authorAndrew Bartlett <abartlet@samba.org>2010-09-28 12:49:44 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-09-29 04:23:07 +1000
commit85f7bce865e611c5d18b67a3f34723f7da7df92e (patch)
tree8671a43fb467ef08132d1630a387c3937150a10b
parent8b57482fa8bfff901c08dbfa4b722b291862c372 (diff)
s4-kdc Use msDS-SecondaryKrbTgtNumber to fill in the full KVNO
Andrew Bartlett
-rw-r--r--source4/auth/sam.c1
-rw-r--r--source4/kdc/db-glue.c19
2 files changed, 19 insertions, 1 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index bdbf6906a3..0f97a19596 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -36,6 +36,7 @@
"userPrincipalName", \
"servicePrincipalName", \
"msDS-KeyVersionNumber", \
+ "msDS-SecondaryKrbTgtNumber" \
"msDS-SupportedEncryptionTypes", \
"supplementalCredentials", \
\
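Review bot: The added entry `+ "msDS-SecondaryKrbTgtNumber" \` has no trailing comma, so C adjacent-string-literal concatenation fuses it with the following line into one name, `"msDS-SecondaryKrbTgtNumbermsDS-SupportedEncryptionTypes"`. The backslash continuations suggest this is a macro listing the attributes requested from the directory; if so, neither msDS-SecondaryKrbTgtNumber nor msDS-SupportedEncryptionTypes is ever fetched, and the new RODC detection in db-glue.c (which keys off ldb_msg_find_element for the former) silently never fires, while the enctype lookup falls back to its default. The fix is `"msDS-SecondaryKrbTgtNumber", \`. The macro this list belongs to begins and ends outside the hunk, so its name and use cannot be confirmed from here.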
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 68f1e4b88b..bad3253502 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -212,6 +212,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
uint16_t i;
uint16_t allocated_keys = 0;
+ int rodc_krbtgt_number = 0;
+ bool is_rodc = false;
/* Supported Enc for this entry */
uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
@@ -225,7 +227,19 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
supported_enctypes);
- if (rid == DOMAIN_RID_KRBTGT) {
+ /* Is this the krbtgt or a RODC */
+
+ if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
+ is_rodc = true;
+
+ rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
+
+ if (rodc_krbtgt_number == -1) {
+ return EINVAL;
+ }
+ }
+
+ if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
/* Be double-sure never to use DES here */
supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
}
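Review bot: After `rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);` the value is only rejected when it equals the -1 sentinel, yet the later hunk does `entry_ex->entry.kvno |= (rodc_krbtgt_number << 16);` with it. A directory value outside 0..65535 is therefore accepted: a negative one makes the left shift undefined behaviour on a signed int, and one above 16 bits spills past the field and can collide with another RODC's kvno space. Since this number is read from the database rather than computed locally, it should be range-checked where it is parsed, e.g. replace the existing check with `if (rodc_krbtgt_number < 0 || rodc_krbtgt_number > UINT16_MAX) { return EINVAL; }` (which still covers the -1 default). The enclosing samba_kdc_message2entry_keys body starts and ends outside this hunk.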
@@ -251,6 +265,9 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.len = 0;
entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
+ if (is_rodc) {
+ entry_ex->entry.kvno |= (rodc_krbtgt_number << 16);
+ }
/* Get keys from the db */