s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)
authorPavel Filipenský <pfilipen@redhat.com>
Mon, 3 Jan 2022 10:13:06 +0000 (11:13 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 21 Jan 2022 23:33:36 +0000 (23:33 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/libads/sasl.c

index ea98aa47ecdcdc39085a985a976874a0bc9d9b6b..1bcfe0490a82f00fb470987844783e625b51f950 100644 (file)
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
           library for HMAC_MD4 encryption */
        mech = "NTLMSSP";
 
+       if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+               DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+               status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+               goto done;
+       }
+
        if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
                DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
                            " disallowed.\n");
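Review bot: The added refusal at `if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP))` has no comment saying that failing the bind here is deliberate; going by the commit title, this appears to be the path where no Kerberos mechanism is available and NTLMSSP is the only one left. I would put `/* No other mechanism on this path: if the caller has not allowed NTLMSSP, fail the bind rather than downgrade to it. */` above the check. The returned `NT_STATUS_NETWORK_CREDENTIAL_CONFLICT` does not read as a policy refusal to a caller, so the `DBG_WARNING` line is the only place an operator sees the cause. It would help triage if that message also said Kerberos was not available, e.g. `"We can't use NTLMSSP, it is not allowed, and no Kerberos mechanism is available.\n"`. `ads_sasl_spnego_bind` starts and ends outside the hunk, so what the `done` label cleans up is not visible here.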