The Samba-Bugzilla – Attachment 8019 Details for
Bug 9272
net ads join does not provide AES keys in host keytab
[patch]
v4-0-test patch
net_ads_join_does_not_provide_aes_keytypes.patch (text/plain), 4.29 KB, created by
Andreas Schneider
on 2012-10-09 12:37:54 UTC
Description:
v4-0-test patch
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2012-10-09 12:37:54 UTC
Size:
4.29 KB
>From fd4d9b71377876d3d99392952634e0d40d8e5f5c Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 15 Dec 2011 18:12:41 +0100
>Subject: [PATCH 1/2] s3-krb5: use and request AES keys in kerberos
> operations.
>
>Guenther
>
>(cherry picked from commit eae33e96fcaa456830862325b91579faf2a96213)
>---
> lib/krb5_wrap/krb5_samba.c | 6 ++++++
> source3/libads/kerberos.c | 1 +
> source3/libads/kerberos_keytab.c | 8 +++++++-
> 3 files changed, 14 insertions(+), 1 deletion(-)
>
>diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
>index 1a5a710..8037337 100644
>--- a/lib/krb5_wrap/krb5_samba.c
>+++ b/lib/krb5_wrap/krb5_samba.c
>@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
> ENCTYPE_ARCFOUR_HMAC,
> ENCTYPE_DES_CBC_MD5,
> ENCTYPE_DES_CBC_CRC,
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>+#endif
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
>+#endif
> ENCTYPE_NULL};
>
> initialize_krb5_error_table();
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index 1093d12..fd39394 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -870,6 +870,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> goto done;
> }
>
>+ /* FIXME: add aes here - gd */
> file_contents = talloc_asprintf(fname,
> "[libdefaults]\n\tdefault_realm = %s\n"
> "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
>index eb2603b..b7df50d 100644
>--- a/source3/libads/kerberos_keytab.c
>+++ b/source3/libads/kerberos_keytab.c
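Review bot: In the `cli_krb5_get_ticket` hunk of lib/krb5_wrap/krb5_samba.c the two AES types are appended after `ENCTYPE_ARCFOUR_HMAC` and both DES types, so they sit last in the list. The call that consumes this array is outside the hunk; if it hands the list to the Kerberos library as a preference order, RC4 and single DES would still be picked ahead of AES whenever the KDC accepts them. PATCH 2/2 writes the AES names first in the generated krb5.conf, so the two places would also disagree with each other. I would move both `#ifdef` blocks to the top of the initializer, strongest first: `ENCTYPE_AES256_CTS_HMAC_SHA1_96,` then `ENCTYPE_AES128_CTS_HMAC_SHA1_96,` ahead of `ENCTYPE_ARCFOUR_HMAC,`. The array declaration itself begins above the hunk.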
>@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
> krb5_keytab keytab = NULL;
> krb5_data password;
> krb5_kvno kvno;
>- krb5_enctype enctypes[4] = {
>+ krb5_enctype enctypes[6] = {
> ENCTYPE_DES_CBC_CRC,
> ENCTYPE_DES_CBC_MD5,
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>+#endif
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
>+#endif
> ENCTYPE_ARCFOUR_HMAC,
> 0
> };
>--
>1.7.12.2
>
>
>From 6fed1bfc93be1e5cd4a040a5e9ae54557026ae7e Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Mon, 19 Dec 2011 10:52:58 +0100
>Subject: [PATCH 2/2] s3-kerberos: add aes enctypes to generated krb5.conf.
>
>Guenther
>
>(cherry picked from commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe)
>---
> source3/libads/kerberos.c | 29 ++++++++++++++++++++++++-----
> 1 file changed, 24 insertions(+), 5 deletions(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index fd39394..3183e26 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> int fd;
> char *realm_upper = NULL;
> bool result = false;
>+ char *aes_enctypes = NULL;
>
> if (!lp_create_krb5_conf()) {
> return false;
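Review bot: In the `ads_keytab_add_entry` hunk of source3/libads/kerberos_keytab.c the array bound is raised by hand from 4 to 6, which is exact only when both `HAVE_ENCTYPE_AES*` macros are defined. Declaring it as `krb5_enctype enctypes[] = {` lets the compiler size the array from the entries that survive preprocessing and keeps the `0` terminator as the last element in every build configuration. How the list is walked is outside the hunk, so this assumes nothing further down depends on a fixed length of 6.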
>@@ -870,15 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> goto done;
> }
>
>- /* FIXME: add aes here - gd */
>+ aes_enctypes = talloc_strdup(fname, "");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+#endif
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+#endif
>+
> file_contents = talloc_asprintf(fname,
> "[libdefaults]\n\tdefault_realm = %s\n"
>- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
>+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
> "[realms]\n\t%s = {\n"
> "\t%s\t}\n",
>- realm_upper, realm_upper, kdc_ip_string);
>+ realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
>+ realm_upper, kdc_ip_string);
>
> if (!file_contents) {
> goto done;
>--
>1.7.12.2
>
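Review bot: The new `default_tgs_enctypes`, `default_tkt_enctypes` and `preferred_enctypes` lines still offer RC4-HMAC and both single-DES types after the AES names, and nothing in the hunk records that the order is deliberate or why the weak types stay. A short comment above the `talloc_strdup()` call would cover it, for example `/* AES first: enctype lists are in preference order; RC4/DES kept for KDCs without AES */`; the compatibility reason is my assumption and should be confirmed. When neither `HAVE_ENCTYPE_AES*` macro is defined each value starts with a blank, and with only AES256 defined there are two blanks before `RC4-HMAC`, which looks harmless but is avoidable by keeping the separator with each appended name. `talloc_strdup_append(aes_enctypes, "aes256-cts-hmac-sha1-96 ")` would do the same append without routing a literal through a format string. The function starts and ends outside the hunk.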
Flags:
jra
:
review+
metze
:
review-