DESIRED:
+		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+		break;
+	case CRED_USE_KERBEROS_DISABLED:
+		my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+		break;
+	}
 
 	if (user_name) {
 		SAFE_FREE(my_ads->auth.user_name);
-- 
2.47.3
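Review bot: The `switch (krb5_state)` in the second hunk has no `default:`, so any `credentials_use_kerberos` value other than the three listed leaves `my_ads->auth.flags` at whatever ads_init() set (not visible here), which is a fail-open path for a flag set that gates NTLMSSP fallback. Since the stated intent is that FIPS mode forces Kerberos, an unknown state should take the restrictive branch: add `default: /* unknown state: fail closed, Kerberos only */` directly above `case CRED_USE_KERBEROS_REQUIRED:` so it shares that handling. The comment `/* In FIPS mode, client use kerberos is forced to required. */` describes behaviour of lp_client_use_kerberos() rather than anything checked in this function; I would reword it to `/* lp_client_use_kerberos() returns CRED_USE_KERBEROS_REQUIRED when FIPS mode is enabled; no separate FIPS check is made here. */` so a reader does not look for a FIPS test in this file. The enclosing function libnet_connect_ads() starts and ends outside the hunk.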