[SCM] Samba Shared Repository - branch v4-6-test updated

Karolin Seeger kseeger at samba.org
Wed Feb 21 14:15:02 UTC 2018


The branch, v4-6-test has been updated
       via  d0c6802 Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData"
       via  c190c37 Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()"
       via  e1a5f80 Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key"
       via  542382a Revert "s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob"
       via  fb65808 Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key"
       via  4afb9bd Revert "HEIMDAL:hdb: export a hdb_enctype_supported() helper function"
       via  cb60d1c Revert "s4:kdc: use the strongest possible tgs session key"
       via  0cd6906 Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers"
       via  89f27fa Revert "TODO s4:kdc: indicate support for new encryption types by adding empty keys"
       via  3a54a04 Revert "HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets"
      from  56a40ab samba: Only use async signal-safe functions in signal handler

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test


- Log -----------------------------------------------------------------
commit d0c6802bd6f5be279b95858a6a6920a1745c32a8
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:23 2018 +0100

    Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData"
    
    This reverts commit 678a7a32473b1f64421cd905b7d535878eb11cab.
    
    Autobuild-User(v4-6-test): Karolin Seeger <kseeger at samba.org>
    Autobuild-Date(v4-6-test): Wed Feb 21 15:14:49 CET 2018 on sn-devel-144

commit c190c375403ec80c2c9b34f195c1c0fb6a172595
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:23 2018 +0100

    Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()"
    
    This reverts commit e8988e614aaf269b24b072e483047bdcd80fef33.

commit e1a5f808c571a8c0d66c5407f8327d4648045847
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:23 2018 +0100

    Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key"
    
    This reverts commit ec57c13dc378d15dad98efd59e86bcc2775c5b0a.

commit 542382aa2fba9ce43f77882963ccb13f84574a4f
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "s4:kdc: fix the principal names in samba_kdc_update_delegation_info_blob"
    
    This reverts commit 2557d5c6235f7d24866163124fc254cfe81d3871.

commit fb65808bb2d1daf5bbf56b59ac3d9501da101cb4
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based on the server key"
    
    This reverts commit 03484706e4ff546fc7fe41124d896e9f7840fe80.

commit 4afb9bddeb074ecd3d8b3c704cfd91907f34c9fb
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "HEIMDAL:hdb: export a hdb_enctype_supported() helper function"
    
    This reverts commit 18d7cf191718b3a30165a43271e503cc07ca5b50.

commit cb60d1c2175c32a4b3879d2c9e39a4760d17f78a
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "s4:kdc: use the strongest possible tgs session key"
    
    This reverts commit 9fdf175905efde803941a5876ce7e060013fc9a0.

commit 0cd690617547366562fb1deed049f0c7ab129b3e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers"
    
    This reverts commit fe146338f304a52f861777ada5774887fe0776e3.

commit 89f27fab18020c5b236a684359a1172981528425
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "TODO s4:kdc: indicate support for new encryption types by adding empty keys"
    
    This reverts commit bf07697273017014516010475f79be3e59a2ce07.

commit 3a54a0497315430501a13f6397f3e2889197158a
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "HEIMDAL:kdc: use the correct authtime from addtitional ticket for S4U2Proxy tickets"
    
    This reverts commit 9ecdf21e174ba7525b77035664428fbdcbf53690.

-----------------------------------------------------------------------

Summary of changes:
 source4/heimdal/kdc/kerberos5.c            |  20 ++---
 source4/heimdal/kdc/krb5tgs.c              | 127 ++++++++++++++---------------
 source4/heimdal/lib/hdb/hdb.c              |  30 +------
 source4/heimdal/lib/hdb/version-script.map |   1 -
 source4/kdc/db-glue.c                      |  73 +----------------
 source4/kdc/kdc-heimdal.c                  |   6 +-
 source4/kdc/pac-glue.c                     |   6 +-
 7 files changed, 80 insertions(+), 183 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c6ec65e..3282d5e 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
     krb5_error_code ret;
     krb5_salt def_salt;
     krb5_enctype enctype = ETYPE_NULL;
-    Key *key = NULL;
+    Key *key;
     int i;
 
     /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
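Review bot: Dropping the initializer on `Key *key` leaves it indeterminate until a `hdb_enctype2key()` call succeeds. In the next hunk the `clientbest` fallback assigns `enctype` without any successful, accepted key lookup, so if the rest of `_kdc_find_etype()` (outside these hunks) hands `key` back to the caller on success, it could be an unassigned pointer or a key that the salt check just rejected. Keeping `Key *key = NULL;` costs nothing now that the loop conditions test `enctype`, and it gives callers a value they can check.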
@@ -159,34 +159,29 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 
 	/* drive the search with local supported enctypes list */
 	p = krb5_kerberos_enctypes(context);
-	for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
+	for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
 	    if (krb5_enctype_valid(context, p[i]) != 0)
 		continue;
 
 	    /* check that the client supports it too */
-	    for (j = 0; j < len && key == NULL; j++) {
+	    for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
 		if (p[i] != etypes[j])
 		    continue;
 		/* save best of union of { client, crypto system } */
 		if (clientbest == ETYPE_NULL)
 		    clientbest = p[i];
-		if (enctype == ETYPE_NULL) {
-		    ret = hdb_enctype_supported(context, &princ->entry, p[i]);
-		    if (ret == 0) {
-			enctype = p[i];
-		    }
-		}
 		/* check target princ support */
 		ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
 		if (ret)
 		    continue;
 		if (is_preauth && !is_default_salt_p(&def_salt, key))
 		    continue;
+		enctype = p[i];
 	    }
 	}
 	if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
 	    enctype = clientbest;
-	else if (key == NULL)
+	else if (enctype == ETYPE_NULL)
 	    ret = KRB5KDC_ERR_ETYPE_NOSUPP;
 	if (ret == 0 && ret_enctype != NULL)
 	    *ret_enctype = enctype;
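Review bot: After the two loops, `ret` still holds whatever the last `hdb_enctype2key()` call returned, so the `enctype = clientbest` fallback only reports success when that last lookup happened to return 0, for example when the key was found but skipped by the salt check. The intent should be explicit at that branch: a comment such as `/* no usable key for clientbest; ret from the last lookup decides the outcome */`, or an explicit assignment to `ret` if a fixed result is wanted. The initial value of `ret` and the tail of the function are outside the hunk, so this is inferred from the visible lines only.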
@@ -327,6 +322,7 @@ krb5_error_code
 _kdc_encode_reply(krb5_context context,
 		  krb5_kdc_configuration *config,
 		  KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
+		  krb5_enctype etype,
 		  int skvno, const EncryptionKey *skey,
 		  int ckvno, const EncryptionKey *reply_key,
 		  int rk_is_subkey,
@@ -353,7 +349,7 @@ _kdc_encode_reply(krb5_context context,
 	return KRB5KRB_ERR_GENERIC;
     }
 
-    ret = krb5_crypto_init(context, skey, 0, &crypto);
+    ret = krb5_crypto_init(context, skey, etype, &crypto);
     if (ret) {
         const char *msg;
 	free(buf);
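Review bot: `krb5_crypto_init()` is now given an `etype` that arrives separately from `skey`, and nothing shown in `_kdc_encode_reply()` states or checks how the two must relate. The callers in this diff pass `setype` in `_kdc_as_rep()` and `et.key.keytype` (the session key's type) in `tgs_make_reply()`, so the enctype used to encrypt the ticket follows the session key rather than the server key whenever they differ. Document the precondition on the new parameter, e.g. `/* etype: enctype to use with skey; must be usable with that key, callers pass the session enctype */`, so a mismatch is recognised as a caller bug rather than left to whatever crypto init does with it. The function body continues outside the hunk.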
@@ -1724,7 +1720,7 @@ _kdc_as_rep(krb5_context context,
     log_as_req(context, config, reply_key->keytype, setype, b);
 
     ret = _kdc_encode_reply(context, config,
-			    &rep, &et, &ek, server->entry.kvno,
+			    &rep, &et, &ek, setype, server->entry.kvno,
 			    &skey->key, client->entry.kvno,
 			    reply_key, 0, &e_text, reply);
     free_EncTicketPart(&et);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index e11ad52..a888788 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -725,7 +725,6 @@ tgs_make_reply(krb5_context context,
 	       KDC_REQ_BODY *b,
 	       krb5_const_principal tgt_name,
 	       const EncTicketPart *tgt,
-	       const EncTicketPart *adtgt,
 	       const krb5_keyblock *replykey,
 	       int rk_is_subkey,
 	       const EncryptionKey *serverkey,
@@ -759,7 +758,7 @@ tgs_make_reply(krb5_context context,
     rep.pvno = 5;
     rep.msg_type = krb_tgs_rep;
 
-    et.authtime = adtgt->authtime;
+    et.authtime = tgt->authtime;
     _kdc_fix_time(&b->till);
     et.endtime = min(tgt->endtime, *b->till);
     ALLOC(et.starttime);
@@ -988,7 +987,7 @@ tgs_make_reply(krb5_context context,
        etype list, even if we don't want a session key with
        DES3? */
     ret = _kdc_encode_reply(context, config,
-			    &rep, &et, &ek,
+			    &rep, &et, &ek, et.key.keytype,
 			    kvno,
 			    serverkey, 0, replykey, rk_is_subkey,
 			    e_text, reply);
@@ -1160,6 +1159,7 @@ tgs_parse_request(krb5_context context,
 		  const struct sockaddr *from_addr,
 		  time_t **csec,
 		  int **cusec,
+		  AuthorizationData **auth_data,
 		  krb5_keyblock **replykey,
 		  int *rk_is_subkey)
 {
@@ -1170,11 +1170,14 @@ tgs_parse_request(krb5_context context,
     krb5_auth_context ac = NULL;
     krb5_flags ap_req_options;
     krb5_flags verify_ap_req_flags;
+    krb5_crypto crypto;
     Key *tkey;
     krb5_keyblock *subkey = NULL;
+    unsigned usage;
     krb5uint32 kvno = 0;
     krb5uint32 *kvno_ptr = NULL;
 
+    *auth_data = NULL;
     *csec  = NULL;
     *cusec = NULL;
     *replykey = NULL;
@@ -1325,6 +1328,7 @@ tgs_parse_request(krb5_context context,
 	goto out;
     }
 
+    usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
     *rk_is_subkey = 1;
 
     ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
@@ -1336,6 +1340,7 @@ tgs_parse_request(krb5_context context,
 	goto out;
     }
     if(subkey == NULL){
+	usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
 	*rk_is_subkey = 0;
 
 	ret = krb5_auth_con_getkey(context, ac, &subkey);
@@ -1357,6 +1362,47 @@ tgs_parse_request(krb5_context context,
 
     *replykey = subkey;
 
+    if (b->enc_authorization_data) {
+	krb5_data ad;
+
+	ret = krb5_crypto_init(context, subkey, 0, &crypto);
+	if (ret) {
+	    const char *msg = krb5_get_error_message(context, ret);
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+	    krb5_free_error_message(context, msg);
+	    goto out;
+	}
+	ret = krb5_decrypt_EncryptedData (context,
+					  crypto,
+					  usage,
+					  b->enc_authorization_data,
+					  &ad);
+	krb5_crypto_destroy(context, crypto);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    kdc_log(context, config, 0,
+		    "Failed to decrypt enc-authorization-data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out;
+	}
+	ALLOC(*auth_data);
+	if (*auth_data == NULL) {
+	    krb5_auth_con_free(context, ac);
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out;
+	}
+	ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
+	if(ret){
+	    krb5_auth_con_free(context, ac);
+	    free(*auth_data);
+	    *auth_data = NULL;
+	    kdc_log(context, config, 0, "Failed to decode authorization data");
+	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+	    goto out;
+	}
+    }
+
     krb5_auth_con_free(context, ac);
 
 out:
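Review bot: The `krb5_data ad` filled by `krb5_decrypt_EncryptedData()` is never released in the added block: not on the `ALLOC(*auth_data)` failure path, not after a failed `decode_AuthorizationData()`, and not on success. Because `enc_authorization_data` comes from the TGS-REQ body, every request that carries it leaves the decrypted buffer allocated in the KDC process. Call `krb5_data_free(&ad);` directly after `decode_AuthorizationData(...)` and in the `*auth_data == NULL` branch before `goto out`. The allocation failure is also reported as `KRB5KRB_AP_ERR_BAD_INTEGRITY`, where `ENOMEM` would describe it accurately. `tgs_parse_request()` begins and ends outside this hunk.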
@@ -1454,6 +1500,7 @@ tgs_build_reply(krb5_context context,
 		krb5_data *reply,
 		const char *from,
 		const char **e_text,
+		AuthorizationData **auth_data,
 		const struct sockaddr *from_addr)
 {
     krb5_error_code ret;
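Review bot: `tgs_build_reply()` now takes `AuthorizationData **auth_data`, yet the only use visible in this diff is the read `*auth_data` passed on to `tgs_make_reply()`; the allocation happens in `tgs_parse_request()` and the free in `_kdc_tgs_rep()`. A double pointer on a function that only borrows the value invites a later change that frees or replaces it here, which would then be freed a second time by the caller. Either pass `AuthorizationData *auth_data`, or put a comment on the parameter such as `/* borrowed: owned and freed by _kdc_tgs_rep() */`. Most of the function body is outside the shown hunks, so other uses cannot be ruled out.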
@@ -1469,9 +1516,6 @@ tgs_build_reply(krb5_context context,
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_data rspac;
-    AuthorizationData *auth_data = NULL;
-    const EncryptionKey *auth_data_key = replykey;
-    unsigned auth_data_usage;
 
     hdb_entry_ex *krbtgt_out = NULL;
 
@@ -1481,7 +1525,6 @@ tgs_build_reply(krb5_context context,
     Realm r;
     int nloop = 0;
     EncTicketPart adtkt;
-    EncTicketPart *adtgt = tgt;
     char opt_str[128];
     int signedpath = 0;
 
@@ -1497,12 +1540,6 @@ tgs_build_reply(krb5_context context,
     s = b->sname;
     r = b->realm;
 
-    if (rk_is_subkey != 0) {
-	auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
-    } else {
-	auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
-    }
-
     if (b->kdc_options.canonicalize)
 	flags |= HDB_F_CANON;
 
@@ -1705,7 +1742,7 @@ server_lookup:
 
 	    ret = _kdc_find_etype(context,
 				  config->tgs_use_strongest_session_key, FALSE,
-				  server, b->etype.val, b->etype.len, &etype,
+				  server, b->etype.val, b->etype.len, NULL,
 				  &skey);
 	    if(ret) {
 		kdc_log(context, config, 0,
@@ -1713,6 +1750,7 @@ server_lookup:
 		goto out;
 	    }
 	    ekey = &skey->key;
+	    etype = skey->key.keytype;
 	    kvno = server->entry.kvno;
 	}
 
@@ -2145,55 +2183,10 @@ server_lookup:
 	    goto out;
 	}
 
-	if (rk_is_subkey == 0) {
-	    auth_data_key = &adtkt.key;
-	}
-	adtgt = &adtkt;
 	kdc_log(context, config, 0, "constrained delegation for %s "
 		"from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
 
-    if (b->enc_authorization_data) {
-	krb5_data ad;
-	krb5_crypto crypto;
-
-	ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
-	if (ret) {
-	    const char *msg = krb5_get_error_message(context, ret);
-	    kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
-	    krb5_free_error_message(context, msg);
-	    goto out;
-	}
-
-	ret = krb5_decrypt_EncryptedData (context,
-					  crypto,
-					  auth_data_usage,
-					  b->enc_authorization_data,
-					  &ad);
-	krb5_crypto_destroy(context, crypto);
-	if(ret){
-	    kdc_log(context, config, 0,
-		    "Failed to decrypt enc-authorization-data");
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-	    goto out;
-	}
-	ALLOC(auth_data);
-	if (auth_data == NULL) {
-	    krb5_data_free(&ad);
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-	    goto out;
-	}
-	ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
-	krb5_data_free(&ad);
-	if(ret){
-	    free(auth_data);
-	    auth_data = NULL;
-	    kdc_log(context, config, 0, "Failed to decode authorization data");
-	    ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-	    goto out;
-	}
-    }
-
     /*
      * Check flags
      */
@@ -2264,13 +2257,12 @@ server_lookup:
 			 b,
 			 tp,
 			 tgt,
-			 adtgt,
 			 replykey,
 			 rk_is_subkey,
 			 ekey,
 			 &sessionkey,
 			 kvno,
-			 auth_data,
+			 *auth_data,
 			 server,
 			 server->entry.principal,
 			 spn,
@@ -2315,11 +2307,6 @@ out:
 	free(ref_realm);
     free_METHOD_DATA(&enc_pa_data);
 
-    if (auth_data) {
-       free_AuthorizationData(auth_data);
-       free(auth_data);
-    }
-
     free_EncTicketPart(&adtkt);
 
     return ret;
@@ -2338,6 +2325,7 @@ _kdc_tgs_rep(krb5_context context,
 	     struct sockaddr *from_addr,
 	     int datagram_reply)
 {
+    AuthorizationData *auth_data = NULL;
     krb5_error_code ret;
     int i = 0;
     const PA_DATA *tgs_req;
@@ -2376,6 +2364,7 @@ _kdc_tgs_rep(krb5_context context,
 			    &e_text,
 			    from, from_addr,
 			    &csec, &cusec,
+			    &auth_data,
 			    &replykey,
 			    &rk_is_subkey);
     if (ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -2400,6 +2389,7 @@ _kdc_tgs_rep(krb5_context context,
 			  data,
 			  from,
 			  &e_text,
+			  &auth_data,
 			  from_addr);
     if (ret) {
 	kdc_log(context, config, 0,
@@ -2436,5 +2426,10 @@ out:
     if(krbtgt)
 	_kdc_free_ent(context, krbtgt);
 
+    if (auth_data) {
+	free_AuthorizationData(auth_data);
+	free(auth_data);
+    }
+
     return ret;
 }
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index 4c8df93..5dc5a09 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -93,12 +93,11 @@ static struct hdb_method dbmetod =
 #endif
 
 
-static krb5_error_code
-_hdb_next_enctype2key(krb5_context context,
+krb5_error_code
+hdb_next_enctype2key(krb5_context context,
 		     const hdb_entry *e,
 		     krb5_enctype enctype,
-		     Key **key,
-		     bool require_key)
+		     Key **key)
 {
     Key *k;
 
@@ -106,10 +105,6 @@ _hdb_next_enctype2key(krb5_context context,
 	 k < e->keys.val + e->keys.len;
 	 k++)
     {
-	if (require_key && k->key.keyvalue.length == 0) {
-	    continue;
-	}
-
 	if(k->key.keytype == enctype){
 	    *key = k;
 	    return 0;
@@ -121,16 +116,6 @@ _hdb_next_enctype2key(krb5_context context,
     return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
 }
 
-
-krb5_error_code
-hdb_next_enctype2key(krb5_context context,
-		     const hdb_entry *e,
-		     krb5_enctype enctype,
-		     Key **key)
-{
-	return _hdb_next_enctype2key(context, e, enctype, key, true);
-}
-
 krb5_error_code
 hdb_enctype2key(krb5_context context,
 		hdb_entry *e,
@@ -141,15 +126,6 @@ hdb_enctype2key(krb5_context context,
     return hdb_next_enctype2key(context, e, enctype, key);
 }
 
-krb5_error_code
-hdb_enctype_supported(krb5_context context,
-		hdb_entry *e,
-		krb5_enctype enctype)
-{
-    Key *key = NULL;
-    return _hdb_next_enctype2key(context, e, enctype, &key, false);
-}
-
 void
 hdb_free_key(Key *key)
 {
diff --git a/source4/heimdal/lib/hdb/version-script.map b/source4/heimdal/lib/hdb/version-script.map
index c4bd8f4..f80fb78 100644
--- a/source4/heimdal/lib/hdb/version-script.map
+++ b/source4/heimdal/lib/hdb/version-script.map
@@ -20,7 +20,6 @@ HEIMDAL_HDB_1.0 {
 		hdb_dbinfo_get_realm;
 		hdb_default_db;
 		hdb_enctype2key;
-		hdb_enctype_supported;
 		hdb_entry2string;
 		hdb_entry2value;
 		hdb_entry_alias2value;
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bfd940c..bf55bef 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -267,7 +267,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 						    bool is_rodc,
 						    uint32_t userAccountControl,
 						    enum samba_kdc_ent_type ent_type,
-						    unsigned flags,
 						    struct sdb_entry_ex *entry_ex)
 {
 	krb5_error_code ret = 0;
@@ -288,38 +287,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 		= ldb_msg_find_attr_as_uint(msg,
 					    "msDS-SupportedEncryptionTypes",
 					    0);
-	uint32_t new_session_enctypes = 0;
-	const krb5_enctype newer_enctypes[] = {
-		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-	};
-
-	switch (ent_type) {
-	case SAMBA_KDC_ENT_TYPE_CLIENT:
-	case SAMBA_KDC_ENT_TYPE_ANY:
-		break;
-	case SAMBA_KDC_ENT_TYPE_SERVER:
-	case SAMBA_KDC_ENT_TYPE_KRBTGT:
-	case SAMBA_KDC_ENT_TYPE_TRUST:
-		if (flags & (SDB_F_FOR_AS_REQ|SDB_F_FOR_TGS_REQ)) {
-			/*
-			 * We should indicate support for new encryption
-			 * types (for session keys) via empty keyvalues,
-			 * in case we don't have stored keys for such encryption
-			 * types.
-			 */
-			new_session_enctypes = supported_enctypes;
-		}
-		break;
-	}
-
-	if (userAccountControl & UF_NORMAL_ACCOUNT) {
-		supported_enctypes = 0;
-	}
-	if (supported_enctypes == 0) {
-		/* Otherwise, add in the default enc types */
-		supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
-	}
 
 	if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
 		/* KDCs (and KDCs on RODCs) use AES */
@@ -341,7 +308,7 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
 	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
 		supported_enctypes = ENC_CRC32|ENC_RSA_MD5;


-- 
Samba Shared Repository


