more enctypes...
authorStefan Metzmacher <metze@samba.org>
Thu, 17 Aug 2017 15:46:11 +0000 (17:46 +0200)
committerStefan Metzmacher <metze@samba.org>
Mon, 18 Feb 2019 11:47:34 +0000 (12:47 +0100)
source3/libads/kerberos.c
source3/libads/kerberos_proto.h
source3/libnet/libnet_join.c
source3/librpc/crypto/gse_krb5.c
source3/utils/net_ads.c

index c8aa9191c7ee6f307a2a1640da074880b0bebfee..bb6b91ee95e4066e14d44ef1cd8e2435e1df5460 100644 (file)
@@ -599,6 +599,28 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
 }
 #endif
 
+uint32_t kerberos_supported_encryption_types(void)
+{
+       uint32_t encryption_types = 0;
+
+       if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+           lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+               encryption_types |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+               encryption_types |= ENC_HMAC_SHA1_96_AES256;
+#endif
+       }
+
+       if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+           lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
+               encryption_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+       }
+
+       return encryption_types;
+}
+
 bool create_local_private_krb5_conf_for_domain(const char *realm,
                                                const char *domain,
                                                const char *sitename,
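Review bot: `lp_kerberos_encryption_types()` is evaluated four times in `kerberos_supported_encryption_types`, once per operand of each condition; read it once into a local, `const int etypes = lp_kerberos_encryption_types();`, and test `etypes == KERBEROS_ETYPES_ALL || etypes == KERBEROS_ETYPES_STRONG` (and likewise for the legacy branch), so the two conditions are guaranteed to see the same value and the function's intent is visible at a glance. The function also returns 0 when the configured value matches neither branch, or when STRONG is configured on a build where neither HAVE_ENCTYPE_AES*_CTS_HMAC_SHA1_96 macro is defined; the libnet_join.c hunk assigns that result to `ctx->in.desired_encryption_types` without a check, so a short comment on the return value stating that 0 is possible would help callers, e.g. `/* Returns 0 if no enctype is both configured and compiled in. */`. A header comment on the definition naming the `kerberos encryption types` option it reflects is also missing.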
index f92cabd757ebf3d755bba4835af1f0f7c682a6f0..aac8d311b39438640acdb6f8e9599034763e0a8c 100644 (file)
@@ -61,6 +61,7 @@ int kerberos_kinit_password(const char *principal,
                            const char *password,
                            int time_offset,
                            const char *cache_name);
+uint32_t kerberos_supported_encryption_types(void);
 bool create_local_private_krb5_conf_for_domain(const char *realm,
                                                const char *domain,
                                                const char *sitename,
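Review bot: The new prototype `kerberos_supported_encryption_types` carries no comment, unlike a reader of kerberos_proto.h would want for a function whose value is written into the domain join context. Add a one-line comment above it describing the contract, e.g. `/* ENC_* bitmask of the enctypes allowed by "kerberos encryption types" and compiled into this build; 0 if none. */`.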
index 27fc5135442cf47bb36ad7e64bc8e24cc3b6acf9..5a0834520820b2de77d86d2a4c72a7a80c4ffdb3 100644 (file)
@@ -2361,15 +2361,7 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
 
        ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
 
-       ctx->in.desired_encryption_types = ENC_CRC32 |
-                                          ENC_RSA_MD5 |
-                                          ENC_RC4_HMAC_MD5;
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-       ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-       ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
-#endif
+       ctx->in.desired_encryption_types = kerberos_supported_encryption_types();
 
        *r = ctx;
 
index 172616ca3dc220c59a3b5016ec069b6f3c9052a9..c64566f2d4041bbbc6dc8cbe9fb9f13a1281a592 100644 (file)
@@ -165,6 +165,8 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
        krb5_principal princ = NULL;
        krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */
        NTSTATUS status;
+       uint32_t announced_enc_types;
+       uint32_t supported_enc_types;
 
        if (!secrets_init()) {
                DEBUG(1, (__location__ ": secrets_init failed\n"));
@@ -182,7 +184,10 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
                return KRB5_LIBOS_CANTREADPWD;
        }
        ct = &info->password->cleartext_blob;
-
+       {
+       const char *str = secrets_domain_info_string(frame, info, domain, false);
+       DBG_ERR("%s\n", str);
+       }
        if (info->domain_info.dns_domain.string != NULL) {
                realm = strupper_talloc(frame,
                                info->domain_info.dns_domain.string);
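Review bot: `DBG_ERR("%s\n", str);` logs the secrets domain info string at error level on every call of `fill_mem_keytab_from_secrets`, which reads like a debugging leftover rather than an error condition; if the output is meant to stay, it belongs at `DBG_DEBUG` level, otherwise the whole brace block should be dropped. If `secrets_domain_info_string` can return NULL on allocation failure (not visible here), passing that to `%s` is undefined behaviour, so guard it: `if (str != NULL) { DBG_DEBUG("%s\n", str); }`. Stylistically the anonymous block at the function's indentation, with its contents not indented further, hides its scope; either indent the body or declare `str` with the other locals. The enclosing function starts and ends outside this hunk.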
@@ -257,6 +262,31 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
                goto out;
        }
 
+       /*
+        * we use the effective configured value
+        * instead of the one we stored on the domain controller.
+        */
+       announced_enc_types = info->supported_enc_types;
+       if (announced_enc_types == 0) {
+               announced_enc_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+               if (lp_server_role() >= ROLE_ACTIVE_DIRECTORY_DC) {
+                       /* DCs and RODCs comptuer accounts use AES */
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+                       announced_enc_types |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+                       announced_enc_types |= ENC_HMAC_SHA1_96_AES256;
+#endif
+               }
+       }
+       supported_enc_types = kerberos_supported_encryption_types();
+       if (announced_enc_types != supported_enc_types) {
+               DBG_NOTICE("announced_enc_types[0x%08X] != "
+                          "supported_enc_types[0x%08X]\n",
+                          (unsigned)announced_enc_types,
+                          (unsigned)supported_enc_types);
+       }
+
        ret = fill_keytab_from_password(krbctx, *keytab,
                                        princ, kvno,
                                        info->password);
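Review bot: The leading comment says the effective configured value is used instead of the one stored on the domain controller, but within this hunk `supported_enc_types` is only compared against `announced_enc_types` for a DBG_NOTICE and neither value is passed to `fill_keytab_from_password`; if the configured value is applied somewhere outside the hunk the comment should say where, otherwise it should be reworded to describe what the code does, e.g. `/* Warn when the enctypes we announced to the DC differ from the effective configured set. */`. The comment on the DC branch has a typo: `/* DCs and RODCs comptuer accounts use AES */` should read `/* DC and RODC computer accounts use AES */`. The AES default block duplicates the `#ifdef HAVE_ENCTYPE_AES*` logic of the new `kerberos_supported_encryption_types` in kerberos.c, so a later enctype addition has to be made in both places. The enclosing function starts and ends outside this hunk.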
index 1f055507ad723950b47b035304cecac115997dc6..ae2a03dbe9789aa50cd8932b6823c2b9c623d94c 100644 (file)
@@ -3599,6 +3599,15 @@ static void net_ads_enctype_dump_enctypes(const char *username,
                ENC_HMAC_SHA1_96_AES256);
 }
 
+#if 0
+static void net_ads_enctype_secrets_update__enctypes(const char *domain,
+                                                    const char *enctype_str)
+{
+//     int enctypes = atoi(enctype_str);
+
+}
+#endif
+
 static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
 {
        int ret = -1;
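Review bot: The `#if 0` block adds a function `net_ads_enctype_secrets_update__enctypes` with an empty body and a commented-out `atoi` call, which is dead code that will never compile and carries no explanation; either remove the block or replace it with a one-line TODO naming what is planned. If it is later enabled, parse `enctype_str` with `strtol` and check `endptr`/`errno` rather than `atoi`, since the value comes from the command line and `atoi` cannot report a malformed argument. The double underscore in the function name also looks like a typo.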