authorAndrew Bartlett <abartlet@samba.org>2010-06-28 23:14:23 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-06-29 16:59:22 +1000
commit94637e5fe4724261f1cd5f48d8641e82f4b776ae (patch)
tree464543f76ff008cd724ed44c207934c0cb5303dd /source4
parent30dc87dab98a864ea640fb1df693b6eb8df6a920 (diff)
downloadsamba-94637e5fe4724261f1cd5f48d8641e82f4b776ae.tar.gz
samba-94637e5fe4724261f1cd5f48d8641e82f4b776ae.tar.bz2
samba-94637e5fe4724261f1cd5f48d8641e82f4b776ae.zip
s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
This ensures that our DC will use all the available encryption types. (The KDC reads this entry to determine what the server supports) Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/kerberos/kerberos.h3
-rw-r--r--source4/dsdb/pydsdb.c17
-rw-r--r--source4/scripting/python/samba/provision.py17
3 files changed, 35 insertions, 2 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 96c11a4ce1..7e3a7865d6 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -53,6 +53,9 @@ struct keytab_container {
#define KRB5_KEY_DATA(k) ((k)->contents)
#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \
+ ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
+
#ifndef HAVE_KRB5_SET_REAL_TIME
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
#endif
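Review bot: ENC_ALL_TYPES ORs the single-DES types (ENC_CRC32, ENC_RSA_MD5) and RC4 in with the AES types, and because provision.py in this same commit writes the mask verbatim into msDS-SupportedEncryptionTypes, the KDC is being told it may issue service tickets for the DC keyed with those legacy enctypes. That may be the intended compatibility posture, but the macro name hides it, and the value is now also exported to Python where it will read as a safe default; a comment at the definition would make the trade-off explicit: `/* Every enctype we implement, INCLUDING single-DES and RC4; a caller that advertises this mask (e.g. in msDS-SupportedEncryptionTypes) is opting in to weak ticket keys. */`. The bit values of the individual ENC_* flags are defined outside this hunk, so whether they line up with the AD attribute's bit layout cannot be confirmed from here.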
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 4060b327af..6966762c14 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -24,7 +24,8 @@
#include "lib/ldb/pyldb.h"
#include "libcli/security/security.h"
#include "librpc/ndr/libndr.h"
-
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
/* FIXME: These should be in a header file somewhere, once we finish moving
* away from SWIG .. */
#define PyErr_LDB_OR_RAISE(py_ldb, ldb) \
@@ -578,4 +579,18 @@ void initdsdb(void)
PyInt_FromLong(DS_DOMAIN_FUNCTION_2008));
PyModule_AddObject(m, "DS_DOMAIN_FUNCTION_2008_R2",
PyInt_FromLong(DS_DOMAIN_FUNCTION_2008_R2));
+
+ /* Kerberos encryption type constants */
+ PyModule_AddObject(m, "ENC_ALL_TYPES",
+ PyInt_FromLong(ENC_ALL_TYPES));
+ PyModule_AddObject(m, "ENC_CRC32",
+ PyInt_FromLong(ENC_CRC32));
+ PyModule_AddObject(m, "ENC_RSA_MD5",
+ PyInt_FromLong(ENC_RSA_MD5));
+ PyModule_AddObject(m, "ENC_RC4_HMAC_MD5",
+ PyInt_FromLong(ENC_RC4_HMAC_MD5));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES128",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES128));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES256",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES256));
}
diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
index 14615d0819..131d4ffd6c 100644
--- a/source4/scripting/python/samba/provision.py
+++ b/source4/scripting/python/samba/provision.py
@@ -43,7 +43,7 @@ from samba.auth import system_session, admin_session
import samba
from samba import version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted, read_and_sub_file, setup_file
-from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2, ENC_ALL_TYPES
from samba.dcerpc import security
from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
from samba.idmap import IDmapDB
@@ -1495,6 +1495,21 @@ def provision(setup_dir, logger, session_info,
machinepass=machinepass,
secure_channel_type=SEC_CHAN_BDC)
+ # Now set up the right msDS-SupportedEncryptionTypes into the DB
+ # In future, this might be determined from some configuration
+ kerberos_enctypes = str(ENC_ALL_TYPES)
+
+ try:
+ msg = ldb.Message(ldb.Dn(samdb, samdb.searchone("distinguishedName", expression="samAccountName=%s$" % names.netbiosname, scope=ldb.SCOPE_SUBTREE)))
+ msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(elements=kerberos_enctypes,
+ flags=ldb.FLAG_MOD_REPLACE,
+ name="msDS-SupportedEncryptionTypes")
+ samdb.modify(msg)
+ except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):
+ # It might be that this attribute does not exist in this schema
+ pass
+
+
if serverrole == "domain controller":
secretsdb_setup_dns(secrets_ldb, setup_path,
paths.private_dir,
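Review bot: The clause `except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):` is not a pattern match: under Python 2 the tuple after the comma is an assignment target, so on any LdbError the first error argument is stored into `ldb.ERR_NO_SUCH_ATTRIBUTE` (clobbering the module constant for the rest of provisioning) and the exception is then swallowed, whatever its code. A failed modify for access or schema reasons, or a missing DC account, would therefore pass silently and leave the DC without the attribute while the KDC is reading it to choose enctypes. The idiom used elsewhere in this file is to bind and compare: `except ldb.LdbError, (num, estr):` / `    if num != ldb.ERR_NO_SUCH_ATTRIBUTE:` / `        raise`. Note also that `samdb.searchone` may return None when the account is not found, which makes `ldb.Dn` raise a non-LdbError rather than hitting this handler at all, and that `names.netbiosname` is interpolated into an LDAP filter without escaping — presumably it has already passed valid_netbios_name, but that check is not visible in the hunk. The enclosing provision() starts and ends outside this hunk.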