summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/sam.c1
-rw-r--r--source4/kdc/db-glue.c19
2 files changed, 19 insertions, 1 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index bdbf6906a3..0f97a19596 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -36,6 +36,7 @@
"userPrincipalName", \
"servicePrincipalName", \
"msDS-KeyVersionNumber", \
+ "msDS-SecondaryKrbTgtNumber" \
"msDS-SupportedEncryptionTypes", \
"supplementalCredentials", \
\
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 68f1e4b88b..bad3253502 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -212,6 +212,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
uint16_t i;
uint16_t allocated_keys = 0;
+ int rodc_krbtgt_number = 0;
+ bool is_rodc = false;
/* Supported Enc for this entry */
uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
@@ -225,7 +227,19 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
supported_enctypes);
- if (rid == DOMAIN_RID_KRBTGT) {
+ /* Is this the krbtgt or a RODC */
+
+ if (ldb_msg_find_element(msg, "msDS-SecondaryKrbTgtNumber")) {
+ is_rodc = true;
+
+ rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
+
+ if (rodc_krbtgt_number == -1) {
+ return EINVAL;
+ }
+ }
+
+ if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
/* Be double-sure never to use DES here */
supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
}
@@ -251,6 +265,9 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.len = 0;
entry_ex->entry.kvno = ldb_msg_find_attr_as_int(msg, "msDS-KeyVersionNumber", 0);
+ if (is_rodc) {
+ entry_ex->entry.kvno |= (rodc_krbtgt_number << 16);
+ }
/* Get keys from the db */