From: Stefan Metzmacher
Date: Thu, 17 Aug 2017 15:46:11 +0000 (+0200)
Subject: more enctypes...
X-Git-Url: http://git.samba.org/?p=metze%2Fsamba%2Fwip.git;a=commitdiff_plain;h=b87c8bc3a550e8ac0e7ca30d1a35ad112012332e
more enctypes...
---
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index c8aa9191c7ee..bb6b91ee95e4 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -599,6 +599,28 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
 }
 #endif
+uint32_t kerberos_supported_encryption_types(void)
+{
+	uint32_t encryption_types = 0;
+
+	if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+	    lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+		encryption_types |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+		encryption_types |= ENC_HMAC_SHA1_96_AES256;
+#endif
+	}
+
+	if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
+	    lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
+		encryption_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+	}
+
+	return encryption_types;
+}
+
 bool create_local_private_krb5_conf_for_domain(const char *realm,
 						const char *domain,
 						const char *sitename,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index f92cabd757eb..aac8d311b394 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -61,6 +61,7 @@ int kerberos_kinit_password(const char *principal,
 			   const char *password,
 			   int time_offset,
 			   const char *cache_name);
+uint32_t kerberos_supported_encryption_types(void);
 bool create_local_private_krb5_conf_for_domain(const char *realm,
 						const char *domain,
 						const char *sitename,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 27fc5135442c..5a0834520820 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
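Review bot: kerberos_supported_encryption_types() returns 0 when the option is KERBEROS_ETYPES_STRONG on a build where neither HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 nor HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 is defined, and the gse_krb5.c hunk in this same commit treats an announced value of 0 as the legacy CRC32/MD5/RC4 set, so a "strong" configuration would end up advertised as the weakest one; the libnet_join.c hunk stores that same 0 into desired_encryption_types. At minimum make the empty result visible before returning, e.g. `if (encryption_types == 0) {` / `	DBG_WARNING("no supported kerberos encryption types\n");` / `}`. lp_kerberos_encryption_types() is also evaluated four times where one local would do, and the new public function has no header comment; I would add `/* ENC_* bitmask permitted by the lp_kerberos_encryption_types() setting; may be 0 */` above it.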
@@ -2361,15 +2361,7 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
 	ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
-	ctx->in.desired_encryption_types = ENC_CRC32 |
-					   ENC_RSA_MD5 |
-					   ENC_RC4_HMAC_MD5;
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-	ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-	ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
-#endif
+	ctx->in.desired_encryption_types = kerberos_supported_encryption_types();
 	*r = ctx;
diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index 172616ca3dc2..c64566f2d404 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -165,6 +165,8 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 	krb5_principal princ = NULL;
 	krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */
 	NTSTATUS status;
+	uint32_t announced_enc_types;
+	uint32_t supported_enc_types;
 	if (!secrets_init()) {
 		DEBUG(1, (__location__ ": secrets_init failed\n"));
@@ -182,7 +184,10 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 		return KRB5_LIBOS_CANTREADPWD;
 	}
 	ct = &info->password->cleartext_blob;
-
+	{
+		const char *str = secrets_domain_info_string(frame, info, domain, false);
+		DBG_ERR("%s\n", str);
+	}
 	if (info->domain_info.dns_domain.string != NULL) {
 		realm = strupper_talloc(frame, info->domain_info.dns_domain.string);
@@ -257,6 +262,31 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 		goto out;
 	}
+	/*
+	 * we use the effective configured value
+	 * instead of the one we stored on the domain controller.
+	 */
+	announced_enc_types = info->supported_enc_types;
+	if (announced_enc_types == 0) {
+		announced_enc_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+		if (lp_server_role() >= ROLE_ACTIVE_DIRECTORY_DC) {
+			/* DCs and RODCs comptuer accounts use AES */
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+			announced_enc_types |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+			announced_enc_types |= ENC_HMAC_SHA1_96_AES256;
+#endif
+		}
+	}
+	supported_enc_types = kerberos_supported_encryption_types();
+	if (announced_enc_types != supported_enc_types) {
+		DBG_NOTICE("announced_enc_types[0x%08X] != "
+			   "supported_enc_types[0x%08X]\n",
+			   (unsigned)announced_enc_types,
+			   (unsigned)supported_enc_types);
+	}
+
 	ret = fill_keytab_from_password(krbctx, *keytab, princ, kvno,
 					info->password);
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 1f055507ad72..ae2a03dbe978 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3599,6 +3599,15 @@ static void net_ads_enctype_dump_enctypes(const char *username,
 		ENC_HMAC_SHA1_96_AES256);
 }
+#if 0
+static void net_ads_enctype_secrets_update__enctypes(const char *domain,
+						     const char *enctype_str)
+{
+// int enctypes = atoi(enctype_str);
+
+}
+#endif
+
 static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
 {
 	int ret = -1;
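Review bot: The new comment says the effective configured value is used instead of the stored one, but the code that follows only compares announced_enc_types with supported_enc_types and logs a mismatch at NOTICE level; neither value is passed to fill_keytab_from_password() on the next lines, so the comment promises a substitution that does not happen. Either implement it or reword the comment to `/* Report when the enctypes announced to the DC differ from the configured set; the keytab is still filled from the stored password regardless. */`. The `announced_enc_types == 0` fallback re-implements the legacy+AES defaulting from kerberos.c's kerberos_supported_encryption_types() under a different rule (server role rather than the configured option), which deserves a one-line comment explaining why the two differ, and "comptuer" should read "computer". fill_mem_keytab_from_secrets() begins and ends outside this hunk.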
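Review bot: The `#if 0` block adds a stub with an empty body and a commented-out `atoi()` call, which is dead code that the compiler never sees; drop it from the commit or replace the body with a `/* TODO: ... */` stating what the function is meant to update. If it is later enabled, parse the string with `strtoul()` plus `endptr`/`errno` checks rather than `atoi()`, which silently yields 0 on malformed input and would leave the enctype bitmask empty without any error.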