s3:libads: Disable NTLMSSP if not allowed (for builds without kerberos)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Pair-Programmed-With: Andreas Schneider <[email protected]> Signed-off-by: Pavel Filipenský <[email protected]> Signed-off-by: Andreas Schneider <[email protected]> Reviewed-by: Stefan Metzmacher <[email protected]>
Roo4L · Jan 21, 2022 · 17ea2cc · 17ea2cc
1 parent 5f6251a
commit 17ea2cc
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
@@ -617,6 +617,12 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
 	   library for HMAC_MD4 encryption */
 	mech = "NTLMSSP";
 
+	if (!(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
+		DBG_WARNING("We can't use NTLMSSP, it is not allowed.\n");
+		status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
+		goto done;
+	}
+
 	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
 		DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
 			    " disallowed.\n");