CVE-2026-3012
Public on 2026-05-26
Modified on 2026-05-26
Description
If the certificate auto-enrollment GPO is enabled on domain members
(both in Samba's smb.conf and via the Windows GPME tool), a CA
certificate may be fetched over a plain HTTP connection and installed
in the member computer's trust store. This may give an attacker a
chance to intercept the response and have a certificate of their choosing
installed instead.
The URL from which the certificate is fetched follows a pattern used
by Microsoft's Network Device Enrollment Service (NDES) to provide
certificates to computers on the network that are not full domain
members. Domain members should already have access to these
certificates via better protected LDAP connections, so do not need the
NDES link (Samba uses no other part of NDES).
Pure Samba domains will not have auto-enrollment available, either
through LDAP or HTTP, as Samba does not currently implement Active
Directory Certificate Services. However, members of these domains are
still vulnerable if the GPO is enabled.
The patch removes the attempt to download the certificate and relies
on the LDAP values.
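The mitigation the patch takes, as an added example that is not Samba's code: a trust-anchor resolver that uses only the CA certificate published in LDAP, flags any cleartext NDES-style fetch, and reports when a downloaded copy disagrees with the LDAP copy (the symptom an intercepted response would produce). The DER byte strings and the URL are constructed sample values, not taken from Samba or from the advisory.

```python
"""Resolve the CA certificate a domain member should install.

Added example, not Samba's code. The rule mirrors the fix described in the
advisory: the LDAP-published value is authoritative, a plain-HTTP download is
never used as a trust anchor, and a mismatch between the two is reported.
"""
import hashlib
from urllib.parse import urlsplit


class UntrustedCASource(Exception):
    """Raised when no authenticated source for the CA certificate exists."""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hex)."""
    return hashlib.sha256(der).hexdigest()


def resolve_ca_certificate(ldap_der, fetched_der=None, fetch_url=None):
    """Return (der_to_install, findings).

    ldap_der    - CA certificate read from AD over LDAP (None if not published)
    fetched_der - CA certificate downloaded from the enrollment URL, if any
    fetch_url   - the URL that download came from, used only for the findings
    """
    findings = []
    # A cleartext fetch cannot be authenticated; record it regardless of outcome.
    if fetch_url is not None and urlsplit(fetch_url).scheme.lower() != "https":
        findings.append(f"cleartext fetch from {fetch_url}: response is unauthenticated")
    # No LDAP copy means no trusted source; refuse rather than fall back to HTTP.
    if ldap_der is None:
        raise UntrustedCASource("CA certificate not published in LDAP; nothing installed")
    # A downloaded copy that differs from the LDAP copy is what an intercepted
    # response looks like; surface it for detection, but install the LDAP copy.
    if fetched_der is not None and fingerprint(fetched_der) != fingerprint(ldap_der):
        findings.append("downloaded CA certificate differs from the LDAP copy (possible interception)")
    return ldap_der, findings


# Constructed sample values (not real certificates or a real host).
LDAP_CA = b"\x30\x82\x01\x00constructed-ldap-ca-cert"
HTTP_CA = b"\x30\x82\x01\x00constructed-http-ca-cert"
NDES_URL = "http://ca.example.invalid/certsrv/mscep/mscep.dll?operation=GetCACert"

if __name__ == "__main__":
    der, notes = resolve_ca_certificate(LDAP_CA, HTTP_CA, NDES_URL)
    print(fingerprint(der), *notes, sep="\n")
```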
Severity
CVSS v3 Base Score
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | samba | | | Not Affected |
| Amazon Linux 2023 | samba | | | Pending Fix |
CVSS Scores
| Source | Score Type | Score | Vector |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.0 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N |