author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-12-24 16:59:12 +1300 |
committer | Joseph Sutton <jsutton@samba.org> | 2022-01-19 20:50:35 +0000 |
commit | cb382f7cddebabde3dac2b4bdb50d5b864463abf (patch) | |
tree | 8b641119c3e4bd3a41fe6a3ca936f42bac0e4182 | |
parent | 6c2a97d3b29ba14ff43840f3c7b146960f0f1665 (diff) | |
s4:kdc: Set supported enctypes in KDC entry
This allows us to return the supported enctypes to the client as
PA-SUPPORTED-ENCTYPES padata.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source4/kdc/db-glue.c | 34 | ||||
-rw-r--r-- | source4/kdc/samba_kdc.h | 1 |
2 files changed, 31 insertions, 4 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bef8bd4f454..8d17038cfe6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -424,7 +424,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 bool is_rodc,
 uint32_t userAccountControl,
 enum samba_kdc_ent_type ent_type,
- struct sdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex,
+ uint32_t *supported_enctypes_out)
 {
 krb5_error_code ret = 0;
 enum ndr_err_code ndr_err;
@@ -444,10 +445,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes", 0);
+ *supported_enctypes_out = 0;
 if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
 /* KDCs (and KDCs on RODCs) use AES */
 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
+
+ /* KDCs support FAST */
+ supported_enctypes |= ENC_FAST_SUPPORTED;
 } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
 /* DCs and RODCs comptuer accounts use AES */
 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
@@ -488,6 +493,9 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 ret = samba_kdc_set_random_keys(context, kdc_db_ctx, entry_ex);
+
+ *supported_enctypes_out = supported_enctypes;
+
 goto out;
 }
@@ -628,15 +636,19 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
 entry_ex->entry.keys.len++;
+
+ *supported_enctypes_out |= ENC_RC4_HMAC_MD5;
 }
 if (pkb4) {
 for (i=0; i < pkb4->num_keys; i++) {
 struct sdb_key key = {};
+ uint32_t enctype_bit;
 if (!pkb4->keys[i].value) continue;
- if (!(kerberos_enctype_to_bitmap(pkb4->keys[i].keytype) & supported_enctypes)) {
+ enctype_bit = kerberos_enctype_to_bitmap(pkb4->keys[i].keytype);
+ if (!(enctype_bit & supported_enctypes)) {
 continue;
 }
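Review bot: The new `supported_enctypes_out` parameter added to the samba_kdc_message2entry_keys() signature carries a non-obvious contract that the hunk leaves undocumented: judging by the later hunks it is cleared to 0 on entry, a bit is OR-ed in only after a key has actually been appended to entry_ex->entry.keys, and the FAST/compound-identity/claims flags are merged in from the msDS-SupportedEncryptionTypes mask at the end. A comment on the prototype would spare the next reader reconstructing that, e.g. `/* supported_enctypes_out: bitmap of enctypes for which a key was stored in entry_ex, plus the FAST/COMPOUND_IDENTITY/CLAIMS flags from msDS-SupportedEncryptionTypes */`. The function body continues well past this hunk.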
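Review bot: On the samba_kdc_set_random_keys() path the hunk reports the whole mask with `*supported_enctypes_out = supported_enctypes;`, whereas the regular path further down only reports bits for enctypes whose key was actually appended and adds the FAST-style flags separately. If samba_kdc_set_random_keys() does not create a key for every enctype in the mask — its body is not visible here — the client could be told about enctypes the entry has no key for. Either derive the value from the keys that were generated, or make the assumption explicit next to the assignment: `/* samba_kdc_set_random_keys() is assumed to create a key for every enctype in supported_enctypes, so the full mask is reported — TODO confirm */`. The enclosing if-block begins before this hunk.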
@@ -687,14 +699,18 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
 entry_ex->entry.keys.len++;
+
+ *supported_enctypes_out |= enctype_bit;
 }
 } else if (pkb3) {
 for (i=0; i < pkb3->num_keys; i++) {
 struct sdb_key key = {};
+ uint32_t enctype_bit;
 if (!pkb3->keys[i].value) continue;
- if (!(kerberos_enctype_to_bitmap(pkb3->keys[i].keytype) & supported_enctypes)) {
+ enctype_bit = kerberos_enctype_to_bitmap(pkb3->keys[i].keytype);
+ if (!(enctype_bit & supported_enctypes)) {
 continue;
 }
@@ -743,9 +759,16 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
 entry_ex->entry.keys.len++;
+
+ *supported_enctypes_out |= enctype_bit;
 }
 }
+ /* Set FAST support bits */
+ *supported_enctypes_out |= supported_enctypes & (ENC_FAST_SUPPORTED | ENC_COMPOUND_IDENTITY_SUPPORTED | ENC_CLAIMS_SUPPORTED);
+
 out:
 if (ret != 0) {
 entry_ex->entry.keys.len = 0;
@@ -838,6 +861,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 krb5_boolean is_computer = FALSE;
 struct samba_kdc_entry *p;
+ uint32_t supported_enctypes = 0;
 NTTIME acct_expiry;
 NTSTATUS status;
@@ -1216,13 +1240,14 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 /* Get keys from the db */
 ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg, rid, is_rodc, userAccountControl,
- ent_type, entry_ex);
+ ent_type, entry_ex, &supported_enctypes);
 if (ret) {
 /* Could be bogus data in the entry, or out of memory */
 goto out;
 }
 p->msg = talloc_steal(p, msg);
+ p->supported_enctypes = supported_enctypes;
 out:
 if (ret != 0) {
@@ -1363,6 +1388,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 p->is_trust = true;
 p->kdc_db_ctx = kdc_db_ctx;
 p->realm_dn = realm_dn;
+ p->supported_enctypes = supported_enctypes;
 talloc_set_destructor(p, samba_kdc_entry_destructor);
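Review bot: The error path at `out:` in the -743 hunk resets `entry_ex->entry.keys.len = 0;` but leaves `*supported_enctypes_out` holding whatever bits were accumulated before the failure, so on error the out parameter no longer describes the (now empty) key set. The one caller shown does `goto out` on a non-zero ret before storing the value, so nothing visible misbehaves today, but the contract is cleaner if the two are cleared together: add `*supported_enctypes_out = 0;` beside `entry_ex->entry.keys.len = 0;` inside the `if (ret != 0)` block. That block continues beyond the end of the hunk.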
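Review bot: In the -1363 hunk samba_kdc_trust_message2entry() stores a function-local `supported_enctypes` whose computation lies outside the hunk, and unlike samba_kdc_message2entry_keys() nothing visible narrows it to enctypes for which a key was actually placed in the entry or masks it against the FAST/compound-identity/claims flags. Since both functions now feed the same `p->supported_enctypes` field, it is worth confirming that the consumer building PA-SUPPORTED-ENCTYPES treats the two values the same way, or noting the difference at the assignment: `/* NOTE(review): trust entries store the local mask as-is rather than the per-key bitmap used for normal accounts — confirm this is intended */`. The function starts before this hunk.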
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 150729a01f3..a354f3e8db3 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -60,6 +60,7 @@ struct samba_kdc_entry {
 bool is_rodc;
 bool is_trust;
 void *entry_ex;
+ uint32_t supported_enctypes;
 };
 extern struct hdb_method hdb_samba4_interface; |
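Review bot: The new `supported_enctypes` member of struct samba_kdc_entry is undocumented, and its meaning is not obvious from the name because the commit fills it from two different places (the per-key bitmap built in samba_kdc_message2entry_keys() and the trust path). The commit message says the value is what gets returned to clients as PA-SUPPORTED-ENCTYPES, so a trailing comment would capture that: `uint32_t supported_enctypes; /* enctype bitmap returned to clients as PA-SUPPORTED-ENCTYPES: bits for the keys held in entry_ex plus the FAST/compound-identity/claims flags */`. The struct definition begins before this hunk.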