summaryrefslogtreecommitdiff
path: root/source4/kdc
diff options
context:
space:
mode:
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/db-glue.c53
1 files changed, 16 insertions, 37 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index b062282c28..215b2300ed 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -214,35 +214,34 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
uint16_t i;
uint16_t allocated_keys = 0;
int rodc_krbtgt_number = 0;
- uint32_t supported_enctypes;
+ uint32_t supported_enctypes
+ = ldb_msg_find_attr_as_uint(msg,
+ "msDS-SupportedEncryptionTypes",
+ 0);
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
- /* KDCs (and KDCs on RODCs) use AES, but not DES */
- supported_enctypes = ENC_ALL_TYPES;
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ /* KDCs (and KDCs on RODCs) use AES */
+ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
- supported_enctypes = ENC_ALL_TYPES;
+ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
/* for AS-REQ the client chooses the enc types it
* supports, and this will vary between computers a
- * user logs in from. However, some accounts may be
- * banned from using DES, so allow the default to be
- * overridden
+ * user logs in from.
*
* likewise for 'any' return as much as is supported,
* to export into a keytab */
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- ENC_ALL_TYPES);
+ supported_enctypes = ENC_ALL_TYPES;
+ }
+
+ /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
+ if (userAccountControl & UF_USE_DES_KEY_ONLY) {
+ supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
} else {
- /* However, if this is a TGS-REQ, then lock it down to
- * a reasonable guess as to what the server can decode
- * - we must use whatever is in
- * "msDS-SupportedEncryptionTypes", or the 'old' set
- * of keys (ie, what Windows 2000 supported) */
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5);
+ /* Otherwise, add in the default enc types */
+ supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
}
/* Is this the krbtgt or a RODC krbtgt */
@@ -255,26 +254,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
- /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
- if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- /* However, this still won't allow use of DES, if we
- * were told not to by msDS-SupportedEncTypes */
- supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
- } else {
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- /* Unless a very special effort it made,
- * disallow trust tickets to be DES encrypted,
- * it's just too dangerous */
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
- break;
- default:
- break;
- /* No further restrictions */
- }
- }
-
entry_ex->entry.keys.val = NULL;
entry_ex->entry.keys.len = 0;