From 270499b1c9ed4a010da265954314bfb5ffcd9eca Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 28 Oct 2024 16:54:48 +0100
Subject: [PATCH] libcli/auth: return INVALID_PARAMETER for DES in
 netlogon_creds_{de,en}crypt_samlogon_logon

For the NetlogonGenericInformation case we want an error instead of no
encryption if only DES was negotiated...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 131f5c0b251e456c466eaca744525504e1d69492)
---
 libcli/auth/credentials.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index ec5552e60c0..4fcd1ff96c5 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -1114,6 +1114,7 @@ static NTSTATUS netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_Creden
 			}
 		} else {
 			/* Using DES to verify kerberos tickets makes no sense */
+			return NT_STATUS_INVALID_PARAMETER;
 		}
 		break;
 	}
-- 
2.47.2