author | Andrew Bartlett <abartlet@samba.org> | 2010-06-28 23:14:23 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-06-29 16:59:22 +1000 |
commit | 94637e5fe4724261f1cd5f48d8641e82f4b776ae (patch) | |
tree | 464543f76ff008cd724ed44c207934c0cb5303dd | |
parent | 30dc87dab98a864ea640fb1df693b6eb8df6a920 (diff) | |
s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
This ensures that our DC will use all the available encryption types.
(The KDC reads this entry to determine what the server supports)
Andrew Bartlett
-rw-r--r-- | source4/auth/kerberos/kerberos.h | 3 | ||||
-rw-r--r-- | source4/dsdb/pydsdb.c | 17 | ||||
-rw-r--r-- | source4/scripting/python/samba/provision.py | 17 |
3 files changed, 35 insertions, 2 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 96c11a4ce1..7e3a7865d6 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -53,6 +53,9 @@ struct keytab_container {
 #define KRB5_KEY_DATA(k) ((k)->contents)
 #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \
+ ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
+
 #ifndef HAVE_KRB5_SET_REAL_TIME
 krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
 #endif
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 4060b327af..6966762c14 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -24,7 +24,8 @@
 #include "lib/ldb/pyldb.h"
 #include "libcli/security/security.h"
 #include "librpc/ndr/libndr.h"
-
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
 /* FIXME: These should be in a header file somewhere, once we finish moving
 * away from SWIG .. */
 #define PyErr_LDB_OR_RAISE(py_ldb, ldb) \
@@ -578,4 +579,18 @@ void initdsdb(void)
 PyInt_FromLong(DS_DOMAIN_FUNCTION_2008));
 PyModule_AddObject(m, "DS_DOMAIN_FUNCTION_2008_R2",
 PyInt_FromLong(DS_DOMAIN_FUNCTION_2008_R2));
+
+ /* Kerberos encryption type constants */
+ PyModule_AddObject(m, "ENC_ALL_TYPES",
+ PyInt_FromLong(ENC_ALL_TYPES));
+ PyModule_AddObject(m, "ENC_CRC32",
+ PyInt_FromLong(ENC_CRC32));
+ PyModule_AddObject(m, "ENC_RSA_MD5",
+ PyInt_FromLong(ENC_RSA_MD5));
+ PyModule_AddObject(m, "ENC_RC4_HMAC_MD5",
+ PyInt_FromLong(ENC_RC4_HMAC_MD5));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES128",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES128));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES256",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES256));
 }
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 14615d0819..131d4ffd6c 100644
--- a/source4/scripting/python/samba/provision.py
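Review bot: ENC_ALL_TYPES folds ENC_CRC32 and ENC_RSA_MD5 — the bits for the legacy single-DES enctypes in the msDS-SupportedEncryptionTypes layout — together with RC4 and the two AES types, and the provision.py hunk of this commit stores the value unchanged on the DC's computer object, so a freshly provisioned DC advertises DES support by default. That is a defensible compatibility choice, but the macro does not say so, and the only hint that the set is meant to be narrowed later is a comment in provision.py; a reader of the header should not have to find it there. I would document it on the macro itself, e.g. `/* Every enctype this build can handle, including the legacy single-DES types (ENC_CRC32, ENC_RSA_MD5); mask those out where only strong types are wanted. */`. A second macro next to it holding just RC4 and the two AES bits (say ENC_STRONG_TYPES) would make the configuration switch the provision.py comment anticipates a one-line change.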
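Review bot: The six new PyModule_AddObject calls in initdsdb discard the return value, matching the DS_DOMAIN_FUNCTION_* lines above them; PyModule_AddObject only takes ownership of the value on success, so on a failure (it returns -1) the PyInt from PyInt_FromLong leaks and module init carries on with an exception pending. This is the file's existing pattern rather than something the commit introduces, so a per-call fix here would be inconsistent; a follow-up could route all of these through one small helper that checks the result, or at least a comment at the top of the new group could record that the unchecked style is deliberate. The enclosing initdsdb function starts outside the hunk.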
+++ b/source4/scripting/python/samba/provision.py
@@ -43,7 +43,7 @@ from samba.auth import system_session, admin_session
 import samba
 from samba import version, Ldb, substitute_var, valid_netbios_name
 from samba import check_all_substituted, read_and_sub_file, setup_file
-from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2, ENC_ALL_TYPES
 from samba.dcerpc import security
 from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
 from samba.idmap import IDmapDB
@@ -1495,6 +1495,21 @@ def provision(setup_dir, logger, session_info,
 machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC)
+ # Now set up the right msDS-SupportedEncryptionTypes into the DB
+ # In future, this might be determined from some configuration
+ kerberos_enctypes = str(ENC_ALL_TYPES)
+
+ try:
+ msg = ldb.Message(ldb.Dn(samdb, samdb.searchone("distinguishedName", expression="samAccountName=%s$" % names.netbiosname, scope=ldb.SCOPE_SUBTREE)))
+ msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(elements=kerberos_enctypes,
+ flags=ldb.FLAG_MOD_REPLACE,
+ name="msDS-SupportedEncryptionTypes")
+ samdb.modify(msg)
+ except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):
+ # It might be that this attribute does not exist in this schema
+ pass
+
+
 if serverrole == "domain controller":
 secretsdb_setup_dns(secrets_ldb, setup_path, paths.private_dir, |