The Samba-Bugzilla – Attachment 16202 Details for
Bug 14479
The created krb5.conf for 'net ads join' doesn't have a domain entry
[patch]
patch for 4.13
v4-13-test.patch (text/plain), 3.31 KB, created by
Andreas Schneider
on 2020-09-07 12:13:12 UTC
>From 15a0ecf69099596834df610867135f1156822b48 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 3 Sep 2020 11:11:14 +0200 >Subject: [PATCH 1/3] s3:libads: Remove DES legacy types for Kerberos > >We already removed DES support for Kerberos in Samba 4.12. > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Isaac Boukris <iboukris@samba.org> >(cherry picked from commit 9cf1aecd73e011ad03ddb072760454379b3f0a32) >--- > source3/libads/kerberos.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 5959da919b0..53079bbb967 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -594,7 +594,7 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx) > > if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || > lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) { >- legacy_enctypes = "RC4-HMAC DES-CBC-CRC DES-CBC-MD5"; >+ legacy_enctypes = "RC4-HMAC"; > } > > enctypes = >-- >2.28.0 > > >From d206956d34ee0a0593f9b3cd37791ae163462c04 Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 3 Sep 2020 11:45:33 +0200 >Subject: [PATCH 2/3] s3:libads: Only add RC4 if weak crypto is allowed > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Isaac Boukris <iboukris@samba.org> >(cherry picked from commit a5303967287cef0c3d0b653e2aca73d25d438cf7) >--- > source3/libads/kerberos.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 53079bbb967..15ed9e933d8 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c 
>@@ -592,8 +592,9 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx) > #endif > } > >- if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || >- lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) { >+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED && >+ (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || >+ lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) { > legacy_enctypes = "RC4-HMAC"; > } > >-- >2.28.0 > > >From 51fe8431f95f15f76fd081d4716d88f3b0296c9f Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Thu, 3 Sep 2020 13:49:33 +0200 >Subject: [PATCH 3/3] s3:libads: Also add a realm entry for the domain name > >This is required if we try to authenticate as Administrator@DOMAIN so it >can find the KDC. This fixes 'net ads join' for ad_member_fips if we >require Kerberos auth. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14479 > >Signed-off-by: Andreas Schneider <asn@samba.org> >Reviewed-by: Isaac Boukris <iboukris@samba.org> >(cherry picked from commit 6444a743525532c70634e2dd4cacadce54ba2eab) >--- > source3/libads/kerberos.c | 4 ++++ > 1 file changed, 4 insertions(+) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 15ed9e933d8..03c7f35a44d 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -726,11 +726,15 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, > "\tdns_lookup_kdc = true\n\n" > "[realms]\n\t%s = {\n" > "%s\t}\n" >+ "\t%s = {\n" >+ "%s\t}\n" > "%s\n", > realm_upper, > enctypes, > realm_upper, > kdc_ip_string, >+ domain, >+ kdc_ip_string, > include_system_krb5); > > if (!file_contents) { >-- >2.28.0 >
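Review bot: in PATCH 1/3, the `legacy_enctypes = "RC4-HMAC";` assignment in get_enctypes() has no comment, although the branch is still keyed on KERBEROS_ETYPES_ALL / KERBEROS_ETYPES_LEGACY and "legacy" now means RC4 only. A one-line comment above the assignment saying that DES was dropped in 4.12 and RC4-HMAC is the only legacy type left would keep a later change from re-adding entries here. If the documentation of the kerberos encryption types option still lists DES for the legacy setting, it should be updated in the same series.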
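Review bot: in PATCH 2/3, the new `lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&` condition skips the RC4-HMAC assignment silently, and the commit message has no body stating the intent. With KERBEROS_ETYPES_LEGACY configured and weak crypto not allowed, nothing in this hunk sets legacy_enctypes, so please confirm what the generated enctype lines contain for that combination and consider a DEBUG message saying RC4-HMAC was left out because weak crypto is disallowed. A sentence in the commit message on the reason (the FIPS case mentioned in PATCH 3/3, presumably) would also help.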
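Review bot: in PATCH 3/3, the added `domain,` argument for the second `"\t%s = {\n"` realm block is written as passed, while the first block uses realm_upper. Kerberos realm names are case-sensitive and the commit message targets Administrator@DOMAIN, so the name should be uppercased here or the caller's guarantee documented. The hunk also shows no check that domain is non-NULL, non-empty and different from realm_upper; if it can equal the realm, the generated file gets a duplicate [realms] entry, so suggest emitting the second block only when the name differs.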
Flags:
iboukris
:
review+