author | Andrew Bartlett <abartlet@samba.org> | 2010-06-28 23:14:23 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-06-29 16:59:22 +1000 |
commit | 94637e5fe4724261f1cd5f48d8641e82f4b776ae (patch) | |
tree | 464543f76ff008cd724ed44c207934c0cb5303dd /source4/scripting | |
parent | 30dc87dab98a864ea640fb1df693b6eb8df6a920 (diff) | |
s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
This ensures that our DC will use all the available encryption types.
(The KDC reads this entry to determine what the server supports)
Andrew Bartlett
Diffstat (limited to 'source4/scripting')
-rw-r--r-- | source4/scripting/python/samba/provision.py | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py index 14615d0819..131d4ffd6c 100644 --- a/source4/scripting/python/samba/provision.py +++ b/source4/scripting/python/samba/provision.py @@ -43,7 +43,7 @@ from samba.auth import system_session, admin_session import samba from samba import version, Ldb, substitute_var, valid_netbios_name from samba import check_all_substituted, read_and_sub_file, setup_file -from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2 +from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2, ENC_ALL_TYPES from samba.dcerpc import security from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA from samba.idmap import IDmapDB @@ -1495,6 +1495,21 @@ def provision(setup_dir, logger, session_info, machinepass=machinepass, secure_channel_type=SEC_CHAN_BDC) + # Now set up the right msDS-SupportedEncryptionTypes into the DB + # In future, this might be determined from some configuration + kerberos_enctypes = str(ENC_ALL_TYPES) + + try: + msg = ldb.Message(ldb.Dn(samdb, samdb.searchone("distinguishedName", expression="samAccountName=%s$" % names.netbiosname, scope=ldb.SCOPE_SUBTREE))) + msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(elements=kerberos_enctypes, + flags=ldb.FLAG_MOD_REPLACE, + name="msDS-SupportedEncryptionTypes") + samdb.modify(msg) + except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _): + # It might be that this attribute does not exist in this schema + pass + + if serverrole == "domain controller": secretsdb_setup_dns(secrets_ldb, setup_path, paths.private_dir, |
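Review bot: The `except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):` clause in the second hunk does not filter on the error code. In Python 2 the tuple after the comma is an assignment target, so every LdbError raised by the `searchone` or `modify` call is caught and dropped, and `ldb.ERR_NO_SUCH_ATTRIBUTE` is rebound to whatever code was raised. A failed write then leaves the DC account without msDS-SupportedEncryptionTypes and provisioning reports nothing. Bind the code to a local and re-raise the rest: `except ldb.LdbError, (enum, estr):` followed by `if enum != ldb.ERR_NO_SUCH_ATTRIBUTE: raise`. Separately, `str(ENC_ALL_TYPES)` is hard-coded, so any legacy types that constant includes are advertised for the DC until the configuration option the comment mentions exists; provision() starts and ends outside this hunk.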