mirror of
https://github.com/samba-team/samba.git
synced 2025-01-12 09:18:10 +03:00
fde745ec34
We need to take the value from the msDS-SupportedEncryptionTypes attribute and only take the default if there's no value or if the value is 0. For krbtgt and DC accounts we need to force support for ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is completely ignored the hardcoded value is the default, so there's no AES256-SK for krbtgt). For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these accounts are in fact disabled completely, as they always result in KRB5KDC_ERR_ETYPE_NOSUPP. Then we try to get all encryption keys marked in supported_enctypes, and the available_enctypes is a reduced set depending on what keys are actually stored in the database. We select the supported session key enctypes by the available keys and in addition based on AES256-SK as well as the "kdc force enable rc4 weak session keys" option. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> |
||
|---|---|---|
| .. | ||
| auth | ||
| cldap_server | ||
| client | ||
| cluster | ||
| dns_server | ||
| dsdb | ||
| echo_server | ||
| include | ||
| kdc | ||
| ldap_server | ||
| lib | ||
| libcli | ||
| libnet | ||
| librpc | ||
| nbt_server | ||
| ntp_signd | ||
| ntvfs | ||
| param | ||
| rpc_server | ||
| samba | ||
| script | ||
| scripting | ||
| selftest | ||
| setup | ||
| smb_server | ||
| torture | ||
| utils | ||
| winbind | ||
| wrepl_server | ||
| .clang_complete | ||
| .valgrind_suppressions | ||
| wscript_build | ||