From f5a5b00033a3d9d55cb8661d1cf5e63facc1ea72 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 11 Aug 2020 11:18:17 +0200
Subject: [PATCH 3/4] service: use net ads join with -k for user join as well

The NTLM authentication used by 'net ads join' does only support crypto
algorithms which e.g. are not allowed by FIPS. It would be better to
tell 'net ads join' to try Kerberos first before falling back to NTLM by
adding the '-k' option.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1859503
---
 service/realm-samba-enroll.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/service/realm-samba-enroll.c b/service/realm-samba-enroll.c
index f5edca3..3f86c51 100644
--- a/service/realm-samba-enroll.c
+++ b/service/realm-samba-enroll.c
@@ -372,7 +372,8 @@ begin_join (GTask *task,
 	} else if (join->user_name) {
 		begin_net_process (join, join->password_input,
 		                   on_join_do_keytab, g_object_ref (task),
-		                   "-U", join->user_name, "ads", "join", join->disco->domain_name,
+		                   "-U", join->user_name,
+		                   "-k", "ads", "join", join->disco->domain_name,
 		                   join->join_args[0], join->join_args[1],
 		                   join->join_args[2], join->join_args[3],
 		                   join->join_args[4], NULL);
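Review bot: The added "-k" in the `join->user_name` branch carries no code comment, and per the commit message it only makes 'net ads join' try Kerberos first, with NTLM still available as a fallback. On a host where FIPS disallows the NTLM algorithms, a failed Kerberos attempt would therefore still end in an NTLM attempt, so it is worth confirming that this case produces a clear error for the caller of begin_join rather than an opaque failure from the net process. Suggest a one-line comment above the begin_net_process call saying that "-k" is there to prefer Kerberos over NTLM for FIPS compatibility, with the bug reference, so the option is not dropped in a later cleanup. Since `join->password_input` is still passed alongside "-U" and "-k", the comment should also state that the password is still needed in this path.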
-- 
2.26.2