From: Pavel Filipenský
Date: Tue, 18 Jan 2022 18:44:54 +0000 (+0100)
Subject: s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
X-Git-Tag: tdb-1.4.6~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f03abaec2abbd22b9dc83ce4a103b1b3a2912d96;p=thirdparty%2Fsamba.git

s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955
Pair-Programmed-With: Andreas Schneider
Signed-off-by: Pavel Filipenský
Signed-off-by: Andreas Schneider
Reviewed-by: Stefan Metzmacher
---
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index e415df347e6..6f01ef6e334 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -34,6 +34,7 @@
 #include "../libds/common/flag_mapping.h"
 #include "libsmb/samlogon_cache.h"
 #include "passdb.h"
+#include "auth/credentials/credentials.h"
 
 #ifdef HAVE_ADS
 
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 ADS_STATUS status;
 struct sockaddr_storage dc_ss;
 fstring dc_name;
+ enum credentials_use_kerberos krb5_state;
 
 if (auth_realm == NULL) {
 return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
 ads->auth.renewable = renewable;
 ads->auth.password = password;
 
- ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ /* In FIPS mode, client use kerberos is forced to required. */
+ krb5_state = lp_client_use_kerberos();
+ switch (krb5_state) {
+ case CRED_USE_KERBEROS_REQUIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DESIRED:
+ ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ case CRED_USE_KERBEROS_DISABLED:
+ ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ break;
+ }
 
 ads->auth.realm = SMB_STRDUP(auth_realm);
 if (!strupper_m(ads->auth.realm)) {
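Review bot: The switch on krb5_state has no default, so any enum credentials_use_kerberos value outside the three listed cases leaves both ADS_AUTH_DISABLE_KERBEROS and ADS_AUTH_ALLOW_NTLMSSP at whatever they already were, which could silently keep NTLMSSP allowed if the ads struct is reused rather than freshly zeroed. Since the intent of the change is to fail closed when Kerberos is required, I would make the unknown case the strict one by adding `default: /* unknown setting: fail closed, same as REQUIRED */` directly above `case CRED_USE_KERBEROS_REQUIRED:`; -Wswitch reports missing enumerators but not out-of-range values. The leading comment says FIPS mode forces the setting to required, but that guarantee lives in lp_client_use_kerberos(), outside this hunk, so phrasing it as `/* lp_client_use_kerberos() returns CRED_USE_KERBEROS_REQUIRED in FIPS mode, so NTLMSSP is never offered there. */` tells a reader where to look. ads_cached_connection_connect starts and ends outside the hunk, so whether ads->auth.flags starts from zero at this point cannot be confirmed from the diff.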