[SCM] Samba Shared Repository - branch master updated

Alexander Bokovoy ab at samba.org
Sat Aug 17 12:00:01 UTC 2024


The branch, master has been updated
       via  3d98048a5a9 kdc: warn if DES-only keys enforced on the account
      from  31c9352099f docs-xml: Fix script location in syncmachinepasswordscript.xml

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3d98048a5a94557d11f57a2057134dc90622aa37
Author: Alexander Bokovoy <ab at samba.org>
Date:   Fri Aug 16 11:24:12 2024 +0300

    kdc: warn if DES-only keys enforced on the account
    
    With MIT Kerberos 1.21+ DES is not available by default and will be
    refused. This means userAccountFlags with UF_DES_KEYS_ONLY will result
    in a likely authentication falure (unless allow_des=true is set in
    krb5.conf).
    
    Warn about such cases to give admins yet another chance to detect an
    error in setting userAccountFlags.
    
    Signed-off-by: Alexander Bokovoy <ab at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Alexander Bokovoy <ab at samba.org>
    Autobuild-Date(master): Sat Aug 17 11:59:01 UTC 2024 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/db-glue.c | 3 +++
 1 file changed, 3 insertions(+)


Changeset truncated at 500 lines:

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 57007aef760..dd1c95cb925 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1741,6 +1741,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
 	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
 		supported_enctypes &= ~ENC_ALL_TYPES;
+		DBG_NOTICE("DES-only keys allowed on the account '%s', "
+			   "most likely auth will fail through Kerberos\n",
+			   samAccountName);
 	}
 
 	if (protected_user) {


-- 
Samba Shared Repository



More information about the samba-cvs mailing list