From 29eb7e2488e2c55ceacb859a57836a08cbb7f8e8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 23 Mar 2022 13:07:29 +1300 Subject: [PATCH] s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys() By putting this in the caller we potentially allow samba_kdc_message2entry_keys() to be reused by a non-KDC caller. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source4/kdc/db-glue.c | 101 ++++++++++++++++++++++-------------------- 1 file changed, 52 insertions(+), 49 deletions(-) diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 1ccf059c9cc..16efb8d27fb 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -574,17 +574,16 @@ fail: } static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, - struct samba_kdc_db_context *kdc_db_ctx, TALLOC_CTX *mem_ctx, const struct ldb_message *msg, - uint32_t rid, + bool is_krbtgt, bool is_rodc, uint32_t userAccountControl, enum samba_kdc_ent_type ent_type, unsigned flags, krb5_kvno requested_kvno, struct sdb_entry *entry, - bool is_protected, + const uint32_t supported_enctypes_in, uint32_t *supported_enctypes_out) { krb5_error_code ret = 0; @@ -599,7 +598,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct supplementalCredentialsPackage *scpk = NULL; struct package_PrimaryKerberosBlob _pkb; struct package_PrimaryKerberosCtr4 *pkb4 = NULL; - bool is_krbtgt = false; int krbtgt_number = 0; uint32_t current_kvno; uint32_t old_kvno = 0; @@ -610,49 +608,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context, struct samba_kdc_user_keys old_keys = { .num_pkeys = 0, }; struct samba_kdc_user_keys older_keys = { .num_pkeys = 0, }; uint32_t available_enctypes = 0; - uint32_t supported_enctypes - = ldb_msg_find_attr_as_uint(msg, - "msDS-SupportedEncryptionTypes", - 0); + uint32_t supported_enctypes = supported_enctypes_in; + *supported_enctypes_out = 0; - if (rid == DOMAIN_RID_KRBTGT || is_rodc) { - bool enable_fast; - - /* KDCs (and KDCs on RODCs) use AES */ - supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; - is_krbtgt = true; - - enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx); - if (enable_fast) { - supported_enctypes |= ENC_FAST_SUPPORTED; - } - } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) { - /* DCs and RODCs comptuer accounts use AES */ - supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; - } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || - (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) { - /* for AS-REQ the client chooses the enc types it - * supports, and this will vary between computers a - * user logs in from. - * - * likewise for 'any' return as much as is supported, - * to export into a keytab */ - supported_enctypes = ENC_ALL_TYPES; - } - - /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ - if (userAccountControl & UF_USE_DES_KEY_ONLY) { - supported_enctypes = 0; - } else { - /* Otherwise, add in the default enc types */ - supported_enctypes |= ENC_RC4_HMAC_MD5; - } - - if (is_protected) { - supported_enctypes &= ~ENC_RC4_HMAC_MD5; - } - /* Is this the krbtgt or a RODC krbtgt */ if (is_rodc) { krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1); @@ -982,14 +941,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, krb5_error_code ret = 0; krb5_boolean is_computer = FALSE; struct samba_kdc_entry *p; - uint32_t supported_enctypes = 0; NTTIME acct_expiry; NTSTATUS status; bool protected_user = false; uint32_t rid; + bool is_krbtgt = false; bool is_rodc = false; struct ldb_message_element *objectclasses; struct ldb_val computer_val = data_blob_string_const("computer"); + uint32_t supported_enctypes + = ldb_msg_find_attr_as_uint(msg, + "msDS-SupportedEncryptionTypes", + 0); const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL); ZERO_STRUCTP(entry); @@ -1396,11 +1359,51 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, } } + if (rid == DOMAIN_RID_KRBTGT || is_rodc) { + bool enable_fast; + + is_krbtgt = true; + + /* KDCs (and KDCs on RODCs) use AES */ + supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; + + enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx); + if (enable_fast) { + supported_enctypes |= ENC_FAST_SUPPORTED; + } + } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) { + /* DCs and RODCs comptuer accounts use AES */ + supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256; + } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT || + (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) { + /* for AS-REQ the client chooses the enc types it + * supports, and this will vary between computers a + * user logs in from. + * + * likewise for 'any' return as much as is supported, + * to export into a keytab */ + supported_enctypes = ENC_ALL_TYPES; + } + + /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ + if (userAccountControl & UF_USE_DES_KEY_ONLY) { + supported_enctypes = 0; + } else { + /* Otherwise, add in the default enc types */ + supported_enctypes |= ENC_RC4_HMAC_MD5; + } + + if (protected_user) { + supported_enctypes &= ~ENC_RC4_HMAC_MD5; + } + /* Get keys from the db */ - ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg, - rid, is_rodc, userAccountControl, + ret = samba_kdc_message2entry_keys(context, p, msg, + is_krbtgt, is_rodc, + userAccountControl, ent_type, flags, kvno, entry, - protected_user, &supported_enctypes); + supported_enctypes, + &supported_enctypes); if (ret) { /* Could be bogus data in the entry, or out of memory */ goto out;