[SCM] Samba Shared Repository - branch v3-6-test updated
Karolin Seeger
kseeger at samba.org
Thu Nov 15 00:56:56 MST 2012
The branch, v3-6-test has been updated
via ffdd0a8 s3-kerberos: also try with AES keys, when decrypting tickets.
via a176370 s3-libsmb: make sure we copy at most 16 bytes in cli_set_session_key().
via bad5239 samba: check for AES encryption type defines.
from 8ba1bdf s3:winbind: BUG 9386: Failover if netlogon pipe is not available.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit ffdd0a86ac9cb5fbee67d27958b65872873a009b
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 13 16:23:52 2012 +0100
s3-kerberos: also try with AES keys, when decrypting tickets.
Guenther
The last 3 patches address bug #9272 - net ads join does not provide AES keys
in host keytab.
commit a176370f3e245221b9b9ccaa0fae8ecac8594d1c
Author: Günther Deschner <gd at samba.org>
Date: Tue Nov 13 15:11:08 2012 +0100
s3-libsmb: make sure we copy at most 16 bytes in cli_set_session_key().
Guenther
commit bad52390260caa31eabe7c1b2334c56088447909
Author: Günther Deschner <gd at samba.org>
Date: Thu Dec 15 17:50:33 2011 +0100
samba: check for AES encryption type defines.
Guenther
Autobuild-User: Günther Deschner <gd at samba.org>
Autobuild-Date: Tue Jan 10 15:05:38 CET 2012 on sn-devel-104
-----------------------------------------------------------------------
Summary of changes:
source3/configure.in | 21 +++++++++++++++++++++
source3/libads/kerberos_verify.c | 6 ++++++
source3/libsmb/cliconnect.c | 4 +++-
source3/wscript | 2 ++
4 files changed, 32 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/configure.in b/source3/configure.in
index 014d844..2018a6e 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -4156,6 +4156,27 @@ if test x"$with_ads_support" != x"no"; then
found_arcfour_hmac=yes
fi
+ AC_CACHE_CHECK([for ENCTYPE_AES128_CTS_HMAC_SHA1_96],
+ samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_enctype enctype; enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;],
+ samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96=yes,
+ samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96=no)])
+ if test x"$samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96" = x"yes"; then
+ AC_DEFINE(HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96,1,
+ [Whether the ENCTYPE_AES128_CTS_HMAC_SHA1_96 key type definition is available])
+ fi
+ AC_CACHE_CHECK([for ENCTYPE_AES256_CTS_HMAC_SHA1_96],
+ samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96,[
+ AC_TRY_COMPILE([#include <krb5.h>],
+ [krb5_enctype enctype; enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;],
+ samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96=yes,
+ samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96=no)])
+ if test x"$samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96" = x"yes"; then
+ AC_DEFINE(HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96,1,
+ [Whether the ENCTYPE_AES256_CTS_HMAC_SHA1_96 key type definition is available])
+ fi
+
AC_CACHE_CHECK([for AP_OPTS_USE_SUBKEY],
samba_cv_HAVE_AP_OPTS_USE_SUBKEY,[
AC_TRY_COMPILE([#include <krb5.h>],
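Review bot: The probe body in both new checks, `krb5_enctype enctype; enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;` (and the AES256 twin), assigns a variable that is never read. If the probe is ever compiled with warnings promoted to errors, the check reports "no" and the `#ifdef HAVE_ENCTYPE_AES...` entries in kerberos_verify.c drop out with no build-time signal. Suggest reading the value in the test body (for example by casting it to void). The two AC_CACHE_CHECK blocks also differ only in the enctype name, so folding them into one loop over the names would stop them drifting apart.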
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index d4c68cd..56daf8f 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -344,6 +344,12 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context,
/* Let's make some room for 2 password (old and new)*/
krb5_data passwords[2];
krb5_enctype enctypes[] = {
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_DES_CBC_CRC,
ENCTYPE_DES_CBC_MD5,
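Review bot: The length of `enctypes[]` now depends on two configure-time defines, so the code that walks the array (not visible in this hunk) has to take its bound from the array itself rather than from a fixed count; please confirm that it does. A short comment above the initializer saying that the entries are tried in this order, AES256 first, and that builds without the two HAVE_ENCTYPE_AES defines will not try AES at all, would help anyone diagnosing a ticket that fails to decrypt.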
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index f03219b..8653ba7 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -94,7 +94,9 @@ static NTSTATUS smb_bytes_talloc_string(struct cli_state *cli,
static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key)
{
- cli->user_session_key = data_blob(session_key.data, session_key.length);
+ cli->user_session_key = data_blob(NULL, 16);
+ data_blob_clear(&cli->user_session_key);
+ memcpy(cli->user_session_key.data, session_key.data, MIN(session_key.length, 16));
}
/****************************************************************************
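Review bot: The result of `data_blob(NULL, 16)` in cli_set_session_key() is used without a check, so if the allocation fails `data_blob_clear()` and the `memcpy()` operate on a NULL `cli->user_session_key.data`. Suggest testing `.data` before the copy; since the function returns void, the failure also needs a way to reach the caller. The literal 16 appears twice and should be one named constant with a comment saying why the session key is fixed at that length, because the new code silently truncates a longer `session_key` and zero-pads a shorter one, and a reader cannot tell from the hunk that both are intended. The copy should also be skipped when `session_key.data` is NULL, since passing a NULL source to `memcpy()` is undefined even for length 0.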
diff --git a/source3/wscript b/source3/wscript
index 1ea3559..b40848d 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -661,6 +661,8 @@ krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm''',
conf.CHECK_VARIABLE('KV5M_KEYTAB', headers='krb5.h')
conf.CHECK_VARIABLE('KRB5_KU_OTHER_CKSUM', headers='krb5.h')
conf.CHECK_VARIABLE('KRB5_KEYUSAGE_APP_DATA_CKSUM', headers='krb5.h')
+ conf.CHECK_VARIABLE('ENCTYPE_AES128_CTS_HMAC_SHA1_96', headers='krb5.h')
+ conf.CHECK_VARIABLE('ENCTYPE_AES256_CTS_HMAC_SHA1_96', headers='krb5.h')
conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'key', headers='krb5.h',
define='HAVE_KRB5_KEYTAB_ENTRY_KEY')
conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'keyblock', headers='krb5.h',
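Review bot: The two new `conf.CHECK_VARIABLE(...)` lines rely on the implicit define name matching the `HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96` and `HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96` macros that configure.in sets explicitly with AC_DEFINE and that kerberos_verify.c tests. Consider passing `define=` explicitly, as the `CHECK_STRUCTURE_MEMBER` calls just below do, so the waf and autoconf builds are visibly tied to the same macro names and a mismatch cannot silently disable AES in one of them.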
--
Samba Shared Repository