author | Stefan Metzmacher <metze@samba.org> | 2017-05-19 16:01:55 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2017-07-13 20:01:27 +0200 |
commit | bfccba416eb0ee2194e20238199fbf331b8e95a2 (patch) | |
tree | 04054c2961d827e5947fbcb1493b0e9d0ec184a5 | |
parent | beb5f2bbb912ae9ae654bac35263160eb0c7ae53 (diff) | |
s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client would try to use a des key to contact the smb server.
Having this legacy code adds quite some complexity for no
good reason.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 487b4717b58a6f1ba913708ce8419145b7f4fac8)
-rw-r--r-- | source3/libads/kerberos.c | 37 |
1 files changed, 4 insertions, 33 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index b4bd76894e1..ba2311bfc58 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -273,27 +273,6 @@ int ads_kdestroy(const char *cc_name)
 }
 
 /************************************************************************
- Routine to fetch the salting principal for a service. Active
- Directory may use a non-obvious principal name to generate the salt
- when it determines the key to use for encrypting tickets for a service,
- and hopefully we detected that when we joined the domain.
- ************************************************************************/
-
-static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype)
-{
- char *key = NULL;
- char *ret = NULL;
-
- if (asprintf(&key, "%s/%s/enctype=%d",
- SECRETS_SALTING_PRINCIPAL, service, enctype) == -1) {
- return NULL;
- }
- ret = (char *)secrets_fetch(key, NULL);
- SAFE_FREE(key);
- return ret;
-}
-
-/************************************************************************
 Return the standard DES salt key
 ************************************************************************/
 
@@ -372,10 +351,8 @@ char* kerberos_secrets_fetch_des_salt( void )
 }
 
 /************************************************************************
- Routine to get the salting principal for this service. This is
- maintained for backwards compatibilty with releases prior to 3.0.24.
- Since we store the salting principal string only at join, we may have
- to look for the older tdb keys. Caller must free if return is not null.
+ Routine to get the salting principal for this service.
+ Caller must free if return is not null.
 ************************************************************************/
 
 char *kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
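Review bot: The rewritten header comment in the second hunk no longer says where the salting principal comes from, and after this commit the lookup order is the only behaviour left to document. I would extend it with a line such as ` Returns the stored DES salt principal, else host/machine.realm@REALM.`, which matches the two calls visible in the following hunk. The function body itself lies outside this hunk.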
@@ -387,14 +364,8 @@ char *kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
 
 salt_princ_s = kerberos_secrets_fetch_des_salt();
 if (salt_princ_s == NULL) {
-
- /* look under the old key. If this fails, just use the standard key */
- salt_princ_s = kerberos_secrets_fetch_salting_principal(host_princ_s,
- enctype);
- if (salt_princ_s == NULL) {
- /* fall back to host/machine.realm@REALM */
- salt_princ_s = kerberos_standard_des_salt();
- }
+ /* fall back to host/machine.realm@REALM */
+ salt_princ_s = kerberos_standard_des_salt();
 }
 
 return salt_princ_s; |
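Review bot: With the per-enctype lookup removed, the visible lines of `kerberos_fetch_salt_princ_for_host_princ()` no longer read `host_princ_s` or `enctype`. The function's opening and closing lines are outside the hunk, but if nothing there uses them either, the signature still implies the salt depends on the encryption type, and the two arguments could be dropped in a follow-up. The fallback to `kerberos_standard_des_salt()` is also silent, and salted keys derived from a principal that differs from the one the KDC used will not match, which is hard to diagnose from ticket decryption errors alone. A debug line inside the `if`, for example `DEBUG(10, ("no stored DES salt, using standard salting principal\n"));`, would make that path visible in logs.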