1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/lib/krb5_wrap
Alexander Bokovoy 8e931fce12 Do not fail checksums for RFC8009 types
While Active Directory does not support yet RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
domain controller which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-04-08 03:00:39 +00:00
..
enctype_convert.c lib/krb5_wrap: prefer new enctyptes in ms_suptypes_to_ietf_enctypes() 2020-02-10 16:32:36 +00:00
gss_samba.c Restrict GSSAPI query to the krb5 mechanism 2020-09-30 20:45:23 +00:00
gss_samba.h
keytab_util.c krb5_wrap: remove unused code 2021-07-27 10:09:03 +00:00
krb5_errs.c krb5_wrap: map KRB5_REALM_UNKNOWN to NT_STATUS_NO_SUCH_DOMAIN 2020-02-10 17:59:34 +00:00
krb5_samba.c lib/krb5_wrap: Pull already_hashed case out of smb_krb5_kt_add_entry() 2024-03-14 22:06:39 +00:00
krb5_samba.h Do not fail checksums for RFC8009 types 2024-04-08 03:00:39 +00:00
wscript_build krb5_wrap: move source3/libads/krb5_errs.c to lib/krb5_wrap/krb5_errs.c 2020-02-10 16:32:37 +00:00
wscript_configure krb5: Detect support for krb5_const_pac type 2022-11-08 02:39:37 +00:00