[PATCHES] limit kerberos encryption types used by winbindd

Günther Deschner gd at samba.org
Mon Jul 25 09:44:50 UTC 2016


Hi Alexander,

build patch looks fine, rb+ and pushed to autobuild.

Thanks!
Guenther


On 24/07/16 14:49, Alexander Bokovoy wrote:
> On Sun, 24 Jul 2016, Ira Cooper wrote:
>> On Sun, Jul 24, 2016 at 6:17 AM, Uri Simchoni <uri at samba.org> wrote:
>>
>>> Hi,
>>>
>>> The attached patch set adds an smb.conf parameter which controls the
>>> Kerberos etypes placed in the krb5.conf file generated by winbindd and
>>> the net command (for some sub-commands such as net ads testjoin).
>>>
>>> It enables:
>>> 1. limiting the encryption types to AES at the client side to prevent
>>> downgrade attacks.
>>>
>>> 2. limiting encryption to RC4 to work around an issue with an RODC and a
>>> mixed env of 2003R2 and 2008R2 DCs.
>>>
>>> 1/4 - adds the parameter
>>> 2/4 - modify building of private krb5.conf to use the parameter
>>> 3/4 - a Heimdal fix for GSSAPI TGS requests which ignore krb5.conf (also
>>> sent upstream, still no resolution)
>>> 4/4 - a tshark-based test to ensure only configured etypes are being
>>> used in the actual Kerberos exchanges.
>>>
>>> Caveats:
>>> - Not tested with MIT, just with Heimdal (+1 to get those MIT patches in
>>> and have an MIT-based testenv!)
>>> - The test suite uses tshark and silently succeeds if it's not
>>> installed. This is to avoid breaking people's dev env. It seems to be
>>> installed on sn-devel-1(0|4)4 so this arrangement will cause the test to
>>> run in autobuild, but it's not ideal and I'd appreciate suggestions on
>>> that.
>>>
>>
>> Right now the MIT build is broken:
>>
>>
>> default/auth/credentials/credentials_krb5_7.o: In function
>> `cli_credentials_shallow_ccache':
>> /builddir/build/BUILD/samba-4.5.0/bin/../auth/credentials/credentials_krb5.c:766:
>> undefined reference to `krb5_cc_copy_cache'
>> collect2: error: ld returned 1 exit status
>> Waf: Leaving directory `/builddir/build/BUILD/samba-4.5.0/bin'
>> Build failed:  -> task failed (err #1):
>>     {task: cc_link
>> srv_keytab_8.o,credentials_1.o,secrets_6.o,credentials_krb5_7.o,credentials_ntlm_9.o,credentials_secrets_8.o,kerberos_util_6.o
>> -> libsamba-credentials.so}
>> Makefile:8: recipe for target 'all' failed
>> make: *** [all] Error 1
>>
>> I'd be glad to compile your patch on F24, but well... This is a problem :).
> Attached patch should help.
> 


-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
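The 4/4 patch in the thread above is described as a tshark-based test that checks only the configured etypes appear in the actual Kerberos exchanges. The following is an added example of such a check, written for this page and not taken from the Samba patch set: it parses tshark `-T fields` output (the `kerberos.msg_type` and `kerberos.etype` dissector fields are real tshark field names; the sample lines, the `aes`/`rc4` profile names and the helper function names are constructed for the example) and reports any frame that carries an encryption type outside the allowed set. It also mirrors the caveat in the thread by returning None rather than failing when tshark is not installed.

```python
"""Verify that captured Kerberos traffic only uses an allowed set of etypes.

Example code written for this page (not Samba's test). Input mimics:
  tshark -r capture.pcap -Y kerberos -T fields \
      -e frame.number -e kerberos.msg_type -e kerberos.etype
which prints one tab-separated line per frame, with repeated etype
values joined by commas. The sample lines below are constructed.
"""
import shutil
import subprocess

# IANA Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Profile names are an assumption for this example, not smb.conf values.
ALLOWED_PROFILES = {
    "aes": {17, 18},   # AES only: blocks a downgrade to RC4/DES
    "rc4": {23},       # RC4 only: the RODC / mixed-DC workaround case
}

# KRB message type numbers from RFC 4120 for readable reports.
MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP"}

# Constructed tshark output: an AES-only exchange and one that offers RC4.
SAMPLE_AES_ONLY = "1\t10\t18,17\n2\t11\t18\n3\t12\t18,17\n4\t13\t18\n"
SAMPLE_DOWNGRADE = "1\t10\t18,17,23\n2\t11\t23\n"


def parse_tshark_fields(text):
    """Yield (frame, msg_type, [etypes]) for each non-empty output line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        frame = int(parts[0])
        msg_type = int(parts[1]) if len(parts) > 1 and parts[1] else None
        etypes = []
        if len(parts) > 2 and parts[2]:
            etypes = [int(e) for e in parts[2].split(",") if e]
        yield frame, msg_type, etypes


def find_violations(text, profile):
    """Return [(frame, msg_type_name, [bad etype names])] for disallowed etypes."""
    allowed = ALLOWED_PROFILES[profile]
    violations = []
    for frame, msg_type, etypes in parse_tshark_fields(text):
        bad = sorted(set(etypes) - allowed)
        if bad:
            violations.append((
                frame,
                MSG_TYPES.get(msg_type, str(msg_type)),
                [ETYPE_NAMES.get(e, str(e)) for e in bad],
            ))
    return violations


def check_capture(pcap_path, profile):
    """Run tshark on a capture file; None means tshark is unavailable (skip)."""
    tshark = shutil.which("tshark")
    if tshark is None:
        return None
    out = subprocess.run(
        [tshark, "-r", pcap_path, "-Y", "kerberos", "-T", "fields",
         "-e", "frame.number", "-e", "kerberos.msg_type", "-e", "kerberos.etype"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_violations(out, profile)


if __name__ == "__main__":
    for name, sample in (("aes-only", SAMPLE_AES_ONLY), ("downgrade", SAMPLE_DOWNGRADE)):
        print(name, find_violations(sample, "aes"))
```

A test harness built on this would treat `None` from `check_capture` as "skipped" and a non-empty list as a failure, which keeps the silent-success behaviour the thread mentions explicit rather than hidden.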
