CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 15 Nov 2022 05:14:36 +0000 (18:14 +1300)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 13:07:29 +0000 (13:07 +0000)
This matches the Windows registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml [new file with mode: 0644]
lib/param/loadparm.c
librpc/idl/security.idl
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644 (file)
index 0000000..e93650a
--- /dev/null
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+                 type="integer"
+                 context="G"
+                 handler="handle_kdc_default_domain_supported_enctypes"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+  </para>
+
+  <para>
+    This allows Samba administrators to match the configuration flexibility provided by the
+    <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows.
+  </para>
+  <para>
+    Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names.
+  </para>
+  <para>
+    Specified values are ORed together bitwise, and those currently supported consist of:
+    </para><itemizedlist>
+   <listitem>
+       <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+       <para>Known on Windows as Kerberos RC4 encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+       <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+       <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para>
+       <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set.  This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para>
+   </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
+</samba:parameter>
index 1dcc8061fa2198e7c834d16e38af6dd066887514..1cb25f843b3b57b014be01967ede7a7fc593d281 100644 (file)
@@ -70,6 +70,7 @@
 #include "tdb.h"
 #include "librpc/gen_ndr/nbt.h"
 #include "librpc/gen_ndr/dns.h"
+#include "librpc/gen_ndr/security.h"
 #include "libds/common/roles.h"
 #include "lib/util/samba_util.h"
 #include "libcli/auth/ntlm_check.h"
@@ -1704,6 +1705,80 @@ out:
        return value_is_valid;
 }
 
+bool handle_kdc_default_domain_supported_enctypes(struct loadparm_context *lp_ctx,
+                                                 struct loadparm_service *service,
+                                                 const char *pszParmValue, char **ptr)
+{
+       char **enctype_list = NULL;
+       char **enctype = NULL;
+       uint32_t result = 0;
+       bool ok = true;
+
+       enctype_list = str_list_make(NULL, pszParmValue, NULL);
+       if (enctype_list == NULL) {
+               DBG_ERR("OOM: failed to make string list from %s\n",
+                       pszParmValue);
+               ok = false;
+               goto out;
+       }
+
+       for (enctype = enctype_list; *enctype != NULL; ++enctype) {
+               if (strwicmp(*enctype, "arcfour-hmac-md5") == 0 ||
+                   strwicmp(*enctype, "rc4-hmac") == 0)
+               {
+                       result |= KERB_ENCTYPE_RC4_HMAC_MD5;
+               }
+               else if (strwicmp(*enctype, "aes128-cts-hmac-sha1-96") == 0 ||
+                        strwicmp(*enctype, "aes128-cts") == 0)
+               {
+                       result |= KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+               }
+               else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96") == 0 ||
+                        strwicmp(*enctype, "aes256-cts") == 0)
+               {
+                       result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+               }
+               else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96-sk") == 0 ||
+                        strwicmp(*enctype, "aes256-cts-sk") == 0)
+               {
+                       result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+               }
+               else {
+                       const char *bitstr = *enctype;
+                       int base;
+                       int error;
+                       unsigned long bit;
+
+                       /* See if the bit's specified in hexadecimal. */
+                       if (bitstr[0] == '0' &&
+                           (bitstr[1] == 'x' || bitstr[2] == 'X'))
+                       {
+                               base = 16;
+                               bitstr += 2;
+                       }
+                       else {
+                               base = 10;
+                       }
+
+                       bit = smb_strtoul(bitstr, NULL, base, &error, SMB_STR_FULL_STR_CONV);
+                       if (error) {
+                               DBG_ERR("WARNING: Ignoring invalid value '%s' "
+                                       "for parameter 'kdc default domain supported enctypes'\n",
+                                       *enctype);
+                               ok = false;
+                       } else {
+                               result |= bit;
+                       }
+               }
+       }
+
+       *(int *)ptr = result;
+out:
+       TALLOC_FREE(enctype_list);
+
+       return ok;
+}
+
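Review bot: The hexadecimal-prefix test on the `if (bitstr[0] == '0' &&` line compares `bitstr[2]` against `'X'` where `bitstr[1]` was clearly intended, so an upper-case `0X20` is handed to smb_strtoul() as base 10 and rejected under SMB_STR_FULL_STR_CONV, and a bare `0` token (where `bitstr[1]` is already the terminator) reads one byte past the end of the string. The condition should read `(bitstr[1] == 'x' || bitstr[1] == 'X'))`. Separately, `bit` is an unsigned long that is ORed into the uint32_t `result`, so a value wider than 32 bits is silently truncated rather than reported; checking `if (bit > UINT32_MAX)` before the OR and setting `ok = false` would treat it like the other unparseable tokens. The log text "WARNING: Ignoring invalid value" also reads as best-effort while the function returns false and fails the parameter, so either the wording or the return value should be made consistent. handle_kdc_default_domain_supported_enctypes is contained entirely within this hunk.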
 static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service,
                         int parmnum, void *parm_ptr,
                         const char *pszParmName, const char *pszParmValue,
@@ -3012,6 +3087,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
                                  "rpc start on demand helpers",
                                  "yes");
 
+       lpcfg_do_global_parameter(lp_ctx,
+                                 "kdc default domain supported enctypes",
+                                 "rc4-hmac aes256-cts-hmac-sha1-96-sk");
+
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
index 2ef341704794ecf1aa2a2f835862744b667c34a1..3d2c8a33903aaaec4c1af23eaca9e7f334bafa88 100644 (file)
@@ -734,6 +734,7 @@ interface security
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
+               KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020,
                KERB_ENCTYPE_FAST_SUPPORTED          = 0x00010000,
                KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
                KERB_ENCTYPE_CLAIMS_SUPPORTED        = 0x00040000,
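Review bot: The new `KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK` line does not align its `=` with the neighbouring enumerators, which all pad the name to a common column, and the bit carries no comment even though its meaning is not derivable from the name. Since the accompanying documentation in this commit describes it as allowing AES session keys even when the AES ticket-key bits are not set, a short trailing comment would help readers of the IDL, e.g. `/* AES session keys allowed even when the AES ticket-key bits are unset */`.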
index a0c9249b77704bd11f96f396be7a3db329a9cf0e..27a77c71f5e3c54221add1068ac610a2935129a1 100644 (file)
@@ -993,6 +993,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
         */
        Globals.rpc_start_on_demand_helpers = true;
 
+       Globals.kdc_default_domain_supported_enctypes =
+               KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }
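Review bot: The default `KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK` assigned to `Globals.kdc_default_domain_supported_enctypes` here is the third independent statement of the same default in this commit (the string "rc4-hmac aes256-cts-hmac-sha1-96-sk" in lib/param/loadparm.c and the value 36 in the XML documentation are the others), with nothing tying them together. A comment above the assignment, such as `/* Must match the default in lib/param/loadparm.c and the smb.conf documentation (36). */`, would reduce the chance of the three drifting apart in a later change. The enclosing init_globals() starts before this hunk.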