[PATCHES] limit kerberos encryption types used by winbindd

Ira Cooper ira at wakeful.net
Sun Jul 24 13:31:43 UTC 2016


On Sun, Jul 24, 2016 at 8:49 AM, Alexander Bokovoy <ab at samba.org> wrote:

> On Sun, 24 Jul 2016, Ira Cooper wrote:
> > On Sun, Jul 24, 2016 at 6:17 AM, Uri Simchoni <uri at samba.org> wrote:
> >
> > > Hi,
> > >
> > > The attached patch set adds an smb.conf parameter which controls the
> > > Kerberos etypes placed in the krb5.conf file generated by winbindd and
> > > the net command (for some sub-commands such as net ads testjoin).
> > >
> > > It enables:
> > > 1. limiting the encryption types to AES at the client side to prevent
> > > downgrade attacks.
> > >
> > > 2. limiting encryption to RC4 to work around an issue with an RODC and a
> > > mixed env of 2003R2 and 2008R2 DCs.
> > >
> > > 1/4 - adds the parameter
> > > 2/4 - modify building of private krb5.conf to use the parameter
> > > 3/4 - a Heimdal fix for GSSAPI TGS requests which ignore krb5.conf (also
> > > sent upstream, still no resolution)
> > > 4/4 - a tshark-based test to ensure only configured etypes are being
> > > used in the actual Kerberos exchanges.
> > >
> > > Caveats:
> > > - Not tested with MIT, just with Heimdal (+1 to get those MIT patches in
> > > and have an MIT-based testenv!)
> > > - The test suite uses tshark and silently succeeds if it's not
> > > installed. This is so to avoid breaking people's dev env. It seems to be
> > > installed on sn-devel-1(0|4)4 so this arrangement will cause the test to
> > > run in autobuild, but it's not ideal and I'd appreciate suggestions on
> > > that.
> > >
> >
> > Right now the MIT build is broken:
> >
> >
> > default/auth/credentials/credentials_krb5_7.o: In function
> > `cli_credentials_shallow_ccache':
> >
> > /builddir/build/BUILD/samba-4.5.0/bin/../auth/credentials/credentials_krb5.c:766:
> > undefined reference to `krb5_cc_copy_cache'
> > collect2: error: ld returned 1 exit status
> > Waf: Leaving directory `/builddir/build/BUILD/samba-4.5.0/bin'
> > Build failed:  -> task failed (err #1):
> >     {task: cc_link
> > srv_keytab_8.o,credentials_1.o,secrets_6.o,credentials_krb5_7.o,credentials_ntlm_9.o,credentials_secrets_8.o,kerberos_util_6.o
> > -> libsamba-credentials.so}
> > Makefile:8: recipe for target 'all' failed
> > make: *** [all] Error 1
> >
> > I'd be glad to compile your patch on F24, but well... This is a problem :).
> Attached patch should help.
>


That compiles.

I'll run Uri's patch at least, though my machine isn't a real test env.

Cheers,

-Ira
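The check Uri describes in 4/4 (confirm that only the configured etypes appear in the actual Kerberos exchange) is easy to get subtly wrong, because the KDC picks the session-key etype from whatever the client advertises: if the client still lists RC4 in its AS-REQ, an attacker in the path needs no downgrade trick at all. The following is an added example and not Samba's code or Uri's patch. It assumes a policy name to etype mapping ("strong" = AES only, "legacy" = RC4 only, "all" = everything; the thread gives the intent but not the exact names or lists), writes the three libdefaults keys the way a generated krb5.conf might, and then verifies a constructed exchange (the kind of per-message etype list a `tshark -T fields` dump yields) against the permitted set. The exchange data is constructed for the example, not captured.

```python
"""Verify that a Kerberos exchange only used etypes permitted by krb5.conf.

Added example, not Samba's code. POLICIES and the krb5.conf keys are
assumptions standing in for whatever the smb.conf parameter maps to.
"""
import re

# Well-known etype numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac-md5": 23,
}

# Assumed policy -> etype lists: "strong" keeps only AES (anti-downgrade),
# "legacy" forces RC4 (the RODC / mixed-DC workaround), "all" restricts nothing.
POLICIES = {
    "all": list(ETYPE_NUMBERS),
    "strong": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "legacy": ["arcfour-hmac-md5"],
}

LIBDEFAULTS_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def krb5_conf_libdefaults(policy):
    """Render a [libdefaults] section that pins all three enctype keys to the policy."""
    names = POLICIES[policy]
    lines = ["[libdefaults]"]
    for key in LIBDEFAULTS_KEYS:
        lines.append(f"\t{key} = {' '.join(names)}")
    return "\n".join(lines) + "\n"


def allowed_etypes(krb5_conf_text):
    """Return the set of etype numbers the config permits.

    Takes the intersection of every enctype key set in [libdefaults]; if none
    is set, every known etype is allowed (the unrestricted, attackable default).
    """
    allowed = None
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key not in LIBDEFAULTS_KEYS:
            continue
        nums = set()
        for name in value.split():
            if name not in ETYPE_NUMBERS:
                raise ValueError(f"unknown enctype name in {key}: {name}")
            nums.add(ETYPE_NUMBERS[name])
        allowed = nums if allowed is None else allowed & nums
    return set(ETYPE_NUMBERS.values()) if allowed is None else allowed


def check_exchange(allowed, messages):
    """Return (message name, etype) for every etype on the wire that is not allowed.

    `messages` is a list of (name, [etype numbers]) per Kerberos message, i.e. the
    shape a tshark field dump of the etype fields gives after parsing.
    """
    return [(name, e) for name, etypes in messages for e in etypes if e not in allowed]


# Constructed exchange: the client still advertises RC4 (23) in its requests and
# the KDC picks it for the session key. A "strong" policy must flag every one.
SAMPLE_EXCHANGE = [
    ("AS-REQ", [18, 17, 23]),   # etypes the client advertises
    ("AS-REP", [18, 23]),       # ticket enc-part etype, reply enc-part (session) etype
    ("TGS-REQ", [18, 17, 23]),
    ("TGS-REP", [23, 23]),
]

if __name__ == "__main__":
    for policy in POLICIES:
        allowed = allowed_etypes(krb5_conf_libdefaults(policy))
        print(policy, sorted(allowed), check_exchange(allowed, SAMPLE_EXCHANGE))
```

The intersection in `allowed_etypes` is deliberate: a krb5.conf that sets `default_tkt_enctypes` to AES but leaves `permitted_enctypes` unset (or the other way round) is exactly the half-configured state the tshark test is meant to catch, so the checker takes the strictest reading and anything on the wire outside it is reported as a violation. Unknown enctype names raise rather than being ignored, since a typo that silently widens the allowed set defeats the purpose.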


More information about the samba-technical mailing list