s3:libnet: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955 Pair-Programmed-With: Andreas Schneider <[email protected]> Signed-off-by: Pavel Filipenský <[email protected]> Signed-off-by: Andreas Schneider <[email protected]> Reviewed-by: Stefan Metzmacher <[email protected]> Autobuild-User(master): Stefan Metzmacher <[email protected]> Autobuild-Date(master): Sat Jan 22 00:27:52 UTC 2022 on sn-devel-184
Roo4L · Jan 22, 2022 · fa5413b · fa5413b
1 parent f03abae
commit fa5413b
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
@@ -139,6 +139,7 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 	ADS_STATUS status;
 	ADS_STRUCT *my_ads = NULL;
 	char *cp;
+	enum credentials_use_kerberos krb5_state;
 
 	my_ads = ads_init(dns_domain_name,
 			  netbios_domain_name,
@@ -148,7 +149,22 @@ static ADS_STATUS libnet_connect_ads(const char *dns_domain_name,
 		return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
 	}
 
-	my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+	/* In FIPS mode, client use kerberos is forced to required. */
+	krb5_state = lp_client_use_kerberos();
+	switch (krb5_state) {
+	case CRED_USE_KERBEROS_REQUIRED:
+		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+		my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+		break;
+	case CRED_USE_KERBEROS_DESIRED:
+		my_ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+		break;
+	case CRED_USE_KERBEROS_DISABLED:
+		my_ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+		my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+		break;
+	}
 
 	if (user_name) {
 		SAFE_FREE(my_ads->auth.user_name);