[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Nov 16 14:25:01 MST 2010
The branch, master has been updated
via deed2a9 s4-kdc Rework supported encryption type logic to match Microsoft
from d451ac1 s4:acl LDB module - use also here "dsdb_find_nc_root" to implement the NC-specific checks
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit deed2a935b0ebd615929e21ec423204d44ada067
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 16 21:01:22 2010 +1100
s4-kdc Rework supported encryption type logic to match Microsoft
Thanks to Hongwei Sun for the clear description of the algorithm
involved. Importantly, it isn't possible to remove encryption types
from the list, only to add them over the defaults (DES and
arcfour-hmac-md5, and additional AES for DCs and RODCs).
This changes the behaviour for entries with
msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos
reported finding set by ADUC when attempting to store cleartext
passwords.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source4/kdc/db-glue.c | 53 ++++++++++++++----------------------------------
1 files changed, 16 insertions(+), 37 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index b062282..215b230 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -214,35 +214,34 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
uint16_t i;
uint16_t allocated_keys = 0;
int rodc_krbtgt_number = 0;
- uint32_t supported_enctypes;
+ uint32_t supported_enctypes
+ = ldb_msg_find_attr_as_uint(msg,
+ "msDS-SupportedEncryptionTypes",
+ 0);
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
- /* KDCs (and KDCs on RODCs) use AES, but not DES */
- supported_enctypes = ENC_ALL_TYPES;
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ /* KDCs (and KDCs on RODCs) use AES */
+ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
- supported_enctypes = ENC_ALL_TYPES;
+ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
/* for AS-REQ the client chooses the enc types it
* supports, and this will vary between computers a
- * user logs in from. However, some accounts may be
- * banned from using DES, so allow the default to be
- * overridden
+ * user logs in from.
*
* likewise for 'any' return as much as is supported,
* to export into a keytab */
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- ENC_ALL_TYPES);
+ supported_enctypes = ENC_ALL_TYPES;
+ }
+
+ /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
+ if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+ supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
} else {
- /* However, if this is a TGS-REQ, then lock it down to
- * a reasonable guess as to what the server can decode
- * - we must use whatever is in
- * "msDS-SupportedEncryptionTypes", or the 'old' set
- * of keys (ie, what Windows 2000 supported) */
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5);
+ /* Otherwise, add in the default enc types */
+ supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
}
/* Is this the krbtgt or a RODC krbtgt */
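Review bot: the new `if (userAccountControl & UF_USE_DES_KEY_ONLY)` block now runs after the krbtgt/DC branches and uses a plain assignment (`supported_enctypes = ENC_CRC32|ENC_RSA_MD5;`), whereas the code it replaces used `&=`; for a krbtgt, RODC or DC account with that flag set, the AES types just OR'ed in above are silently discarded and only single-DES keys remain, so the intersection semantics of the old `&=` may be worth keeping (or the krbtgt/DC cases excluded from the DES-only override). The `/* Otherwise, add in the default enc types */` comment would also benefit from stating explicitly that msDS-SupportedEncryptionTypes can only add to the DES/RC4 defaults and never remove them, since that is the behavioural change this hunk introduces and a reader of this code alone will not see the reasoning that is only in the commit message.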
@@ -255,26 +254,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
- /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
- if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- /* However, this still won't allow use of DES, if we
- * were told not to by msDS-SupportedEncTypes */
- supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
- } else {
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- /* Unless a very special effort it made,
- * disallow trust tickets to be DES encrypted,
- * it's just too dangerous */
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
- break;
- default:
- break;
- /* No further restrictions */
- }
- }
-
entry_ex->entry.keys.val = NULL;
entry_ex->entry.keys.len = 0;
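Review bot: dropping the `SAMBA_KDC_ENT_TYPE_KRBTGT` / `SAMBA_KDC_ENT_TYPE_TRUST` case that cleared `ENC_CRC32|ENC_RSA_MD5` means trust entries, which previously could never be issued DES-encrypted tickets ("it's just too dangerous"), now always carry DES keys because the first hunk unconditionally ORs in `ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5` for every account without UF_USE_DES_KEY_ONLY. The commit message only mentions the `msDS-supportedEncryptionTypes: 0` case; it should also state that this trust-ticket restriction is being removed deliberately to match Microsoft, and the remaining krbtgt comment in the first hunk ("use AES") could note that DES is no longer excluded for it.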
--
Samba Shared Repository