s4-kdc Rework supported encryption type logic to match Microsoft

Thanks to Hongwei Sun for the clear description of the algorithim
involved.  Importantly, it isn't possible to remove encryption types
from the list, only to add them over the defaults (DES and
arcfour-hmac-md5, and additional AES for DCs and RODCs).

This changes the behaviour for entries with
msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos
reported finding set by ADUC when attempting to store cleartext
passwords.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104

1 files changed, 16 insertions, 37 deletions

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index b062282c28..215b2300ed 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -214,35 +214,34 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	uint16_t i;
 	uint16_t allocated_keys = 0;
 	int rodc_krbtgt_number = 0;
-	uint32_t supported_enctypes;
+	uint32_t supported_enctypes
+		= ldb_msg_find_attr_as_uint(msg,
+					    "msDS-SupportedEncryptionTypes",
+					    0);
 
 	if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
-		/* KDCs (and KDCs on RODCs) use AES, but not DES */
-		supported_enctypes = ENC_ALL_TYPES;
-		supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+		/* KDCs (and KDCs on RODCs) use AES */
+		supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
 	} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
 		/* DCs and RODCs comptuer accounts use AES */
-		supported_enctypes = ENC_ALL_TYPES;
+		supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
 	} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
 		   (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
 		/* for AS-REQ the client chooses the enc types it
 		 * supports, and this will vary between computers a
-		 * user logs in from.  However, some accounts may be
-		 * banned from using DES, so allow the default to be
-		 * overridden
+		 * user logs in from.
 		 *
 		 * likewise for 'any' return as much as is supported,
 		 * to export into a keytab */
-		supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
-							       ENC_ALL_TYPES);
+		supported_enctypes = ENC_ALL_TYPES;
+	}
+
+	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
+	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+		supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
 	} else {
-		/* However, if this is a TGS-REQ, then lock it down to
-		 * a reasonable guess as to what the server can decode
-		 * - we must use whatever is in
-		 * "msDS-SupportedEncryptionTypes", or the 'old' set
-		 * of keys (ie, what Windows 2000 supported) */
-		supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
-							       ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5);
+		/* Otherwise, add in the default enc types */
+		supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
 	}
 
 	/* Is this the krbtgt or a RODC krbtgt */
@@ -255,26 +254,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 	}
 
 
-	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
-	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-		/* However, this still won't allow use of DES, if we
-		 * were told not to by msDS-SupportedEncTypes */
-		supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
-	} else {
-		switch (ent_type) {
-		case SAMBA_KDC_ENT_TYPE_KRBTGT:
-		case SAMBA_KDC_ENT_TYPE_TRUST:
-			/* Unless a very special effort it made,
-			 * disallow trust tickets to be DES encrypted,
-			 * it's just too dangerous */
-			supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
-			break;
-		default:
-			break;
-			/* No further restrictions */
-		}
-	}
-
 	entry_ex->entry.keys.val = NULL;
 	entry_ex->entry.keys.len = 0;