authorAndrew Bartlett <abartlet@samba.org>2010-11-16 21:01:22 +1100
committerAndrew Bartlett <abartlet@samba.org>2010-11-16 21:24:43 +0000
commitdeed2a935b0ebd615929e21ec423204d44ada067 (patch)
treec38b4dfca605607d91b36abff53a5ec8768af220 /source4
parentd451ac1f3ac7b391e3cb28dca8e665bf1e1beddd (diff)
s4-kdc Rework supported encryption type logic to match Microsoft
Thanks to Hongwei Sun for the clear description of the algorithm involved. Importantly, it isn't possible to remove encryption types from the list, only to add them over the defaults (DES and arcfour-hmac-md5, and additionally AES for DCs and RODCs). This changes the behaviour for entries with msDS-supportedEncryptionTypes: 0, which Angelos Oikonomopoulos reported finding set by ADUC when attempting to store cleartext passwords. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Nov 16 21:24:43 UTC 2010 on sn-devel-104
Diffstat (limited to 'source4')
-rw-r--r--source4/kdc/db-glue.c53
1 files changed, 16 insertions, 37 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index b062282c28..215b2300ed 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -214,35 +214,34 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
uint16_t i;
uint16_t allocated_keys = 0;
int rodc_krbtgt_number = 0;
- uint32_t supported_enctypes;
+ uint32_t supported_enctypes
+ = ldb_msg_find_attr_as_uint(msg,
+ "msDS-SupportedEncryptionTypes",
+ 0);
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
- /* KDCs (and KDCs on RODCs) use AES, but not DES */
- supported_enctypes = ENC_ALL_TYPES;
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ /* KDCs (and KDCs on RODCs) use AES */
+ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
- supported_enctypes = ENC_ALL_TYPES;
+ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
/* for AS-REQ the client chooses the enc types it
* supports, and this will vary between computers a
- * user logs in from. However, some accounts may be
- * banned from using DES, so allow the default to be
- * overridden
+ * user logs in from.
*
* likewise for 'any' return as much as is supported,
* to export into a keytab */
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- ENC_ALL_TYPES);
+ supported_enctypes = ENC_ALL_TYPES;
+ }
+
+ /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
+ if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+ supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
} else {
- /* However, if this is a TGS-REQ, then lock it down to
- * a reasonable guess as to what the server can decode
- * - we must use whatever is in
- * "msDS-SupportedEncryptionTypes", or the 'old' set
- * of keys (ie, what Windows 2000 supported) */
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5);
+ /* Otherwise, add in the default enc types */
+ supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
}
/* Is this the krbtgt or a RODC krbtgt */
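Review bot: With the old krbtgt/trust restriction removed and the final `else` branch unconditionally OR-ing in `ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5`, the krbtgt and trust entries now always carry DES keys, so a client that negotiates des-cbc-crc or des-cbc-md5 can obtain a DES-protected TGT or cross-realm ticket — exactly the case the deleted comment called "too dangerous". The commit message explains this mirrors Windows, where the attribute can only add types, but nothing in the new code records that trade-off or leaves an operator any way to refuse DES for these accounts; I would at least add above the `|=` line: `/* NOTE: this also gives the krbtgt and trust accounts DES keys; matches Windows, but there is no longer any per-account way to refuse DES for TGTs */`. Separately, the raw msDS-SupportedEncryptionTypes value is the starting point and is never masked, so any bits in that attribute that are not encryption types propagate into supported_enctypes; that is harmless only if every later consumer tests individual known bits (which I cannot see from here), otherwise `supported_enctypes &= ENC_ALL_TYPES;` right after the attribute read would be the safe form. The body of samba_kdc_message2entry_keys continues past both ends of this hunk.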
@@ -255,26 +254,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
- /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
- if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- /* However, this still won't allow use of DES, if we
- * were told not to by msDS-SupportedEncTypes */
- supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
- } else {
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- /* Unless a very special effort it made,
- * disallow trust tickets to be DES encrypted,
- * it's just too dangerous */
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
- break;
- default:
- break;
- /* No further restrictions */
- }
- }
-
entry_ex->entry.keys.val = NULL;
entry_ex->entry.keys.len = 0;