summaryrefslogtreecommitdiffstats
path: root/source4/kdc
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-10-02 05:25:26 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-10-02 09:11:37 +1000
commit7b9a6645b11dff64e04c2ddb0cabc9145c0f029f (patch)
tree79c64e3a1f29829d3f3b09d7dd4157769793c9e2 /source4/kdc
parenta82e3abc707ecaf68ee26828f11987d621ec1bb5 (diff)
downloadsamba-7b9a6645b11dff64e04c2ddb0cabc9145c0f029f.tar.gz
samba-7b9a6645b11dff64e04c2ddb0cabc9145c0f029f.tar.xz
samba-7b9a6645b11dff64e04c2ddb0cabc9145c0f029f.zip
s4-kdc Rework 'allowed encryption types' handling in the KDC
All DCs and all krbtgt servers are forced to use AES, regardless of the msDS-SecondaryKrbTgtNumber value. Andrew Bartlett
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/db-glue.c72
1 files changed, 44 insertions, 28 deletions
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 2f416c9ffa..581328d864 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -214,21 +214,38 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
uint16_t i;
uint16_t allocated_keys = 0;
int rodc_krbtgt_number = 0;
+ uint32_t supported_enctypes;
- /* Supported Enc for this entry */
- uint32_t supported_enctypes = ENC_ALL_TYPES; /* by default, we support all enc types */
-
- /* However, if this is a TGS-REQ, then lock it down to a
- * reasonable guess as to what the server can decode. The
- * krbtgt is special - default to use what is stored for the KDC */
- if (rid != DOMAIN_RID_KRBTGT && ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
- /* This is the standard set for a server that has not declared a msDS-SupportedEncryptionTypes */
- supported_enctypes = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
+ /* KDCs (and KDCs on RODCs) use AES, but not DES */
+ supported_enctypes = ENC_ALL_TYPES;
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
+ /* DCs and RODCs comptuer accounts use AES */
+ supported_enctypes = ENC_ALL_TYPES;
+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_CLIENT ||
+ (ent_type == SAMBA_KDC_ENT_TYPE_ANY)) {
+ /* for AS-REQ the client chooses the enc types it
+ * supports, and this will vary between computers a
+ * user logs in from. However, some accounts may be
+ * banned from using DES, so allow the default to be
+ * overridden
+ *
+ * likewise for 'any' return as much as is supported,
+ * to export into a keytab */
+ supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
+ ENC_ALL_TYPES);
+ } else {
+ /* However, if this is a TGS-REQ, then lock it down to
+ * a reasonable guess as to what the server can decode
+ * - we must use whatever is in
+ * "msDS-SupportedEncryptionTypes", or the 'old' set
+ * of keys (ie, what Windows 2000 supported) */
+ supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
+ ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5);
}
- supported_enctypes = ldb_msg_find_attr_as_uint(msg, "msDS-SupportedEncryptionTypes",
- supported_enctypes);
- /* Is this the krbtgt or a RODC */
+ /* Is this the krbtgt or a RODC krbtgt */
if (is_rodc) {
rodc_krbtgt_number = ldb_msg_find_attr_as_int(msg, "msDS-SecondaryKrbTgtNumber", -1);
@@ -237,26 +254,25 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
}
}
- if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
- /* Be double-sure never to use DES here */
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
- }
-
- switch (ent_type) {
- case SAMBA_KDC_ENT_TYPE_KRBTGT:
- case SAMBA_KDC_ENT_TYPE_TRUST:
- /* Disallow krbtgt and trust tickets to be DES encrypted, it's just too dangerous */
- supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
- break;
- default:
- break;
- /* No further restrictions */
- }
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
- /* However, don't allow use of DES, if we were told not to by msDS-SupportedEncTypes */
+ /* However, this still won't allow use of DES, if we
+ * were told not to by msDS-SupportedEncTypes */
supported_enctypes &= ENC_CRC32|ENC_RSA_MD5;
+ } else {
+ switch (ent_type) {
+ case SAMBA_KDC_ENT_TYPE_KRBTGT:
+ case SAMBA_KDC_ENT_TYPE_TRUST:
+ /* Unless a very special effort it made,
+ * disallow trust tickets to be DES encrypted,
+ * it's just too dangerous */
+ supported_enctypes &= ~(ENC_CRC32|ENC_RSA_MD5);
+ break;
+ default:
+ break;
+ /* No further restrictions */
+ }
}
entry_ex->entry.keys.val = NULL;