}
#endif
-uint32_t kerberos_supported_encryption_types(void)
-{
- uint32_t encryption_types = 0;
-
- if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
- lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- encryption_types |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
- encryption_types |= ENC_HMAC_SHA1_96_AES256;
-#endif
- }
-
- if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
- lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
- encryption_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
- }
-
- return encryption_types;
-}
-
bool create_local_private_krb5_conf_for_domain(const char *realm,
const char *domain,
const char *sitename,
ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
- ctx->in.desired_encryption_types = kerberos_supported_encryption_types();
+ ctx->in.desired_encryption_types = ENC_CRC32 |
+ ENC_RSA_MD5 |
+ ENC_RC4_HMAC_MD5;
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
+#endif
*r = ctx;
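Review bot: The new assignment to `ctx->in.desired_encryption_types` always starts from `ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5`, so the DES and RC4 types are requested whatever `lp_kerberos_encryption_types()` returns. The removed `kerberos_supported_encryption_types()` left those legacy bits out for `KERBEROS_ETYPES_STRONG`, so a strong-only configuration would no longer be reflected in what the join asks for. How this value is used after the join is not visible in the hunk, and the enclosing function starts and ends outside it. If the accessor still exists after this commit, keep the legacy bits conditional: `ctx->in.desired_encryption_types = 0;` followed by `if (lp_kerberos_encryption_types() != KERBEROS_ETYPES_STRONG) ctx->in.desired_encryption_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;`. If the unconditional set is deliberate, add a comment above the assignment saying why the weak types are always requested.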
krb5_principal princ = NULL;
krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */
NTSTATUS status;
- uint32_t announced_enc_types;
- uint32_t supported_enc_types;
if (!secrets_init()) {
DEBUG(1, (__location__ ": secrets_init failed\n"));
return KRB5_LIBOS_CANTREADPWD;
}
ct = &info->password->cleartext_blob;
- {
- const char *str = secrets_domain_info_string(frame, info, domain, false);
- DBG_ERR("%s\n", str);
- }
+
if (info->domain_info.dns_domain.string != NULL) {
realm = strupper_talloc(frame,
info->domain_info.dns_domain.string);
goto out;
}
- /*
- * we use the effective configured value
- * instead of the one we stored on the domain controller.
- */
- announced_enc_types = info->supported_enc_types;
- if (announced_enc_types == 0) {
- announced_enc_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
- if (lp_server_role() >= ROLE_ACTIVE_DIRECTORY_DC) {
- /* DCs and RODCs comptuer accounts use AES */
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- announced_enc_types |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
- announced_enc_types |= ENC_HMAC_SHA1_96_AES256;
-#endif
- }
- }
- supported_enc_types = kerberos_supported_encryption_types();
- if (announced_enc_types != supported_enc_types) {
- DBG_NOTICE("announced_enc_types[0x%08X] != "
- "supported_enc_types[0x%08X]\n",
- (unsigned)announced_enc_types,
- (unsigned)supported_enc_types);
- }
-
ret = fill_keytab_from_password(krbctx, *keytab,
princ, kvno,
info->password);
ENC_HMAC_SHA1_96_AES256);
}
-#if 0
-static void net_ads_enctype_secrets_update__enctypes(const char *domain,
- const char *enctype_str)
-{
-// int enctypes = atoi(enctype_str);
-
-}
-#endif
-
static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
{
int ret = -1;