s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNO
authorAndrew Bartlett <abartlet@samba.org>
Tue, 28 Sep 2010 02:49:44 +0000 (12:49 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 28 Sep 2010 18:23:07 +0000 (04:23 +1000)
Andrew Bartlett

source4/auth/sam.c
source4/kdc/db-glue.c

index bdbf6906a35736babfc69c0df38c7c2199c1dbc3..0f97a1959649549f12e83385b50d1cc79e4a14be 100644 (file)
@@ -36,6 +36,7 @@
        "userPrincipalName",                    \
        "servicePrincipalName",                 \
        "msDS-KeyVersionNumber",                \
+       "msDS-SecondaryKrbTgtNumber"            \
        "msDS-SupportedEncryptionTypes",        \
        "supplementalCredentials",              \
                                                \
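Review bot: The added line is missing its trailing comma, so the compiler concatenates the two adjacent string literals into a single entry `"msDS-SecondaryKrbTgtNumbermsDS-SupportedEncryptionTypes"` and neither attribute name is actually requested by this list. If this attribute list feeds the lookups in db-glue.c, msDS-SupportedEncryptionTypes would then silently fall back to its default (ENC_ALL_TYPES) and the new msDS-SecondaryKrbTgtNumber check would never fire — I cannot confirm that wiring from this page, but the concatenation itself is certain. The fix is `"msDS-SecondaryKrbTgtNumber",            \`. The macro this list belongs to begins outside the hunk.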
index 68f1e4b88bafafee045bb8b78358dbf2cb6f4c98..bad32535029db775a48c6cead47655cc2f3b63da 100644 (file)
@@ -212,6 +212,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
        struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
        uint16_t i;
        uint16_t allocated_keys = 0;
+       int rodc_krbtgt_number = 0;
+       bool is_rodc = false;
 
        /* Supported Enc for this entry */
        uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
@@ -225,7 +227,19 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
        }
        supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
                                                        supported_enctypes);
-       if (rid == DOMAIN_RID_KRBTGT) {
+       /* Is this the krbtgt or a RODC */
+
+       if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
+               is_rodc = true;
+
+               rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
+
+               if (rodc_krbtgt_number == -1) {
+                       return EINVAL;
+               }
+       }
+
+       if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
                /* Be double-sure never to use DES here */
                supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
        }
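Review bot: The new check only rejects the -1 sentinel, yet the value is later shifted into the upper 16 bits of the kvno (`rodc_krbtgt_number << 16` in the following hunk), so any other negative value or a value above 0xffff passes through; left-shifting a negative or overlarge int is undefined behavior and could yield a KVNO that collides with another krbtgt account's. Validate the range where the value is parsed: `if (rodc_krbtgt_number < 0 || rodc_krbtgt_number > 0xffff) { return EINVAL; }`. The comment `/* Is this the krbtgt or a RODC */` also overstates what is tested — presence of msDS-SecondaryKrbTgtNumber presumably identifies an RODC's secondary krbtgt account rather than any RODC object, so I would reword it to `/* Is this the krbtgt, or an RODC's secondary krbtgt account? */`. samba_kdc_message2entry_keys begins and ends outside this hunk.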
@@ -251,6 +265,9 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
        entry_ex->entry.keys.len = 0;
 
        entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
+       if (is_rodc) {
+               entry_ex->entry.kvno |= (rodc_krbtgt_number << 16);
+       }
 
        /* Get keys from the db */