The Samba-Bugzilla – Attachment 8020 Details for
Bug 9272
net ads join does not provide AES keys in host keytab
[patch]
v3-6-test patch
net_ads_join_does_not_provide_aes_keytypes.patch (text/plain), 4.28 KB, created by
Andreas Schneider
on 2012-10-09 12:39:33 UTC
Description:
v3-6-test patch
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2012-10-09 12:39:33 UTC
Size:
4.28 KB
>From cba208db96261c7b21fed7ee396af7df4837f3e1 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 15 Dec 2011 18:12:41 +0100
>Subject: [PATCH 1/2] s3-krb5: use and request AES keys in kerberos
> operations.
>
>Guenther
>
>(cherry picked from commit eae33e96fcaa456830862325b91579faf2a96213)
>---
> source3/libads/kerberos.c | 1 +
> source3/libads/kerberos_keytab.c | 8 +++++++-
> source3/libsmb/clikrb5.c | 6 ++++++
> 3 files changed, 14 insertions(+), 1 deletion(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index d496ade..a9da2d6 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -887,6 +887,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> goto done;
> }
>
>+ /* FIXME: add aes here - gd */
> file_contents = talloc_asprintf(fname,
> "[libdefaults]\n\tdefault_realm = %s\n"
> "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
>index 721a8c6..badce3e 100644
>--- a/source3/libads/kerberos_keytab.c
>+++ b/source3/libads/kerberos_keytab.c
>@@ -261,9 +261,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
> krb5_keytab keytab = NULL;
> krb5_data password;
> krb5_kvno kvno;
>- krb5_enctype enctypes[4] = {
>+ krb5_enctype enctypes[6] = {
> ENCTYPE_DES_CBC_CRC,
> ENCTYPE_DES_CBC_MD5,
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>+#endif
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
>+#endif
> ENCTYPE_ARCFOUR_HMAC,
> 0
> };
>diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
>index 7958205..59e1fa5 100644
>--- a/source3/libsmb/clikrb5.c
>+++ b/source3/libsmb/clikrb5.c
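Review bot: In the `ads_keytab_add_entry` hunk (source3/libads/kerberos_keytab.c) the hard-coded bound in `krb5_enctype enctypes[6] = {` has to be kept in step by hand with the number of `#ifdef` entries; with both AES macros defined the six initializers fill the array exactly, so a later addition that forgets to bump the bound would push the trailing `0` out with at most a compiler diagnostic. Letting the compiler size it, `krb5_enctype enctypes[] = {`, keeps the terminator in every build configuration. The code that walks the array is outside the hunk, so this assumes it stops at the `0` entry; a short comment such as `/* 0-terminated; AES entries depend on krb5 library support */` would record that.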
>@@ -868,6 +868,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
> ENCTYPE_ARCFOUR_HMAC,
> ENCTYPE_DES_CBC_MD5,
> ENCTYPE_DES_CBC_CRC,
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>+#endif
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
>+#endif
> ENCTYPE_NULL};
>
> initialize_krb5_error_table();
>--
>1.7.12.2
>
>
>From 26043039862cd530f51015fc070a596b31408976 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Mon, 19 Dec 2011 10:52:58 +0100
>Subject: [PATCH 2/2] s3-kerberos: add aes enctypes to generated krb5.conf.
>
>Guenther
>
>(cherry picked from commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe)
>---
> source3/libads/kerberos.c | 29 ++++++++++++++++++++++++-----
> 1 file changed, 24 insertions(+), 5 deletions(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index a9da2d6..6b8f247 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -850,6 +850,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> int fd;
> char *realm_upper = NULL;
> bool result = false;
>+ char *aes_enctypes = NULL;
>
> if (!lp_create_krb5_conf()) {
> return false;
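Review bot: In the `cli_krb5_get_ticket` hunk (source3/libsmb/clikrb5.c) the two AES entries are appended after `ENCTYPE_DES_CBC_CRC`, so they sit at the end of the list, behind RC4 and both single-DES types. The code that consumes the array is outside the hunk, but if it is handed to the krb5 library as an ordered enctype list, the strongest types become the least preferred. That is the opposite of what patch 2/2 writes into krb5.conf, where the AES names come first (`%s RC4-HMAC DES-CBC-CRC DES-CBC-MD5`). Moving both `#ifdef` blocks ahead of `ENCTYPE_ARCFOUR_HMAC`, with the AES256 block first, would make the two consistent.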
>@@ -887,15 +888,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> goto done;
> }
>
>- /* FIXME: add aes here - gd */
>+ aes_enctypes = talloc_strdup(fname, "");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+#endif
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+#endif
>+
> file_contents = talloc_asprintf(fname,
> "[libdefaults]\n\tdefault_realm = %s\n"
>- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
>+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
> "[realms]\n\t%s = {\n"
> "\t%s\t}\n",
>- realm_upper, realm_upper, kdc_ip_string);
>+ realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
>+ realm_upper, kdc_ip_string);
>
> if (!file_contents) {
> goto done;
>--
>1.7.12.2
>
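Review bot: The rewritten `talloc_asprintf` call in `create_local_private_krb5_conf_for_domain` loses the FIXME without gaining a comment that explains the enctype lines it now emits. AES is placed first and `RC4-HMAC DES-CBC-CRC DES-CBC-MD5` still follow it, so the generated krb5.conf continues to permit RC4 and single-DES. If that is deliberate, record it above the call, e.g. `/* enctypes in preference order: AES first, RC4/DES kept last as fallback */`. Separately, when only the AES256 macro or neither macro is defined, `"%s RC4-HMAC"` yields a doubled or leading space; this is harmless only if the krb5.conf parser ignores extra whitespace, and appending each name with its own trailing space and formatting with `%sRC4-HMAC` avoids relying on that. The function body starts and ends outside the hunk.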
Flags:
jra
:
review+
metze
:
review-