From 548169a3e20cd6ee4a5d9320b85b2dea4ffe0eea Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Wed, 23 Mar 2022 09:47:53 +1300
Subject: [PATCH] s4:kdc: Pass supported enctypes to samba_kdc_set_random_keys()
We should not supprise the callers by returning more keys than we asked to filter by and avoids duplicating the protected_users logic within samba_kdc_set_fixed_keys().
Pair-Programmed-With: Stefan Metzmacher
Signed-off-by: Andrew Bartlett
Signed-off-by: Stefan Metzmacher
---
 source4/kdc/db-glue.c | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index a5e7cebab1b..115ef1c94b2 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -409,18 +409,12 @@ out:
 static int samba_kdc_set_random_keys(krb5_context context,
- struct samba_kdc_db_context *kdc_db_ctx,
- struct sdb_keys *keys,
- bool is_protected)
+ uint32_t supported_enctypes,
+ struct sdb_keys *keys)
 {
- uint32_t supported_enctypes = ENC_ALL_TYPES;
 struct ldb_val secret_val;
 uint8_t secretbuffer[32];
- if (is_protected) {
- supported_enctypes &= ~ENC_RC4_HMAC_MD5;
- }
-
 /*
 * Fake keys until we have a better way to reject
 * non-pkinit requests.
@@ -674,9 +668,8 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 if ((ent_type == SAMBA_KDC_ENT_TYPE_CLIENT) && (userAccountControl & UF_SMARTCARD_REQUIRED)) {
 ret = samba_kdc_set_random_keys(context,
- kdc_db_ctx,
- &entry->keys,
- is_protected);
+ supported_enctypes,
+ &entry->keys);
 *supported_enctypes_out = supported_enctypes;
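Review bot: samba_kdc_set_random_keys() has no comment saying that `supported_enctypes` must already be filtered by the caller, and with the in-function `supported_enctypes &= ~ENC_RC4_HMAC_MD5;` removed, that caller-side filtering is the only thing keeping RC4 out of the fake keys for protected accounts. A later caller that passes `ENC_ALL_TYPES` would compile cleanly and quietly bring RC4 back. I would add above the function: `/* supported_enctypes: ENC_* mask already restricted by the caller (e.g. ENC_RC4_HMAC_MD5 cleared for Protected Users); no key outside this mask may be generated. */`. The function body continues past the end of the hunk, so how the mask is applied to `keys` is not visible here.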
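Review bot: At this call in samba_kdc_message2entry_keys() the RC4 exclusion for protected accounts now depends on `supported_enctypes` having been masked before the UF_SMARTCARD_REQUIRED branch, and neither that masking nor the variable's initialisation is inside the hunk. If the `is_protected` adjustment happens after this branch, the random keys would again include ENC_RC4_HMAC_MD5 for a protected smartcard-required client, which the removed in-function mask used to prevent. Please confirm the ordering and consider a one-line comment at the call, e.g. `/* supported_enctypes already has RC4 cleared when is_protected */`, together with a test covering a protected, smartcard-required client. The enclosing function starts and ends outside the hunk.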