authorJoseph Sutton <josephsutton@catalyst.net.nz>2021-12-24 16:59:12 +1300
committerJoseph Sutton <jsutton@samba.org>2022-01-19 20:50:35 +0000
commitcb382f7cddebabde3dac2b4bdb50d5b864463abf (patch)
tree8b641119c3e4bd3a41fe6a3ca936f42bac0e4182
parent6c2a97d3b29ba14ff43840f3c7b146960f0f1665 (diff)
s4:kdc: Set supported enctypes in KDC entry
This allows us to return the supported enctypes to the client as PA-SUPPORTED-ENCTYPES padata. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source4/kdc/db-glue.c34
-rw-r--r--source4/kdc/samba_kdc.h1
2 files changed, 31 insertions, 4 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bef8bd4f454..8d17038cfe6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -424,7 +424,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
bool is_rodc,
uint32_t userAccountControl,
enum samba_kdc_ent_type ent_type,
- struct sdb_entry_ex *entry_ex)
+ struct sdb_entry_ex *entry_ex,
+ uint32_t *supported_enctypes_out)
{
krb5_error_code ret = 0;
enum ndr_err_code ndr_err;
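Review bot: The new out parameter `supported_enctypes_out` added to the signature has no comment stating what the caller receives, and the contract is not obvious because the value is zeroed early and then accumulated one key at a time across several later hunks rather than assigned once. A comment above the prototype such as `/* supported_enctypes_out: on success, bitmap of ENC_* enctypes for which a key was stored in entry_ex, plus any FAST/claims flags carried in msDS-SupportedEncryptionTypes */` would save readers tracing every assignment. The body of samba_kdc_message2entry_keys continues well past this hunk.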
@@ -444,10 +445,14 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
0);
+ *supported_enctypes_out = 0;
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
/* KDCs (and KDCs on RODCs) use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
+
+ /* KDCs support FAST */
+ supported_enctypes |= ENC_FAST_SUPPORTED;
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
@@ -488,6 +493,9 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
ret = samba_kdc_set_random_keys(context,
kdc_db_ctx,
entry_ex);
+
+ *supported_enctypes_out = supported_enctypes;
+
goto out;
}
@@ -628,15 +636,19 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
entry_ex->entry.keys.len++;
+
+ *supported_enctypes_out |= ENC_RC4_HMAC_MD5;
}
if (pkb4) {
for (i=0; i < pkb4->num_keys; i++) {
struct sdb_key key = {};
+ uint32_t enctype_bit;
if (!pkb4->keys[i].value) continue;
- if (!(kerberos_enctype_to_bitmap(pkb4->keys[i].keytype) & supported_enctypes)) {
+ enctype_bit = kerberos_enctype_to_bitmap(pkb4->keys[i].keytype);
+ if (!(enctype_bit & supported_enctypes)) {
continue;
}
@@ -687,14 +699,18 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
entry_ex->entry.keys.len++;
+
+ *supported_enctypes_out |= enctype_bit;
}
} else if (pkb3) {
for (i=0; i < pkb3->num_keys; i++) {
struct sdb_key key = {};
+ uint32_t enctype_bit;
if (!pkb3->keys[i].value) continue;
- if (!(kerberos_enctype_to_bitmap(pkb3->keys[i].keytype) & supported_enctypes)) {
+ enctype_bit = kerberos_enctype_to_bitmap(pkb3->keys[i].keytype);
+ if (!(enctype_bit & supported_enctypes)) {
continue;
}
@@ -743,9 +759,16 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
entry_ex->entry.keys.val[entry_ex->entry.keys.len] = key;
entry_ex->entry.keys.len++;
+
+ *supported_enctypes_out |= enctype_bit;
}
}
+ /* Set FAST support bits */
+ *supported_enctypes_out |= supported_enctypes & (ENC_FAST_SUPPORTED |
+ ENC_COMPOUND_IDENTITY_SUPPORTED |
+ ENC_CLAIMS_SUPPORTED);
+
out:
if (ret != 0) {
entry_ex->entry.keys.len = 0;
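Review bot: The error path under `out:` resets `entry_ex->entry.keys.len` to 0 but leaves `*supported_enctypes_out` holding whatever bits were accumulated before the failure, so the advertised bitmap no longer matches the now-empty key set. The current caller discards the value when `ret` is non-zero, but keeping the two in step is cheap and removes a trap for future callers: add `*supported_enctypes_out = 0;` inside the `if (ret != 0)` block. Relatedly, the random-key path in the hunk at @@ -488 copies the whole `supported_enctypes` bitmap rather than only the enctypes for which keys were generated; if samba_kdc_set_random_keys produces a fixed set of key types (its body is outside this diff), that path can advertise enctypes the other path would not, and deserves a comment either way.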
@@ -838,6 +861,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
krb5_boolean is_computer = FALSE;
struct samba_kdc_entry *p;
+ uint32_t supported_enctypes = 0;
NTTIME acct_expiry;
NTSTATUS status;
@@ -1216,13 +1240,14 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* Get keys from the db */
ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
rid, is_rodc, userAccountControl,
- ent_type, entry_ex);
+ ent_type, entry_ex, &supported_enctypes);
if (ret) {
/* Could be bogus data in the entry, or out of memory */
goto out;
}
p->msg = talloc_steal(p, msg);
+ p->supported_enctypes = supported_enctypes;
out:
if (ret != 0) {
@@ -1363,6 +1388,7 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
p->is_trust = true;
p->kdc_db_ctx = kdc_db_ctx;
p->realm_dn = realm_dn;
+ p->supported_enctypes = supported_enctypes;
talloc_set_destructor(p, samba_kdc_entry_destructor);
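Review bot: In samba_kdc_trust_message2entry the stored `p->supported_enctypes` is taken directly from the local `supported_enctypes`, whereas samba_kdc_message2entry_keys only ORs in bits for enctypes whose key was actually added to the entry. If that local is the raw configured bitmap for the trust (its definition lies outside this hunk), a trust configured for an enctype that has no corresponding key would be advertised to clients in PA-SUPPORTED-ENCTYPES as supported. Either mask it against the enctypes of the keys actually built for the trust, or add a comment here explaining why the configured bitmap is safe to advertise unfiltered.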
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index 150729a01f3..a354f3e8db3 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -60,6 +60,7 @@ struct samba_kdc_entry {
bool is_rodc;
bool is_trust;
void *entry_ex;
+ uint32_t supported_enctypes;
};
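Review bot: The new `supported_enctypes` member is the one field in this struct whose meaning is not evident from its name and type, yet it gets no comment while its neighbours are self-describing booleans and pointers. Suggest `uint32_t supported_enctypes; /* ENC_* bitmap advertised to clients as PA-SUPPORTED-ENCTYPES */` so readers of the header do not have to locate the producer in db-glue.c.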
extern struct hdb_method hdb_samba4_interface;