From bc868800276fe09cbcb206ebe4cb4da32af7599f Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power@suse.com>
Date: Mon, 19 Jan 2026 16:18:02 +0000
Subject: [PATCH] s3/libsmb: block anon authentication fallback is use-kerberos
 = desired

When cli_credentials_get_kerberos_state returns CRED_USE_KERBEROS_REQUIRED
libsmbclient method SMBC_server_internal will still try to fallback to
anon NTLM. This patch prevents that.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15789
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Feb 17 16:06:18 UTC 2026 on atb-devel-224
---
 source3/libsmb/libsmb_server.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 7b1def05f0b..46887d9d33e 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -617,6 +617,8 @@ SMBC_server_internal(TALLOC_CTX *ctx,
 		password_used = "";
 
                 if (smbc_getOptionNoAutoAnonymousLogin(context) ||
+		    cli_credentials_get_kerberos_state(creds) ==
+			    CRED_USE_KERBEROS_REQUIRED ||
 		    !NT_STATUS_IS_OK(cli_session_setup_anon(c))) {
 
                         cli_shutdown(c);
-- 
2.47.3