The Samba-Bugzilla – Attachment 8137 Details for
Bug 9272
net ads join does not provide AES keys in host keytab
[patch]
Patches for v3-6-test
tmp36.diff (text/plain), 5.72 KB, created by
Stefan Metzmacher
on 2012-11-02 10:19:29 UTC
Description:
Patches for v3-6-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-11-02 10:19:29 UTC
Size:
5.72 KB
>From b682473bc18356b361d47adaff77e40996a09069 Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Thu, 15 Dec 2011 18:12:41 +0100
>Subject: [PATCH 1/3] s3-krb5: use and request AES keys in kerberos
> operations.
>
>Guenther
>
>(cherry picked from commit eae33e96fcaa456830862325b91579faf2a96213)
>---
> source3/libads/kerberos.c | 1 +
> source3/libads/kerberos_keytab.c | 8 +++++++-
> source3/libsmb/clikrb5.c | 6 ++++++
> 3 files changed, 14 insertions(+), 1 deletion(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index 52d2475..0a4566a 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -941,6 +941,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> goto done;
> }
>
>+ /* FIXME: add aes here - gd */
> file_contents = talloc_asprintf(fname,
> "[libdefaults]\n\tdefault_realm = %s\n"
> "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
>index 721a8c6..badce3e 100644
>--- a/source3/libads/kerberos_keytab.c
>+++ b/source3/libads/kerberos_keytab.c
>@@ -261,9 +261,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
> krb5_keytab keytab = NULL;
> krb5_data password;
> krb5_kvno kvno;
>- krb5_enctype enctypes[4] = {
>+ krb5_enctype enctypes[6] = {
> ENCTYPE_DES_CBC_CRC,
> ENCTYPE_DES_CBC_MD5,
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>+#endif
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
>+#endif
> ENCTYPE_ARCFOUR_HMAC,
> 0
> };
>diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
>index 7958205..59e1fa5 100644
>--- a/source3/libsmb/clikrb5.c
>+++ b/source3/libsmb/clikrb5.c
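Review bot: The explicit size in `krb5_enctype enctypes[6]` in ads_keytab_add_entry has to be kept in step by hand with the number of initializers, two of which depend on the HAVE_ENCTYPE_AES* macros. With both macros defined the array is exactly full, so a further enctype added without bumping the size would leave no room for the terminating `0` (an excess initializer that many compilers only warn about). The code that walks the list is outside this hunk, but it presumably stops at that terminator. Declaring it as `krb5_enctype enctypes[] = {` would let the compiler size the array, matching `enc_types[]` in cli_krb5_get_ticket later in this series.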
>@@ -868,6 +868,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
> ENCTYPE_ARCFOUR_HMAC,
> ENCTYPE_DES_CBC_MD5,
> ENCTYPE_DES_CBC_CRC,
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>+#endif
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
>+#endif
> ENCTYPE_NULL};
>
> initialize_krb5_error_table();
>--
>1.7.9.5
>
>
>From 037bf9e727659dc54760917ccf1d6d7c1860711a Mon Sep 17 00:00:00 2001
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
>Date: Mon, 19 Dec 2011 10:52:58 +0100
>Subject: [PATCH 2/3] s3-kerberos: add aes enctypes to generated krb5.conf.
>
>Guenther
>
>(cherry picked from commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe)
>---
> source3/libads/kerberos.c | 29 ++++++++++++++++++++++++-----
> 1 file changed, 24 insertions(+), 5 deletions(-)
>
>diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>index 0a4566a..9ab98d4 100644
>--- a/source3/libads/kerberos.c
>+++ b/source3/libads/kerberos.c
>@@ -904,6 +904,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> int fd;
> char *realm_upper = NULL;
> bool result = false;
>+ char *aes_enctypes = NULL;
>
> if (!lp_create_krb5_conf()) {
> return false;
>@@ -941,15 +942,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> goto done;
> }
>
>- /* FIXME: add aes here - gd */
>+ aes_enctypes = talloc_strdup(fname, "");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+
>+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
>+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+#endif
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
>+ if (aes_enctypes == NULL) {
>+ goto done;
>+ }
>+#endif
>+
> file_contents = talloc_asprintf(fname,
> "[libdefaults]\n\tdefault_realm = %s\n"
>- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
>+ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>+ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>+ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
> "[realms]\n\t%s = {\n"
> "\t%s\t}\n",
>- realm_upper, realm_upper, kdc_ip_string);
>+ realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
>+ realm_upper, kdc_ip_string);
>
> if (!file_contents) {
> goto done;
>--
>1.7.9.5
>
>
>From 36ff417edcf751dba34fe401710ff85cbd77bc1b Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 22 Oct 2012 13:47:48 +0200
>Subject: [PATCH 3/3] lib/krb5_wrap: request enc_types in the correct order
> (bug #9272)
>
>aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
>should have a higher priority than arcfour-hmac-md5,
>otherwise the KDC still gives us arcfour-hmac-md5 session keys.
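Review bot: The three enctype lines written to the generated krb5.conf still end in `RC4-HMAC DES-CBC-CRC DES-CBC-MD5`; the new `%s` only puts AES ahead of them, so the weaker types remain acceptable whenever the other side does not offer AES. If that is deliberate for older KDCs, a comment above the `talloc_asprintf` call would record it, for example `/* AES first so it is preferred; RC4 and DES stay listed for KDCs without AES */`. When neither HAVE_ENCTYPE_AES* macro is defined `aes_enctypes` is empty and each list begins with a stray space, which looks harmless but could be avoided by appending the separator together with each AES name. The appends of a fixed string could also use `talloc_strdup_append` rather than `talloc_asprintf_append(..., "%s", ...)`. create_local_private_krb5_conf_for_domain begins and ends outside this hunk.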
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Michael Adam <obnox@samba.org>
>(similar to commit 24f3f87706329e6e280dc6be6d025e997d46c910)
>---
> source3/libsmb/clikrb5.c | 12 ++++++------
> 1 file changed, 6 insertions(+), 6 deletions(-)
>
>diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
>index 59e1fa5..dce1df7 100644
>--- a/source3/libsmb/clikrb5.c
>+++ b/source3/libsmb/clikrb5.c
>@@ -865,15 +865,15 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
> krb5_ccache ccdef = NULL;
> krb5_auth_context auth_context = NULL;
> krb5_enctype enc_types[] = {
>- ENCTYPE_ARCFOUR_HMAC,
>- ENCTYPE_DES_CBC_MD5,
>- ENCTYPE_DES_CBC_CRC,
>-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>- ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>-#endif
> #ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
> ENCTYPE_AES256_CTS_HMAC_SHA1_96,
> #endif
>+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
>+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
>+#endif
>+ ENCTYPE_ARCFOUR_HMAC,
>+ ENCTYPE_DES_CBC_MD5,
>+ ENCTYPE_DES_CBC_CRC,
> ENCTYPE_NULL};
>
> initialize_krb5_error_table();
>--
>1.7.9.5
>
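Review bot: Nothing in the reordered `enc_types[]` initializer says that the position of an entry is its priority, which is the very thing the commit message reports as having gone wrong before. A short comment above the array would keep a later edit from moving entries again, for example `/* strongest first: list order is the requested priority (bug #9272) */`. The DES types are still requested at the end of the list; if they are kept only for old servers, that is worth stating in the same comment. cli_krb5_get_ticket starts and ends outside the hunk.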
Flags:
gd
:
review+
metze
:
review?
(
abartlet
)