sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-24 02:04:21 +03:00
Code

s3:libads: Disable NTLMSSP for FIPS

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Pair-Programmed-With: Andreas Schneider <asn@samba.org>

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Pavel Filipenský 2021-12-09 13:43:08 +01:00 committed by Stefan Metzmacher
parent 49d18f2d6e
commit 7785eb9b78
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
source3/libads/sasl.c
View File

@ -604,7 +604,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
DEBUG(1,("ads_sasl_spnego_gensec_bind(KRB5) failed "
"for %s/%s with user[%s] realm[%s]: %s, "
"fallback to NTLMSSP\n",
"try to fallback to NTLMSSP\n",
p.service, p.hostname,
ads->auth.user_name,
ads->auth.realm,
@ -616,6 +616,14 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
to sync clocks, and we don't rely on special versions of the krb5
library for HMAC_MD4 encryption */
mech = "NTLMSSP";
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
DBG_WARNING("We can't fallback to NTLMSSP, weak crypto is"
" disallowed.\n");
status = ADS_ERROR_NT(NT_STATUS_NETWORK_CREDENTIAL_CONFLICT);
goto done;
}
status = ads_sasl_spnego_gensec_bind(ads, "GSS-SPNEGO",
CRED_USE_KERBEROS_DISABLED,
p.service, p.hostname,