Created attachment 16604 [details]
Set ADS_AUTH_ALLOW_NTLMSSP for net ads commands
Currently, when we use net ads commands (tested with net ads testuser and net ads join), even if we provide username and password, if KDC is not reachable, there is no fallback to NTLMSSP.
To fallback to NTLMSSP if KDC is not reachable, we need to set
ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
Attached patch worked for me to fix this issue.
There is already 'client use kerberos' switch (desired / required / off). I suggest to rewrite the check to use lp_client_use_kerberos() to check whether a fallback to NTLMSSP is allowed.
This will not work in FIPS mode and we should not fallback to NTLMSSP there. 'client use kerberos' will be forced to 'required' in FIPS mode and thus you can easily check the state.
(In reply to Alexander Bokovoy from comment #1)
The parameter "client use kerberos" should be fine to use in this case. But, in the version of Samba that we are using, this parameter is not present. So, I won't be able to test it.
It is available in git master.
What Alexander is trying to say is that per:
Samba development is on 'git master', and new features always start there before being backported. This means that they are automatically included in new versions, etc.
When developing for master, patches should take into account the new environment found there, so as we have 'client use kerberos' in master it should be used. This may prevent a backport, or mean a backport has to be modified, but at least the patch will be in Samba long-term, should it be useful and accepted.
I hope this clarifies things,
(In reply to Andrew Bartlett from comment #4)
Thanks for clarification Andrew. I will rebase the patch on top of master and submit it