authorStefan Metzmacher <metze@samba.org>2022-03-09 12:39:07 +0100
committerJule Anger <janger@samba.org>2022-03-14 14:27:13 +0000
commit4643536739464a1f1c49ca780ae34a1c8f6df360 (patch)
tree496783a7e625745ec3897b0f4d8c8d3584bd4072
parent9aa78f15fd6f4796657246d09dab883a717de6f6 (diff)
downloadsamba-4643536739464a1f1c49ca780ae34a1c8f6df360.tar.gz
s4:kdc: make use of the 'kdc enable fast' option
This will be useful to test against a KDC without FAST support and find/prevent regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> (cherry picked from commit 2db7589d69abebad16b66d933114367f815d5fc3)
-rw-r--r--source4/kdc/db-glue.c8
-rw-r--r--source4/kdc/kdc-heimdal.c7
2 files changed, 13 insertions, 2 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8d17038cfe6..bdadc1278c3 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -448,11 +448,15 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
*supported_enctypes_out = 0;
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
+ bool enable_fast;
+
/* KDCs (and KDCs on RODCs) use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
- /* KDCs support FAST */
- supported_enctypes |= ENC_FAST_SUPPORTED;
+ enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
+ if (enable_fast) {
+ supported_enctypes |= ENC_FAST_SUPPORTED;
+ }
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
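Review bot: The new `if (enable_fast)` branch carries no comment, while the removed `/* KDCs support FAST */` at least said why the bit was set; a reader can no longer tell that ENC_FAST_SUPPORTED for the krbtgt/RODC case is meant to track the KDC's actual FAST setting. I would add `/* Only advertise FAST when 'kdc enable fast' is set, so the bit matches kdc_config->enable_fast */` above the `lpcfg_kdc_enable_fast()` call. The option is read through `kdc_db_ctx->lp_ctx` here and through `task->lp_ctx` in kdc-heimdal.c; presumably both refer to the same configuration, but that is worth confirming, because a mismatch would advertise FAST while the KDC rejects it, or the reverse. The local `enable_fast` is used only once and could be folded into the condition. samba_kdc_message2entry_keys starts and ends outside the hunk.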
diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index ddf3b649da2..0d2a410fc3b 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
@@ -423,6 +423,13 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
kdc_config->require_pac = true;
/*
+ * By default we enable RFC6113/FAST support,
+ * but we have an option to disable in order to
+ * test against a KDC with FAST support.
+ */
+ kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx);
+
+ /*
* Match Windows and RFC6113 and Windows but break older
* Heimdal clients.
*/
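Review bot: The added comment says the option exists to "test against a KDC with FAST support", but switching it off yields a KDC without FAST, which is also what the commit message states; the line should read `* test against a KDC without FAST support.`. Because disabling the option removes the RFC6113 armor around pre-authentication, the comment could also state that this is a test setting, for example `* Disabling it is intended for testing only.`. kdc_post_fork starts and ends outside the hunk.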