From 322f27d7f7ef9f24a343bb7c41a52bf2c79f3af8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 17 Aug 2017 17:46:30 +0200
Subject: [PATCH] Revert "more enctypes..."

This reverts commit f5cfd4aa8b4dfb442f1abfc61ef66cdb0b8cd09a.
---
 source3/libads/kerberos.c | 22 ----------------------
 source3/libads/kerberos_proto.h | 1 -
 source3/libnet/libnet_join.c | 10 +++++++++-
 source3/librpc/crypto/gse_krb5.c | 32 +-------------------------------
 source3/utils/net_ads.c | 9 ---------
 5 files changed, 10 insertions(+), 64 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index bb6b91ee95e4..c8aa9191c7ee 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -599,28 +599,6 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
 }
 #endif
 
-uint32_t kerberos_supported_encryption_types(void)
-{
- uint32_t encryption_types = 0;
-
- if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
- lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- encryption_types |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
- encryption_types |= ENC_HMAC_SHA1_96_AES256;
-#endif
- }
-
- if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
- lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
- encryption_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
- }
-
- return encryption_types;
-}
-
 bool create_local_private_krb5_conf_for_domain(const char *realm,
 const char *domain,
 const char *sitename,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index aac8d311b394..f92cabd757eb 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -61,7 +61,6 @@ int kerberos_kinit_password(const char *principal,
 const char *password,
 int time_offset,
 const char *cache_name);
-uint32_t kerberos_supported_encryption_types(void);
 bool create_local_private_krb5_conf_for_domain(const char *realm,
 const char *domain,
 const char *sitename,
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 5a0834520820..27fc5135442c 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2361,7 +2361,15 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
 
 ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
 
- ctx->in.desired_encryption_types = kerberos_supported_encryption_types();
+ ctx->in.desired_encryption_types = ENC_CRC32 |
+ ENC_RSA_MD5 |
+ ENC_RC4_HMAC_MD5;
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
+#endif
 
 *r = ctx;
 
diff --git a/source3/librpc/crypto/gse_krb5.c b/source3/librpc/crypto/gse_krb5.c
index c64566f2d404..172616ca3dc2 100644
--- a/source3/librpc/crypto/gse_krb5.c
+++ b/source3/librpc/crypto/gse_krb5.c
@@ -165,8 +165,6 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 krb5_principal princ = NULL;
 krb5_kvno kvno = 0; /* FIXME: fetch current vno from KDC ? */
 NTSTATUS status;
- uint32_t announced_enc_types;
- uint32_t supported_enc_types;
 
 if (!secrets_init()) {
 DEBUG(1, (__location__ ": secrets_init failed\n"));
@@ -184,10 +182,7 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 return KRB5_LIBOS_CANTREADPWD;
 }
 ct = &info->password->cleartext_blob;
- {
- const char *str = secrets_domain_info_string(frame, info, domain, false);
- DBG_ERR("%s\n", str);
- }
+
 if (info->domain_info.dns_domain.string != NULL) {
 realm = strupper_talloc(frame,
 info->domain_info.dns_domain.string);
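Review bot: In the source3/libnet/libnet_join.c hunk, libnet_init_JoinCtx again builds `ctx->in.desired_encryption_types` from a fixed list that always contains `ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5`, so the join default no longer consults `lp_kerberos_encryption_types()` the way the removed kerberos_supported_encryption_types() did. A member configured for KERBEROS_ETYPES_STRONG would therefore still request the DES- and RC4-based types at join time, unless a caller overwrites the field after init, which this hunk does not show. If the revert has to stay, I would OR in the legacy bits only when `lp_kerberos_encryption_types() != KERBEROS_ETYPES_STRONG`, or at least put a comment above the assignment such as `/* NOTE: ignores "kerberos encryption types"; legacy DES/RC4 types are always requested here */`. The function body starts and ends outside the hunk.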
@@ -262,31 +257,6 @@ static krb5_error_code fill_mem_keytab_from_secrets(krb5_context krbctx,
 goto out;
 }
 
- /*
- * we use the effective configured value
- * instead of the one we stored on the domain controller.
- */
- announced_enc_types = info->supported_enc_types;
- if (announced_enc_types == 0) {
- announced_enc_types |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
- if (lp_server_role() >= ROLE_ACTIVE_DIRECTORY_DC) {
- /* DCs and RODCs comptuer accounts use AES */
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- announced_enc_types |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
- announced_enc_types |= ENC_HMAC_SHA1_96_AES256;
-#endif
- }
- }
- supported_enc_types = kerberos_supported_encryption_types();
- if (announced_enc_types != supported_enc_types) {
- DBG_NOTICE("announced_enc_types[0x%08X] != "
- "supported_enc_types[0x%08X]\n",
- (unsigned)announced_enc_types,
- (unsigned)supported_enc_types);
- }
-
 ret = fill_keytab_from_password(krbctx, *keytab,
 princ, kvno,
 info->password);
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index ae2a03dbe978..1f055507ad72 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3599,15 +3599,6 @@ static void net_ads_enctype_dump_enctypes(const char *username,
 ENC_HMAC_SHA1_96_AES256);
 }
 
-#if 0
-static void net_ads_enctype_secrets_update__enctypes(const char *domain,
- const char *enctype_str)
-{
-// int enctypes = atoi(enctype_str);
-
-}
-#endif
-
 static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
 {
 int ret = -1;
-- 
2.34.1