sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00
Code

kdc: warn if DES-only keys enforced on the account

Browse Source 
With MIT Kerberos 1.21+ DES is not available by default and will be
refused. This means userAccountFlags with UF_DES_KEYS_ONLY will result
in a likely authentication falure (unless allow_des=true is set in
krb5.conf).

Warn about such cases to give admins yet another chance to detect an
error in setting userAccountFlags.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Aug 17 11:59:01 UTC 2024 on atb-devel-224
This commit is contained in:
Alexander Bokovoy 2024-08-16 11:24:12 +03:00
parent 31c9352099
commit 3d98048a5a
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
source4/kdc/db-glue.c
View File

@ -1741,6 +1741,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
if (userAccountControl & UF_USE_DES_KEY_ONLY) { if (userAccountControl & UF_USE_DES_KEY_ONLY) {
supported_enctypes &= ~ENC_ALL_TYPES; supported_enctypes &= ~ENC_ALL_TYPES;
DBG_NOTICE("DES-only keys allowed on the account '%s', "
"most likely auth will fail through Kerberos\n",
samAccountName);
} }
if (protected_user) { if (protected_user) {