From 7b9a6645b11dff64e04c2ddb0cabc9145c0f029f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Oct 2010 05:25:26 +1000 Subject: s4-kdc Rework 'allowed encryption types' handling in the KDC All DCs and all krbtgt servers are forced to use AES, regardless of the msDS-SecondaryKrbTgtNumber value. Andrew Bartlett --- source4/kdc/db-glue.c | 72 +++++++++++++++++++++++++++++++-------------------- 1 file changed, 44 insertions(+), 28 deletions(-) (limited to 'source4/kdc/db-glue.c') diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 2f416c9ffa..581328d864 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -214,21 +214,38 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, uint16_t i; uint16_t allocated_keys = 0; int rodc_krbtgt_number = 0; + uint32_t supported_enctypes; - /* Supported Enc for this entry */ - uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */ - - /* However, if this is a TGS-REQ, then lock it down to a - * reasonable guess as to what the server can decode. The - * krbtgt is special - default to use what is stored for the KDC */ - if (rid != DOMAIN_RID_KRBTGT && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) { - /* This is the standard set for a server that has not declared a msDS-SupportedEncryptionTypes */ - supported_enctypes = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; + if (rid == DOMAIN_RID_KRBTGT || is_rodc) { + /* KDCs (and KDCs on RODCs) use AES, but not DES */ + supported_enctypes = ENC_ALL_TYPES; + supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5); + } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) { + /* DCs and RODCs comptuer accounts use AES */ + supported_enctypes = ENC_ALL_TYPES; + } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || + (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) { + /* for AS-REQ the client chooses the enc types it + * supports, and this will vary between computers a + * user logs in from. However, some accounts may be + * banned from using DES, so allow the default to be + * overridden + * + * likewise for 'any' return as much as is supported, + * to export into a keytab */ + supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", + ENC_ALL_TYPES); + } else { + /* However, if this is a TGS-REQ, then lock it down to + * a reasonable guess as to what the server can decode + * - we must use whatever is in + * "msDS-SupportedEncryptionTypes", or the 'old' set + * of keys (ie, what Windows 2000 supported) */ + supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", + ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5); } - supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", - supported_enctypes); - /* Is this the krbtgt or a RODC */ + /* Is this the krbtgt or a RODC krbtgt */ if (is_rodc) { rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1); @@ -237,26 +254,25 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, } } - if (rid == DOMAIN_RID_KRBTGT || is_rodc) { - /* Be double-sure never to use DES here */ - supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5); - } - - switch (ent_type) { - case SAMBA_KDC_ENT_TYPE_KRBTGT: - case SAMBA_KDC_ENT_TYPE_TRUST: - /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */ - supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5); - break; - default: - break; - /* No further restrictions */ - } /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ if (userAccountControl & UF_USE_DES_KEY_ONLY) { - /* However, don't allow use of DES, if we were told not to by msDS-SupportedEncTypes */ + /* However, this still won't allow use of DES, if we + * were told not to by msDS-SupportedEncTypes */ supported_enctypes &= ENC_CRC32|ENC_RSA_MD5; + } else { + switch (ent_type) { + case SAMBA_KDC_ENT_TYPE_KRBTGT: + case SAMBA_KDC_ENT_TYPE_TRUST: + /* Unless a very special effort it made, + * disallow trust tickets to be DES encrypted, + * it's just too dangerous */ + supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5); + break; + default: + break; + /* No further restrictions */ + } } entry_ex->entry.keys.val = NULL; -- cgit