author | Stefan Metzmacher <metze@samba.org> | 2022-03-09 12:39:07 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-03-14 14:27:13 +0000 |
commit | 4643536739464a1f1c49ca780ae34a1c8f6df360 (patch) | |
tree | 496783a7e625745ec3897b0f4d8c8d3584bd4072 | |
parent | 9aa78f15fd6f4796657246d09dab883a717de6f6 (diff) | |
s4:kdc: make use of the 'kdc enable fast' option
This will be useful to test against a KDC without FAST support
and find/prevent regressions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit 2db7589d69abebad16b66d933114367f815d5fc3)
-rw-r--r-- | source4/kdc/db-glue.c | 8 | ||||
-rw-r--r-- | source4/kdc/kdc-heimdal.c | 7 |
2 files changed, 13 insertions, 2 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 8d17038cfe6..bdadc1278c3 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -448,11 +448,15 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, *supported_enctypes_out = 0; if (rid == DOMAIN_RID_KRBTGT || is_rodc) { + bool enable_fast; + /* KDCs (and KDCs on RODCs) use AES */ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; - /* KDCs support FAST */ - supported_enctypes |= ENC_FAST_SUPPORTED; + enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx); + if (enable_fast) { + supported_enctypes |= ENC_FAST_SUPPORTED; + } } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) { /* DCs and RODCs comptuer accounts use AES */ supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c index ddf3b649da2..0d2a410fc3b 100644 --- a/source4/kdc/kdc-heimdal.c +++ b/source4/kdc/kdc-heimdal.c @@ -423,6 +423,13 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd) kdc_config->require_pac = true; /* + * By default we enable RFC6113/FAST support, + * but we have an option to disable in order to + * test against a KDC with FAST support. + */ + kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx); + + /* * Match Windows and RFC6113 and Windows but break older * Heimdal clients. */ |
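Review bot: The removed `/* KDCs support FAST */` comment has no replacement in the krbtgt/RODC branch of samba_kdc_message2entry_keys, so nothing there explains why ENC_FAST_SUPPORTED is now conditional. A comment above the check such as `/* Advertise FAST only when 'kdc enable fast' is set; disabling it is intended for testing */` would record that, since with the option off the krbtgt entry presumably stops signalling FAST to clients and they lose the armoring it provides. The single-use local could also be dropped in favour of `if (lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx)) {`. The function body starts and ends outside this hunk.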
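Review bot: The comment added in kdc_post_fork says the option exists "to test against a KDC with FAST support", which contradicts the commit message and the code; the line should read `* test against a KDC without FAST support.`. Because turning the option off removes RFC6113 armoring for the whole KDC, a log line at startup would make an accidental production setting visible, for example `if (!kdc_config->enable_fast) { DBG_WARNING("FAST disabled via 'kdc enable fast'\n"); }`, assuming the DBG_* macros are available in this file. kdc_post_fork continues outside the hunk.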