mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
e157ea1e14
In FIPS mode we cannot rely on NTLMSSP at all, so we have ensure Kerberos is used by Samba Python libraries. This is achieved by requiring credentials objects to always use Kerberos authentication. Additionally, we have to normalize the principal used to authenticate. In case it was passed without realm, add forest root domain as a realm. In case it was passed with NetBIOS domain name, remove it and replace with a realm. Since we only know about the forest root domain as a realm, require that for other domains' users a real Kerberos principal is specified. Fixes: https://pagure.io/freeipa/issue/8655 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>