Attachment 16202 Details for Bug 14479 – patch for 4.13

[patch] patch for 4.13

v4-13-test.patch (text/plain), 3.31 KB, created by Andreas Schneider on 2020-09-07 12:13:12 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andreas Schneider

Created: 2020-09-07 12:13:12 UTC

Size: 3.31 KB

patch

obsolete

>From 15a0ecf69099596834df610867135f1156822b48 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 3 Sep 2020 11:11:14 +0200
>Subject: [PATCH 1/3] s3:libads: Remove DES legacy types for Kerberos
>
>We already removed DES support for Kerberos in Samba 4.12.
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit 9cf1aecd73e011ad03ddb072760454379b3f0a32)
>---
> source3/libads/kerberos.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index 5959da919b0..53079bbb967 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -594,7 +594,7 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
> 
> 	if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
> 	    lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
>-		legacy_enctypes = "RC4-HMAC DES-CBC-CRC DES-CBC-MD5";
>+		legacy_enctypes = "RC4-HMAC";
> 	}
> 
> 	enctypes =
>-- 
>2.28.0
>
>
>From d206956d34ee0a0593f9b3cd37791ae163462c04 Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 3 Sep 2020 11:45:33 +0200
>Subject: [PATCH 2/3] s3:libads: Only add RC4 if weak crypto is allowed
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit a5303967287cef0c3d0b653e2aca73d25d438cf7)
>---
> source3/libads/kerberos.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index 53079bbb967..15ed9e933d8 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -592,8 +592,9 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
> #endif
> 	}
> 
>-	if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
>-	    lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
>+	if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&
>+	    (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
>+	     lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) {
> 		legacy_enctypes = "RC4-HMAC";
> 	}
> 
>-- 
>2.28.0
>
>
>From 51fe8431f95f15f76fd081d4716d88f3b0296c9f Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Thu, 3 Sep 2020 13:49:33 +0200
>Subject: [PATCH 3/3] s3:libads: Also add a realm entry for the domain name
>
>This is required if we try to authenticate as Administrator@DOMAIN so it
>can find the KDC. This fixes 'net ads join' for ad_member_fips if we
>require Kerberos auth.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14479
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>(cherry picked from commit 6444a743525532c70634e2dd4cacadce54ba2eab)
>---
> source3/libads/kerberos.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index 15ed9e933d8..03c7f35a44d 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -726,11 +726,15 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> 			    "\tdns_lookup_kdc = true\n\n"
> 			    "[realms]\n\t%s = {\n"
> 			    "%s\t}\n"
>+			    "\t%s = {\n"
>+			    "%s\t}\n"
> 			    "%s\n",
> 			    realm_upper,
> 			    enctypes,
> 			    realm_upper,
> 			    kdc_ip_string,
>+			    domain,
>+			    kdc_ip_string,
> 			    include_system_krb5);
> 
> 	if (!file_contents) {
>-- 
>2.28.0
>

Flags:

iboukris: review+

Actions: View

Attachments on bug 14479: 16202