mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
By putting this in the caller we potentially allow samba_kdc_message2entry_keys() to be reused by a non-KDC caller. Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
2340a9a44f
commit
29eb7e2488
@ -574,17 +574,16 @@ fail:
|
||||
}
|
||||
|
||||
static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
|
||||
struct samba_kdc_db_context *kdc_db_ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct ldb_message *msg,
|
||||
uint32_t rid,
|
||||
bool is_krbtgt,
|
||||
bool is_rodc,
|
||||
uint32_t userAccountControl,
|
||||
enum samba_kdc_ent_type ent_type,
|
||||
unsigned flags,
|
||||
krb5_kvno requested_kvno,
|
||||
struct sdb_entry *entry,
|
||||
bool is_protected,
|
||||
const uint32_t supported_enctypes_in,
|
||||
uint32_t *supported_enctypes_out)
|
||||
{
|
||||
krb5_error_code ret = 0;
|
||||
@ -599,7 +598,6 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
|
||||
struct supplementalCredentialsPackage *scpk = NULL;
|
||||
struct package_PrimaryKerberosBlob _pkb;
|
||||
struct package_PrimaryKerberosCtr4 *pkb4 = NULL;
|
||||
bool is_krbtgt = false;
|
||||
int krbtgt_number = 0;
|
||||
uint32_t current_kvno;
|
||||
uint32_t old_kvno = 0;
|
||||
@ -610,49 +608,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
|
||||
struct samba_kdc_user_keys old_keys = { .num_pkeys = 0, };
|
||||
struct samba_kdc_user_keys older_keys = { .num_pkeys = 0, };
|
||||
uint32_t available_enctypes = 0;
|
||||
uint32_t supported_enctypes
|
||||
= ldb_msg_find_attr_as_uint(msg,
|
||||
"msDS-SupportedEncryptionTypes",
|
||||
0);
|
||||
uint32_t supported_enctypes = supported_enctypes_in;
|
||||
|
||||
*supported_enctypes_out = 0;
|
||||
|
||||
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
|
||||
bool enable_fast;
|
||||
|
||||
/* KDCs (and KDCs on RODCs) use AES */
|
||||
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
|
||||
is_krbtgt = true;
|
||||
|
||||
enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
|
||||
if (enable_fast) {
|
||||
supported_enctypes |= ENC_FAST_SUPPORTED;
|
||||
}
|
||||
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
|
||||
/* DCs and RODCs comptuer accounts use AES */
|
||||
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
|
||||
} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
|
||||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
|
||||
/* for AS-REQ the client chooses the enc types it
|
||||
* supports, and this will vary between computers a
|
||||
* user logs in from.
|
||||
*
|
||||
* likewise for 'any' return as much as is supported,
|
||||
* to export into a keytab */
|
||||
supported_enctypes = ENC_ALL_TYPES;
|
||||
}
|
||||
|
||||
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
|
||||
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
|
||||
supported_enctypes = 0;
|
||||
} else {
|
||||
/* Otherwise, add in the default enc types */
|
||||
supported_enctypes |= ENC_RC4_HMAC_MD5;
|
||||
}
|
||||
|
||||
if (is_protected) {
|
||||
supported_enctypes &= ~ENC_RC4_HMAC_MD5;
|
||||
}
|
||||
|
||||
/* Is this the krbtgt or a RODC krbtgt */
|
||||
if (is_rodc) {
|
||||
krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
|
||||
@ -982,14 +941,18 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
krb5_error_code ret = 0;
|
||||
krb5_boolean is_computer = FALSE;
|
||||
struct samba_kdc_entry *p;
|
||||
uint32_t supported_enctypes = 0;
|
||||
NTTIME acct_expiry;
|
||||
NTSTATUS status;
|
||||
bool protected_user = false;
|
||||
uint32_t rid;
|
||||
bool is_krbtgt = false;
|
||||
bool is_rodc = false;
|
||||
struct ldb_message_element *objectclasses;
|
||||
struct ldb_val computer_val = data_blob_string_const("computer");
|
||||
uint32_t supported_enctypes
|
||||
= ldb_msg_find_attr_as_uint(msg,
|
||||
"msDS-SupportedEncryptionTypes",
|
||||
0);
|
||||
const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
|
||||
|
||||
ZERO_STRUCTP(entry);
|
||||
@ -1396,11 +1359,51 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
}
|
||||
}
|
||||
|
||||
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
|
||||
bool enable_fast;
|
||||
|
||||
is_krbtgt = true;
|
||||
|
||||
/* KDCs (and KDCs on RODCs) use AES */
|
||||
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
|
||||
|
||||
enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
|
||||
if (enable_fast) {
|
||||
supported_enctypes |= ENC_FAST_SUPPORTED;
|
||||
}
|
||||
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
|
||||
/* DCs and RODCs comptuer accounts use AES */
|
||||
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
|
||||
} else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
|
||||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
|
||||
/* for AS-REQ the client chooses the enc types it
|
||||
* supports, and this will vary between computers a
|
||||
* user logs in from.
|
||||
*
|
||||
* likewise for 'any' return as much as is supported,
|
||||
* to export into a keytab */
|
||||
supported_enctypes = ENC_ALL_TYPES;
|
||||
}
|
||||
|
||||
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
|
||||
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
|
||||
supported_enctypes = 0;
|
||||
} else {
|
||||
/* Otherwise, add in the default enc types */
|
||||
supported_enctypes |= ENC_RC4_HMAC_MD5;
|
||||
}
|
||||
|
||||
if (protected_user) {
|
||||
supported_enctypes &= ~ENC_RC4_HMAC_MD5;
|
||||
}
|
||||
|
||||
/* Get keys from the db */
|
||||
ret = samba_kdc_message2entry_keys(context, kdc_db_ctx, p, msg,
|
||||
rid, is_rodc, userAccountControl,
|
||||
ret = samba_kdc_message2entry_keys(context, p, msg,
|
||||
is_krbtgt, is_rodc,
|
||||
userAccountControl,
|
||||
ent_type, flags, kvno, entry,
|
||||
protected_user, &supported_enctypes);
|
||||
supported_enctypes,
|
||||
&supported_enctypes);
|
||||
if (ret) {
|
||||
/* Could be bogus data in the entry, or out of memory */
|
||||
goto out;
|
||||
|
Loading…
Reference in New Issue
Block a user