[PATCHES] limit kerberos encryption types used by winbindd

Ira Cooper ira at wakeful.net
Sun Jul 24 12:08:36 UTC 2016


On Sun, Jul 24, 2016 at 6:17 AM, Uri Simchoni <uri at samba.org> wrote:

> Hi,
>
> The attached patch set adds an smb.conf parameter which controls the
> Kerberos etypes placed in the krb5.conf file generated by winbindd and
> the net command (for some sub-commands such as net ads testjoin).
>
> It enables:
> 1. limiting the encryption types to AES at the client side to prevent
> downgrade attacks.
>
> 2. limiting encryption to RC4 to work around an issue with an RODC and a
> mixed env of 2003R2 and 2008R2 DCs.
>
> 1/4 - adds the parameter
> 2/4 - modify building of private krb5.conf to use the parameter
> 3/4 - a Heimdal fix for GSSAPI TGS requests which ignore krb5.conf (also
> sent upstream, still no resolution)
> 4/4 - a tshark-based test to ensure only configured etypes are being
> used in the actual Kerberos exchanges.
>
> Caveats:
> - Not tested with MIT, just with Heimdal (+1 to get those MIT patches in
> and have an MIT-based testenv!)
> - The test suite uses tshark and silently succeeds if it's not
> installed. This is so to avoid breaking people's dev env. It seems to be
> installed on sn-devel-1(0|4)4 so this arrangement will cause the test to
> run in autobuild, but it's not ideal and I'd appreciate suggestions on
> that.
>

Right now the MIT build is broken:


default/auth/credentials/credentials_krb5_7.o: In function
`cli_credentials_shallow_ccache':
/builddir/build/BUILD/samba-4.5.0/bin/../auth/credentials/credentials_krb5.c:766:
undefined reference to `krb5_cc_copy_cache'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/builddir/build/BUILD/samba-4.5.0/bin'
Build failed:  -> task failed (err #1):
    {task: cc_link
srv_keytab_8.o,credentials_1.o,secrets_6.o,credentials_krb5_7.o,credentials_ntlm_9.o,credentials_secrets_8.o,kerberos_util_6.o
-> libsamba-credentials.so}
Makefile:8: recipe for target 'all' failed
make: *** [all] Error 1

I'd be glad to compile your patch on F24, but well... This is a problem :).

Cheers,

-Ira
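The two things Uri's quoted message describes, restricting the etypes winbindd writes into its private krb5.conf and then confirming with tshark that only those etypes appear on the wire, can be illustrated with a small script. The following is an added example; it is not part of the attached patch set, Samba, or either mail. It assumes the parameter is spelled `kerberos encryption types` with the values `strong` (AES only), `legacy` (RC4 only) and `all`, assumes MIT-style krb5.conf key names, and uses constructed `tshark -T fields -e kerberos.etype` output as its sample capture.

```python
"""Added example (not Samba code): map an etype policy to krb5.conf lines
and check a Kerberos capture for etypes outside that policy.

Assumptions (not stated on the page): parameter name
``kerberos encryption types`` with values strong / legacy / all, and
MIT-style krb5.conf keys. The capture lines below are constructed.
"""

# IANA Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    18: "aes256-cts-hmac-sha1-96",
    17: "aes128-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
    3: "des-cbc-md5",
}

# Assumed policy -> allowed etypes.  "strong" is the AES-only setting that
# stops a downgrade to RC4; "legacy" is the RC4-only workaround for the
# RODC / mixed 2003R2 + 2008R2 environment from the message.
POLICY = {
    "strong": [18, 17],
    "legacy": [23],
    "all": [18, 17, 23, 3],
}


def krb5_conf_enctype_lines(policy: str) -> list[str]:
    """Return the [libdefaults] lines that pin the client to the policy's
    etypes (MIT-style key names; assumed, not quoted from Samba)."""
    joined = " ".join(ETYPE_NAMES[e] for e in POLICY[policy])
    return [
        f"\tdefault_tgs_enctypes = {joined}",
        f"\tdefault_tkt_enctypes = {joined}",
        f"\tpermitted_enctypes = {joined}",
    ]


def parse_tshark_etypes(lines) -> set[int]:
    """Parse ``tshark -T fields -e kerberos.etype`` output: one line per
    packet, etype numbers comma-separated, blank line when absent."""
    seen = set()
    for line in lines:
        for tok in line.strip().split(","):
            tok = tok.strip()
            if tok:
                seen.add(int(tok))
    return seen


def unexpected_etypes(policy: str, capture_lines) -> list[int]:
    """Etypes seen in the capture that the policy does not allow.
    An empty list means the exchange stayed within the configured set."""
    allowed = set(POLICY[policy])
    return sorted(parse_tshark_etypes(capture_lines) - allowed)


# Constructed sample capture: an AS-REQ offering AES and RC4, then
# replies using AES256.  Not real traffic.
SAMPLE_CAPTURE = [
    "18,17,23",   # AS-REQ: client advertised AES256, AES128, RC4
    "18",         # AS-REP: ticket issued with AES256
    "",           # non-Kerberos packet, no etype field
    "18",         # TGS-REQ authenticator
]


if __name__ == "__main__":
    print("\n".join(krb5_conf_enctype_lines("strong")))
    print("unexpected under 'strong':", unexpected_etypes("strong", SAMPLE_CAPTURE))
```

With the `strong` policy the sample capture is flagged because the AS-REQ still advertised RC4 (etype 23), which is exactly the condition the tshark-based test in patch 4/4 is meant to catch; under `all` the same capture passes.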
