From a00726593c2f3b464e48c22e7a757aa1a06ecff2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 8 Apr 2021 15:45:42 +0200
Subject: [PATCH] s4:rpc_server: Set Kerberos to desired

This is required for ncalrpc_as_system to work. In FIPS enabled mode,
'client use kerberos' is forced to required. We need to allow
non-kerberos use for ncalrpc_as_system here.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/rpc_server/dcerpc_server.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index 2b63305cde2..17bcbf42cbb 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -679,6 +679,7 @@ NTSTATUS dcesrv_gensec_prepare(
 	struct cli_credentials *server_creds = NULL;
 	struct imessaging_context *imsg_ctx =
 		dcesrv_imessaging_context(call->conn);
+	bool ok;
 
 	server_creds = cli_credentials_init_server(call->auth_state,
 						   call->conn->dce_ctx->lp_ctx);
@@ -686,6 +687,14 @@ NTSTATUS dcesrv_gensec_prepare(
 		DEBUG(1, ("Failed to init server credentials\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
+	/* This is required for ncalrpc_as_system. */
+	ok = cli_credentials_set_kerberos_state(server_creds,
+						CRED_USE_KERBEROS_DESIRED,
+						CRED_SPECIFIED);
+	if (!ok) {
+		DBG_WARNING("Failed to set kerberos state\n");
+		return NT_STATUS_INTERNAL_ERROR;
+	}
 
 	return samba_server_gensec_start(mem_ctx,
 					 call->event_ctx,
-- 
2.47.3