1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()

By putting this in the caller we potentially allow samba_kdc_message2entry_keys()
to be reused by a non-KDC caller.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2022-03-23 13:07:29 +13:00 committed by Stefan Metzmacher
parent 2340a9a44f
commit 29eb7e2488

View File

@ -574,17 +574,16 @@ fail:
}
static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
struct samba_kdc_db_context *kdc_db_ctx,
TALLOC_CTX *mem_ctx,
const struct ldb_message *msg,
uint32_t rid,
bool is_krbtgt,
bool is_rodc,
uint32_t userAccountControl,
enum samba_kdc_ent_type ent_type,
unsigned flags,
krb5_kvno requested_kvno,
struct sdb_entry *entry,
bool is_protected,
const uint32_t supported_enctypes_in,
uint32_t *supported_enctypes_out)
{
krb5_error_code ret = 0;
@ -599,7 +598,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
struct supplementalCredentialsPackage *scpk = NULL;
struct package_PrimaryKerberosBlob _pkb;
struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
bool is_krbtgt = false;
int krbtgt_number = 0;
uint32_t current_kvno;
uint32_t old_kvno = 0;
@ -610,49 +608,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
struct samba_kdc_user_keys old_keys = { .num_pkeys = 0, };
struct samba_kdc_user_keys older_keys = { .num_pkeys = 0, };
uint32_t available_enctypes = 0;
uint32_t supported_enctypes
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
0);
uint32_t supported_enctypes = supported_enctypes_in;
*supported_enctypes_out = 0;
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
bool enable_fast;
/* KDCs (and KDCs on RODCs) use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
is_krbtgt = true;
enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
if (enable_fast) {
supported_enctypes |= ENC_FAST_SUPPORTED;
}
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
/* for AS-REQ the client chooses the enc types it
* supports, and this will vary between computers a
* user logs in from.
*
* likewise for 'any' return as much as is supported,
* to export into a keytab */
supported_enctypes = ENC_ALL_TYPES;
}
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
supported_enctypes = 0;
} else {
/* Otherwise, add in the default enc types */
supported_enctypes |= ENC_RC4_HMAC_MD5;
}
if (is_protected) {
supported_enctypes &= ~ENC_RC4_HMAC_MD5;
}
/* Is this the krbtgt or a RODC krbtgt */
if (is_rodc) {
krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
@ -982,14 +941,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
krb5_error_code ret = 0;
krb5_boolean is_computer = FALSE;
struct samba_kdc_entry *p;
uint32_t supported_enctypes = 0;
NTTIME acct_expiry;
NTSTATUS status;
bool protected_user = false;
uint32_t rid;
bool is_krbtgt = false;
bool is_rodc = false;
struct ldb_message_element *objectclasses;
struct ldb_val computer_val = data_blob_string_const("computer");
uint32_t supported_enctypes
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
0);
const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
ZERO_STRUCTP(entry);
@ -1396,11 +1359,51 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
}
}
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
bool enable_fast;
is_krbtgt = true;
/* KDCs (and KDCs on RODCs) use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
if (enable_fast) {
supported_enctypes |= ENC_FAST_SUPPORTED;
}
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
/* for AS-REQ the client chooses the enc types it
* supports, and this will vary between computers a
* user logs in from.
*
* likewise for 'any' return as much as is supported,
* to export into a keytab */
supported_enctypes = ENC_ALL_TYPES;
}
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
supported_enctypes = 0;
} else {
/* Otherwise, add in the default enc types */
supported_enctypes |= ENC_RC4_HMAC_MD5;
}
if (protected_user) {
supported_enctypes &= ~ENC_RC4_HMAC_MD5;
}
/* Get keys from the db */
ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
rid, is_rodc, userAccountControl,
ret = samba_kdc_message2entry_keys(context, p, msg,
is_krbtgt, is_rodc,
userAccountControl,
ent_type, flags, kvno, entry,
protected_user, &supported_enctypes);
supported_enctypes,
&supported_enctypes);
if (ret) {
/* Could be bogus data in the entry, or out of memory */
goto out;