[PATCH] Remove conditional compilation based on ENCTYPE_ARCFOUR_HMAC

Andrew Bartlett abartlet at samba.org
Tue Aug 10 06:15:11 MDT 2010


While working with Tridge, I noticed issues with the way we compile
Samba's kerberos helper functions, and in particular the compatibility
logic for old kerberos libraries that don't support the arcfour-hmac-md5
encryption type, introduced by Microsoft with AD in 2000.

These two patches remove the conditional compilation based on the
availability of this define in the header, as not only is this not
reliable (Heimdal uses an enum, MIT a define), it forces the setting of
the 'UF_USE_DES_KEY_ONLY' setting on the machine account during the
join, which greatly reduces the security of the kerberos exchange, or
worse still renders the join useless.

This will mean that we drop ADS support on really, really old Kerberos
libraries.  I would argue that 10 years is enough time for such
libraries to catch up, even on very old systems, or that Samba should be
compiled against another library (as was done by SerNet with a static
Heimdal for some time, if I recall correctly).

Modern Kerberos libraries consider these encryption types so poorly that
they turn them off by default.  These patches reduce complexity by
rightly assuming that a more modern encryption type is available at
compile time, if we want to do Kerberos at all.  It is this that caused
the join failures in testing I was doing with Tridge: the 'net' binary
doing the join set UF_USE_DES_KEY_ONLY, because it thought that the
library didn't have arcfour-hmac-md5, but the library disabled DES,
leaving a broken join: 'Kinit failed: not support for encryption type'.

Once I resolved this, I also noticed that this was masking the
non-compilation of libnet_vampire_keytab.c

As I say in the commit message, the further step of not using DES (now
that we assume arcfour-hmac-md5 is in the library) could be taken, once
this is handled.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-krb5-Only-build-ADS-support-if-arcfour-hmac-md5-i.patch
Type: text/x-patch
Size: 8320 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100810/50d869a1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-libnet-Add-other-required-headers-for-libnet_sams.patch
Type: text/x-patch
Size: 882 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100810/50d869a1/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100810/50d869a1/attachment.pgp>
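The detection problem the mail describes (a '#ifdef ENCTYPE_ARCFOUR_HMAC'
that fires for an MIT-style #define but not for a Heimdal-style enumerator)
can be shown with a configure-style probe. The script below is an added
example, not Samba code and not the attached patches: it writes two
constructed mock krb5.h headers that stand in for the two library styles
(the symbol names and the value 23 are assumptions modelled on the mail,
not copied from either library), then runs the unreliable #ifdef probe and
a compile-the-expression probe against each, the way an AC_COMPILE_IFELSE
check would. It assumes a C compiler is reachable as $CC or cc.

```shell
#!/bin/sh
# Added example, not Samba's code. Demonstrates why probing for an enctype
# with #ifdef is unreliable and what a compile test does instead.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CC=${CC:-cc}

mkdir -p "$WORK/mit" "$WORK/heimdal"
# CONSTRUCTED mock header in the MIT style: the enctype is a preprocessor define.
cat > "$WORK/mit/krb5.h" <<'EOF'
typedef int krb5_enctype;
#define ENCTYPE_ARCFOUR_HMAC 0x0017
EOF
# CONSTRUCTED mock header in the Heimdal style: the enctype is an enumerator,
# so the preprocessor never sees it.
cat > "$WORK/heimdal/krb5.h" <<'EOF'
typedef enum krb5_enctype {
    ETYPE_DES_CBC_CRC = 1,
    ETYPE_ARCFOUR_HMAC_MD5 = 23
} krb5_enctype;
EOF

# Unreliable probe: a #ifdef on the symbol. Succeeds (exit 0) only when the
# preprocessor sees a macro of that name.
probe_ifdef() {  # $1 = include dir, $2 = symbol
    printf '#include <krb5.h>\n#ifndef %s\n#error "not a macro"\n#endif\n' "$2" \
      | "$CC" -I"$1" -fsyntax-only -x c - 2>/dev/null
}

# Reliable probe: compile an expression that uses the symbol. A macro, an
# enumerator or a const all satisfy it; an absent symbol fails to compile.
probe_compile() {  # $1 = include dir, $2 = symbol
    printf '#include <krb5.h>\nint main(void){ krb5_enctype e = %s; return (int)e; }\n' "$2" \
      | "$CC" -I"$1" -fsyntax-only -x c - 2>/dev/null
}

# Wraps a probe's exit status as "yes"/"no" for easy comparison.
have_enctype() {  # $1 = probe function, $2 = include dir, $3 = symbol
    if "$1" "$2" "$3"; then echo yes; else echo no; fi
}

# Stand-alone run: report what each probe says for each mock library.
for lib in mit heimdal; do
    case $lib in mit) sym=ENCTYPE_ARCFOUR_HMAC ;; *) sym=ETYPE_ARCFOUR_HMAC_MD5 ;; esac
    printf '%-8s ifdef=%s compile=%s\n' "$lib" \
        "$(have_enctype probe_ifdef "$WORK/$lib" "$sym")" \
        "$(have_enctype probe_compile "$WORK/$lib" "$sym")"
done
```

Against the MIT-style header both probes answer yes; against the
Heimdal-style header only the compile probe does, which is exactly the
case in which a #ifdef-driven build would wrongly conclude that
arcfour-hmac-md5 is missing and fall back to DES.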