s3:winbindd: Do not set ADS_AUTH_ALLOW_NTLMSSP in FIPS mode
authorPavel Filipenský <pfilipen@redhat.com>
Tue, 18 Jan 2022 18:44:54 +0000 (19:44 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 21 Jan 2022 23:33:36 +0000 (23:33 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/winbindd/winbindd_ads.c

index e415df347e6f8aaf6da200ea5131dc2c5013e543..6f01ef6e334290feefd0fb9f7be35b5bf02c26f1 100644 (file)
@@ -34,6 +34,7 @@
 #include "../libds/common/flag_mapping.h"
 #include "libsmb/samlogon_cache.h"
 #include "passdb.h"
+#include "auth/credentials/credentials.h"
 
 #ifdef HAVE_ADS
 
@@ -102,6 +103,7 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
        ADS_STATUS status;
        struct sockaddr_storage dc_ss;
        fstring dc_name;
+       enum credentials_use_kerberos krb5_state;
 
        if (auth_realm == NULL) {
                return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
@@ -125,7 +127,22 @@ static ADS_STATUS ads_cached_connection_connect(ADS_STRUCT **adsp,
        ads->auth.renewable = renewable;
        ads->auth.password = password;
 
-       ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+       /* In FIPS mode, client use kerberos is forced to required. */
+       krb5_state = lp_client_use_kerberos();
+       switch (krb5_state) {
+       case CRED_USE_KERBEROS_REQUIRED:
+               ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+               ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP;
+               break;
+       case CRED_USE_KERBEROS_DESIRED:
+               ads->auth.flags &= ~ADS_AUTH_DISABLE_KERBEROS;
+               ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+               break;
+       case CRED_USE_KERBEROS_DISABLED:
+               ads->auth.flags |= ADS_AUTH_DISABLE_KERBEROS;
+               ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+               break;
+       }
 
        ads->auth.realm = SMB_STRDUP(auth_realm);
        if (!strupper_m(ads->auth.realm)) {
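Review bot: The switch on krb5_state has no default arm, so any value outside the three listed enumerators leaves ads->auth.flags exactly as it was on entry — and since the unconditional `|= ADS_AUTH_ALLOW_NTLMSSP` was removed, neither the Kerberos nor the NTLMSSP flag is decided here in that case. Adding `default:` directly above `case CRED_USE_KERBEROS_REQUIRED:` makes an unknown setting fail closed (Kerberos required, NTLMSSP not allowed), which matches the FIPS intent of the patch rather than depending on -Wswitch to catch a future enum addition. The comment `/* In FIPS mode, client use kerberos is forced to required. */` describes a constraint enforced elsewhere (presumably in the loadparm handling of "client use kerberos"); naming where that happens would help a reader judge why this switch alone is sufficient for FIPS. ads_cached_connection_connect begins before this hunk.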