diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-08-10 08:25:02 +1000 |
|---|---|---|
| committer | Simo Sorce <idra@samba.org> | 2010-08-13 09:08:27 -0400 |
| commit | 71d80e6be0687ac7c2f3caab5e7b8caf400fe37e (patch) | |
| tree | a30d558e704bac324809908c55a93bc17cb0c436 /source3/configure.in | |
| parent | fff6fa72ffa7890cee516bd7e65b50bdb8daf51d (diff) | |
| download | samba-71d80e6be0687ac7c2f3caab5e7b8caf400fe37e.tar.gz samba-71d80e6be0687ac7c2f3caab5e7b8caf400fe37e.tar.bz2 samba-71d80e6be0687ac7c2f3caab5e7b8caf400fe37e.zip | |
s3-krb5 Only build ADS support if arcfour-hmac-md5 is available
Modern Kerberos implementations have either defines or enums for these
key types, which makes doing #ifdef difficult. This shows up in files
such as libnet_samsync_keytab.c, the bulk of which is not compiled on
current Fedora 12, for example.
The downside is that this makes Samba unconditionally depend on the
arcfour-hmac-md5 encryption type at build time. We will no longer
support libraries that only support the DES based encryption types.
However, the single-DES types that are supported in common with AD are
already painfully weak - so much so that they are disabled by default
in modern Kerberos libraries.
If not found, ADS support will not be compiled in.
This means that our 'net ads join' will no longer set the
ACB_USE_DES_KEY_ONLY flag, and we will always try to use
arcfour-hmac-md5.
A future improvement would be to remove the use of the DES encryption
types totally, but this would require that any ACB_USE_DES_KEY_ONLY
flag be removed from existing joins.
Andrew Bartlett
Signed-off-by: Simo Sorce <idra@samba.org>
Diffstat (limited to 'source3/configure.in')
| -rw-r--r-- | source3/configure.in | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/source3/configure.in b/source3/configure.in index 6b736712d8..b4564eec08 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -4040,6 +4040,7 @@ if test x"$with_ads_support" != x"no"; then [Whether the krb5_keyblock struct has a keyvalue property]) fi + found_arcfour_hmac=no AC_CACHE_CHECK([for ENCTYPE_ARCFOUR_HMAC_MD5], samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5,[ AC_TRY_COMPILE([#include <krb5.h>], @@ -4057,7 +4058,19 @@ if test x"$with_ads_support" != x"no"; then if test x"$samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC_MD5" = x"yes" -a\ x"$samba_cv_HAVE_KEYTYPE_ARCFOUR_56" = x"yes"; then AC_DEFINE(HAVE_ENCTYPE_ARCFOUR_HMAC_MD5,1, - [Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type is available]) + [Whether the ENCTYPE_ARCFOUR_HMAC_MD5 key type definition is available]) + found_arcfour_hmac=yes + fi + AC_CACHE_CHECK([for ENCTYPE_ARCFOUR_HMAC], + samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC,[ + AC_TRY_COMPILE([#include <krb5.h>], + [krb5_enctype enctype; enctype = ENCTYPE_ARCFOUR_HMAC;], + samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC=yes, + samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC=no)]) + if test x"$samba_cv_HAVE_ENCTYPE_ARCFOUR_HMAC" = x"yes"; then + AC_DEFINE(HAVE_ENCTYPE_ARCFOUR_HMAC,1, + [Whether the ENCTYPE_ARCFOUR_HMAC key type definition is available]) + found_arcfour_hmac=yes fi AC_CACHE_CHECK([for AP_OPTS_USE_SUBKEY], @@ -4300,6 +4313,11 @@ if test x"$with_ads_support" != x"no"; then # NOTE: all tests should be done before this block! # # + if test x"$found_arcfour_hmac" != x"yes"; then + AC_MSG_WARN(arcfour-hmac-md5 encryption type not found in -lkrb5) + use_ads=no + fi + if test x"$ac_cv_lib_ext_krb5_krb5_mk_req_extended" != x"yes"; then AC_MSG_WARN(krb5_mk_req_extended not found in -lkrb5) use_ads=no |