The Samba-Bugzilla – Attachment 8136 Details for Bug 9272: net ads join does not provide AES keys in host keytab
[patch] Patches for v4-0-test
tmp40.diff (text/plain), 5.61 KB, created by Stefan Metzmacher on 2012-11-02 10:18:35 UTC
>From ed79eda35350606467e932a5d14b1c9436884273 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Thu, 15 Dec 2011 18:12:41 +0100 >Subject: [PATCH 1/3] s3-krb5: use and request AES keys in kerberos > operations. > >Guenther >--- > lib/krb5_wrap/krb5_samba.c | 6 ++++++ > source3/libads/kerberos.c | 1 + > source3/libads/kerberos_keytab.c | 8 +++++++- > 3 files changed, 14 insertions(+), 1 deletion(-) > >diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c >index 1a5a710..8037337 100644 >--- a/lib/krb5_wrap/krb5_samba.c >+++ b/lib/krb5_wrap/krb5_samba.c >@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, > ENCTYPE_ARCFOUR_HMAC, > ENCTYPE_DES_CBC_MD5, > ENCTYPE_DES_CBC_CRC, >+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, >+#endif >+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, >+#endif > ENCTYPE_NULL}; > > initialize_krb5_error_table(); >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index 1093d12..fd39394 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -870,6 +870,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, > goto done; > } > >+ /* FIXME: add aes here - gd */ > file_contents = talloc_asprintf(fname, > "[libdefaults]\n\tdefault_realm = %s\n" > "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" >diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c >index eb2603b..b7df50d 100644 >--- a/source3/libads/kerberos_keytab.c >+++ b/source3/libads/kerberos_keytab.c 
>@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) > krb5_keytab keytab = NULL; > krb5_data password; > krb5_kvno kvno; >- krb5_enctype enctypes[4] = { >+ krb5_enctype enctypes[6] = { > ENCTYPE_DES_CBC_CRC, > ENCTYPE_DES_CBC_MD5, >+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, >+#endif >+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, >+#endif > ENCTYPE_ARCFOUR_HMAC, > 0 > }; >-- >1.7.9.5 > > >From 2648aaa803054ee9712fc32a82245524e50badd6 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Mon, 19 Dec 2011 10:52:58 +0100 >Subject: [PATCH 2/3] s3-kerberos: add aes enctypes to generated krb5.conf. > >Guenther >--- > source3/libads/kerberos.c | 29 ++++++++++++++++++++++++----- > 1 file changed, 24 insertions(+), 5 deletions(-) > >diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c >index fd39394..3183e26 100644 >--- a/source3/libads/kerberos.c >+++ b/source3/libads/kerberos.c >@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, > int fd; > char *realm_upper = NULL; > bool result = false; >+ char *aes_enctypes = NULL; > > if (!lp_create_krb5_conf()) { > return false; 
>@@ -870,15 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, > goto done; > } > >- /* FIXME: add aes here - gd */ >+ aes_enctypes = talloc_strdup(fname, ""); >+ if (aes_enctypes == NULL) { >+ goto done; >+ } >+ >+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 "); >+ if (aes_enctypes == NULL) { >+ goto done; >+ } >+#endif >+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96"); >+ if (aes_enctypes == NULL) { >+ goto done; >+ } >+#endif >+ > file_contents = talloc_asprintf(fname, > "[libdefaults]\n\tdefault_realm = %s\n" >- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" >- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" >- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" >+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" >+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" >+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" > "[realms]\n\t%s = {\n" > "\t%s\t}\n", >- realm_upper, realm_upper, kdc_ip_string); >+ realm_upper, aes_enctypes, aes_enctypes, aes_enctypes, >+ realm_upper, kdc_ip_string); > > if (!file_contents) { > goto done; >-- >1.7.9.5 > > >From 64a54cedda36b9acccc564f8e9981cae4b2798e0 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 22 Oct 2012 13:47:48 +0200 >Subject: [PATCH 3/3] lib/krb5_wrap: request enc_types in the correct order > (bug #9272) > >aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 >should have a higher priority than arcfour-hmac-md5, >otherwise the KDC still gives us arcfour-hmac-md5 session keys. 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >(cherry picked from commit 24f3f87706329e6e280dc6be6d025e997d46c910) >--- > lib/krb5_wrap/krb5_samba.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > >diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c >index 8037337..f04f6e1 100644 >--- a/lib/krb5_wrap/krb5_samba.c >+++ b/lib/krb5_wrap/krb5_samba.c >@@ -685,15 +685,15 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, > krb5_ccache ccdef = NULL; > krb5_auth_context auth_context = NULL; > krb5_enctype enc_types[] = { >- ENCTYPE_ARCFOUR_HMAC, >- ENCTYPE_DES_CBC_MD5, >- ENCTYPE_DES_CBC_CRC, >-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >- ENCTYPE_AES128_CTS_HMAC_SHA1_96, >-#endif > #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 > ENCTYPE_AES256_CTS_HMAC_SHA1_96, > #endif >+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, >+#endif >+ ENCTYPE_ARCFOUR_HMAC, >+ ENCTYPE_DES_CBC_MD5, >+ ENCTYPE_DES_CBC_CRC, > ENCTYPE_NULL}; > > initialize_krb5_error_table(); >-- >1.7.9.5 >
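Review bot: in the first hunk of 1/3 (lib/krb5_wrap/krb5_samba.c, cli_krb5_get_ticket) the new AES entries are appended after ENCTYPE_ARCFOUR_HMAC and the two DES types in enc_types[], so a KDC that honours the requested order will still return an RC4 or DES session key even though AES is now requested. List ENCTYPE_AES256_CTS_HMAC_SHA1_96 and ENCTYPE_AES128_CTS_HMAC_SHA1_96 ahead of ENCTYPE_ARCFOUR_HMAC instead; 3/3 makes exactly that reordering, so the two could be squashed to avoid an intermediate commit that requests AES but never obtains it.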
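Review bot: the source3/libads/kerberos.c hunk in 1/3 only adds `/* FIXME: add aes here - gd */` above the talloc_asprintf call, so the generated krb5.conf still advertises only `RC4-HMAC DES-CBC-CRC DES-CBC-MD5` for default_tgs_enctypes, default_tkt_enctypes and preferred_enctypes and a client using that file cannot benefit from the AES keys the other hunks add. A FIXME-only hunk is better folded into 2/3, which replaces it.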
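Review bot: in the source3/libads/kerberos_keytab.c hunk of 1/3, `krb5_enctype enctypes[6]` hard-codes the size while both AES entries are under #ifdef, so on a libkrb5 that lacks one or both HAVE_ENCTYPE_AES*_CTS_HMAC_SHA1_96 defines the array carries one or two extra zero-valued slots after the intended `0` terminator. That is only safe as long as every consumer stops at the first 0; an unsized `krb5_enctype enctypes[] = { ..., 0 };` removes the need to keep the count in step with the preprocessor conditionals.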
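Review bot: in the second kerberos.c hunk of 2/3 the separator handling is asymmetric: `"aes256-cts-hmac-sha1-96 "` carries a trailing space while `"aes128-cts-hmac-sha1-96"` does not, so with only AES256 available the config reads `aes256-cts-hmac-sha1-96  RC4-HMAC` (double space) and with neither available each enctype line begins with a leading space. krb5.conf tolerates both, but emitting each name with its own leading separator (e.g. `" aes128-cts-hmac-sha1-96"`) is more robust. Worth a comment in the hunk is that placing `%s` first in the three enctype lines is what makes AES preferred over RC4-HMAC and DES, since the order in these lists is the client's preference order. The NULL checks after each talloc_asprintf_append are correct: on failure the previous buffer stays under fname and is released with it at done.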
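Review bot: the 3/3 reorder to AES256, AES128, then ARCFOUR, DES-MD5, DES-CRC matches the commit message and the preference 2/3 writes into krb5.conf, so client requests and the generated config now agree. The enctypes[] array in source3/libads/kerberos_keytab.c (from 1/3) still lists the DES types first; as it appears to only select which keys are written to the keytab in ads_keytab_add_entry rather than a negotiation preference this is functionally fine, but ordering it the same way would make the intent consistent across the series.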
Flags:
gd: review+
metze: review? (abartlet)