From 515cffb1f20eacb041ff7b3d43f8a122a82ddfbd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 4 Sep 2020 17:00:45 +0200
Subject: [PATCH] auth:gensec: If Kerberos is required, keep schannel for machine account auth
Signed-off-by: Stefan Metzmacher
Signed-off-by: Andreas Schneider
---
 auth/gensec/gensec_start.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index be199358ffc..4996e13e027 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -170,6 +170,15 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
 if (cli_credentials_get_netlogon_creds(creds) != NULL) {
 keep_schannel = true;
 }
+
+ /*
+ * Even if Kerberos is set to REQUIRED, keep the
+ * schannel auth mechanism that machine accounts are
+ * able to authenticate via netlogon.
+ */
+ if (gensec_security->gensec_role == GENSEC_SERVER) {
+ keep_schannel = true;
+ }
 }
 if (gensec_security->settings->backends) {
--
2.34.1
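Review bot: The added server-side branch sets `keep_schannel = true` for every `GENSEC_SERVER` context, whereas the check directly above it keeps schannel only when netlogon credentials are actually present, so on a server "Kerberos required" no longer limits the offered mechanisms to Kerberos. That may be intended, but the comment should state it as a deliberate exception, and its wording is missing a conjunction: I would write `* schannel auth mechanism so that machine accounts are` and add a line such as `* This is a deliberate server-side exception to the Kerberos-only filter.` The enclosing condition and the place where `keep_schannel` is consumed lie outside the hunk, so it is worth confirming there that this path retains schannel alone and no other non-Kerberos mechanism. The commit message also has no body, and a sentence on why the exception is acceptable would help anyone auditing the authentication policy later.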