From 307d8b2a90bb5e53563574abd912ac88928efcc0 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Mon, 27 Apr 2020 14:00:38 +0200
Subject: [PATCH 1/2] Add a test with old msDS-SupportedEncryptionTypes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Isaac Boukris
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 07399831794e28c7c2cf0140d0f1d1b5538b5f60)
---
 selftest/knownfail.d/old_enctypes | 1 +
 source4/selftest/tests.py | 2 +
 testprogs/blackbox/test_old_enctypes.sh | 68 +++++++++++++++++++++++++
 3 files changed, 71 insertions(+)
 create mode 100644 selftest/knownfail.d/old_enctypes
 create mode 100755 testprogs/blackbox/test_old_enctypes.sh

diff --git a/selftest/knownfail.d/old_enctypes b/selftest/knownfail.d/old_enctypes
new file mode 100644
index 00000000000..b8dde6f1f04
--- /dev/null
+++ b/selftest/knownfail.d/old_enctypes
@@ -0,0 +1 @@
+^samba4.blackbox.test_old_enctypes.Export keytab while old enctypes are supported\(fl2003dc:local\)
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 1d965c751a4..f88f064b713 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -464,6 +464,8 @@ plantestsuite("samba4.blackbox.net_rpc_user(ad_dc)", "ad_dc", [os.path.join(bbdi
 plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join(bbdir, "test_primary_group.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX_ABS'])
+plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS'])
+
 if have_heimdal_support:
 for env in ["ad_dc_ntvfs", "ad_dc"]:
 plantestsuite("samba4.blackbox.pkinit", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient4, configuration])
diff --git a/testprogs/blackbox/test_old_enctypes.sh b/testprogs/blackbox/test_old_enctypes.sh
new file mode 100755
index 00000000000..794a265940e
--- /dev/null
+++ b/testprogs/blackbox/test_old_enctypes.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+if [ $# -lt 5 ]; then
+cat < $out
+testit_grep "find my dn" msDS-SupportedEncryptionTypes cat $out || failed=`expr $failed + 1`
+
+my_dn=$(cat $out | sed -n 's/^dn: //p')
+my_encs=$(cat $out | sed -n 's/^msDS-SupportedEncryptionTypes: //p')
+my_test_encs=`expr $my_encs + 3`
+
+ldif="${PREFIX_ABS}/tmpldbmodify.ldif"
+
+cat > $ldif < $ldif <
Date: Thu, 23 Apr 2020 11:56:54 +0200
Subject: [PATCH 2/2] kdc:db-glue: ignore KRB5_PROG_ETYPE_NOSUPP also for Primary:Kerberos

Currently we only ignore KRB5_PROG_ETYPE_NOSUPP for Primary:Kerberos-Newer-Keys, but not for Primary:Kerberos. If a service account has msDS-SupportedEncryptionTypes: 31 and DES keys stored in Primary:Kerberos, we'll pass the DES key to smb_krb5_keyblock_init_contents(), but may get KRB5_PROG_ETYPE_NOSUPP.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14354

Signed-off-by: Stefan Metzmacher
Reviewed-by: Isaac Boukris

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Tue Jul 28 14:04:26 UTC 2020 on sn-devel-184
(cherry picked from commit 4baa7cc8e473f6b63316b4ae5db34796c0f864c3)
---
 selftest/knownfail.d/old_enctypes | 1 -
 source4/kdc/db-glue.c | 18 ++++++++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)
 delete mode 100644 selftest/knownfail.d/old_enctypes

diff --git a/selftest/knownfail.d/old_enctypes b/selftest/knownfail.d/old_enctypes
deleted file mode 100644
index b8dde6f1f04..00000000000
--- a/selftest/knownfail.d/old_enctypes
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.blackbox.test_old_enctypes.Export keytab while old enctypes are supported\(fl2003dc:local\)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 023ae7b580d..d2a79920ab5 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
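Review bot: `my_test_encs=`expr $my_encs + 3`` treats msDS-SupportedEncryptionTypes as a plain number rather than a bit mask, so if either DES bit is already set in the account's current value the addition carries into the RC4/AES/FAST bits instead of enabling DES; `my_test_encs=$(( ${my_encs:-0} | 3 ))` sets the two DES bits regardless of the starting value. The preceding `testit_grep` only increments `failed` when the attribute is missing, so on that path `$my_encs` is empty, `expr` reports a syntax error, and an empty value presumably ends up in the ldif written next (the heredoc bodies and the rest of the script are not visible in this rendering). A comment stating why 3 is the right value, e.g. `# 1|2 = DES-CBC-CRC|DES-CBC-MD5, the legacy enctypes this test needs`, would spare the next reader the lookup.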
@@ -631,18 +631,18 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 pkb4->keys[i].value->data,
 pkb4->keys[i].value->length,
 &key.key);
-if (ret == KRB5_PROG_ETYPE_NOSUPP) {
-DEBUG(2,("Unsupported keytype ignored - type %u\n",
-pkb4->keys[i].keytype));
-ret = 0;
-continue;
-}
 if (ret) {
 if (key.salt) {
 smb_krb5_free_data_contents(context, &key.salt->salt);
 free(key.salt);
 key.salt = NULL;
 }
+if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+DEBUG(2,("Unsupported keytype ignored - type %u\n",
+pkb4->keys[i].keytype));
+ret = 0;
+continue;
+}
 goto out;
 }
@@ -693,6 +693,12 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 free(key.salt);
 key.salt = NULL;
 }
+if (ret == KRB5_PROG_ETYPE_NOSUPP) {
+DEBUG(2,("Unsupported keytype ignored - type %u\n",
+pkb3->keys[i].keytype));
+ret = 0;
+continue;
+}
 goto out;
 }
-- 
2.25.4
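Review bot: The six-line skip block now appears twice, in the Primary:Kerberos-Newer-Keys loop in the first hunk and in the Primary:Kerberos loop in the second, differing only in `pkb4` versus `pkb3`, and both log the identical "Unsupported keytype ignored - type %u" text, so a level-2 log cannot tell which credential package held the rejected key. Naming the package in each message, e.g. `DEBUG(2,("Unsupported keytype ignored - type %u (Primary:Kerberos)\n", pkb3->keys[i].keytype));`, costs nothing and makes the DES-on-old-accounts case from the commit message diagnosable; a small shared helper that frees the salt and decides between skip and fail would remove the duplication. Because both loops now `continue` past unsupported key types, a principal whose stored keys are all unsupported reaches the code after the loops with an empty key set; whether that is handled later is not visible here, and a comment at the `continue`, e.g. `/* may leave the entry with no usable keys; the caller must cope */`, would record the expectation. samba_kdc_message2entry_keys starts and ends outside both hunks.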