[PATCHES] limit kerberos encryption types used by winbindd

Ira Cooper ira at wakeful.net
Sun Jul 24 12:08:36 UTC 2016

On Sun, Jul 24, 2016 at 6:17 AM, Uri Simchoni <uri at samba.org> wrote:

> Hi,
> The attached patch set adds an smb.conf parameter which controls the
> Kerberos etypes placed in the krb5.conf file generated by winbindd and
> the net command (for some sub-commands such as net ads testjoin).
> It enables:
> 1. limiting the encryption types to AES at the client side to prevent
> downgrade attacks.
> 2. limiting encryption to RC4 to work around an issue with an RODC and a
> mixed env of 2003R2 and 2008R2 DCs.
> 1/4 - adds the parameter
> 2/4 - modify building of private krb5.conf to use the parameter
> 3/4 - a Heimdal fix for GSSAPI TGS requests which ignore krb5.conf (also
> sent upstream, still no resolution)
> 4/4 - a tshark-based test to ensure only configured etypes are being
> used in the actual Kerberos exchanges.
> Caveats:
> - Not tested with MIT, just with Heimdal (+1 to get those MIT patches in
> and have an MIT-based testenv!)
> - The test suite uses tshark and silently succeeds if it's not
> installed. This is so to avoid breaking people's dev env. It seems to be
> installed on sn-devel-1(0|4)4 so this arrangement will cause the test to
> run in autobuild, but it's not ideal and I'd appreciate suggestions on
> that.

Right now the MIT build is broken:

default/auth/credentials/credentials_krb5_7.o: In function
undefined reference to `krb5_cc_copy_cache'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/builddir/build/BUILD/samba-4.5.0/bin'
Build failed:  -> task failed (err #1):
    {task: cc_link
-> libsamba-credentials.so}
Makefile:8: recipe for target 'all' failed
make: *** [all] Error 1

I'd be glad to compile your patch on F24, but well... This is a problem :).
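As an added illustration of the policy Uri's patch set implements (this is example code, not part of the thread or of Samba's tree), the snippet below renders the `[libdefaults]` enctype lines a generator would write for a chosen policy and audits an existing krb5.conf against it, the config-file analogue of the tshark check in 4/4. The policy names `strong`/`legacy`/`all` and the three enctype keys are assumptions for illustration.

```python
# Added example (not Samba's code): render and audit the [libdefaults]
# enctype settings of a krb5.conf for the policies the thread describes.
# Policy names and the three keys are assumed for illustration.
import re

AES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]
RC4 = ["arcfour-hmac-md5"]
# "strong" blocks downgrade to RC4; "legacy" is the RODC/2003R2 workaround.
POLICIES = {"strong": AES, "legacy": RC4, "all": AES + RC4}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def libdefaults_fragment(policy):
    """Render the krb5.conf lines a generator would emit for a policy."""
    etypes = " ".join(POLICIES[policy])
    lines = ["[libdefaults]"] + ["\t%s = %s" % (k, etypes) for k in ENCTYPE_KEYS]
    return "\n".join(lines) + "\n"

def parse_libdefaults(text):
    """Return {key: [etype, ...]} for the enctype keys found in [libdefaults]."""
    found, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments and whitespace
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            found[key] = value.split()
    return found

def audit(text, policy="strong"):
    """Return a list of findings: unset keys or etypes outside the policy."""
    allowed = set(POLICIES[policy])
    conf = parse_libdefaults(text)
    problems = []
    for key in ENCTYPE_KEYS:
        if key not in conf:
            problems.append("%s not set (library default applies)" % key)
            continue
        problems += ["%s allows %s" % (key, et) for et in conf[key] if et not in allowed]
    return problems
```

An unset key is reported as a finding because the library default then decides which etypes the client offers, which is exactly the gap the patch closes.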