mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
906dbd0a4b
We need to take the value from the msDS-SupportedEncryptionTypes
attribute and only take the default if there's no value or
if the value is 0.
For krbtgt and DC accounts we need to force support for
ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
completely ignored the hardcoded value is the default, so there's
no AES256-SK for krbtgt).
For UF_USE_DES_KEY_ONLY on the account we reset
the value to 0, these accounts are in fact disabled completely,
as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
Then we try to get all encryption keys marked in
supported_enctypes, and the available_enctypes
is a reduced set depending on what keys are
actually stored in the database.
We select the supported session key enctypes by the available
keys and in addition based on AES256-SK as well as the
"kdc force enable rc4 weak session keys" option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| auth | ||
| cldap_server | ||
| client | ||
| cluster | ||
| dns_server | ||
| dsdb | ||
| echo_server | ||
| include | ||
| kdc | ||
| ldap_server | ||
| lib | ||
| libcli | ||
| libnet | ||
| librpc | ||
| nbt_server | ||
| ntp_signd | ||
| ntvfs | ||
| param | ||
| rpc_server | ||
| samba | ||
| script | ||
| scripting | ||
| selftest | ||
| setup | ||
| smb_server | ||
| torture | ||
| utils | ||
| winbind | ||
| wrepl_server | ||
| .clang_complete | ||
| .valgrind_suppressions | ||
| wscript_build | ||