The Samba-Bugzilla – Attachment 8189 Details for Bug 9272: net ads join does not provide AES keys in host keytab
[patch] fixed patch for 3.6.x
v3-6-test.patch (text/plain), 4.90 KB, created by Guenther Deschner on 2012-11-14 13:09:12 UTC
>From ba5c00d4fc0acff3592d32729d6948f129b14ce9 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Thu, 15 Dec 2011 17:50:33 +0100 >Subject: [PATCH 1/3] samba: check for AES encryption type defines. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Guenther > >Autobuild-User: Günther Deschner <gd@samba.org> >Autobuild-Date: Tue Jan 10 15:05:38 CET 2012 on sn-devel-104 >--- > source3/configure.in | 21 +++++++++++++++++++++ > source3/wscript | 2 ++ > 2 files changed, 23 insertions(+) > >diff --git a/source3/configure.in b/source3/configure.in >index 014d844..2018a6e 100644 >--- a/source3/configure.in >+++ b/source3/configure.in 
>@@ -4156,6 +4156,27 @@ if test x"$with_ads_support" != x"no"; then > found_arcfour_hmac=yes > fi > >+ AC_CACHE_CHECK([for ENCTYPE_AES128_CTS_HMAC_SHA1_96], >+ samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96,[ >+ AC_TRY_COMPILE([#include <krb5.h>], >+ [krb5_enctype enctype; enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96;], >+ samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96=yes, >+ samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96=no)]) >+ if test x"$samba_cv_HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96" = x"yes"; then >+ AC_DEFINE(HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96,1, >+ [Whether the ENCTYPE_AES128_CTS_HMAC_SHA1_96 key type definition is available]) >+ fi >+ AC_CACHE_CHECK([for ENCTYPE_AES256_CTS_HMAC_SHA1_96], >+ samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96,[ >+ AC_TRY_COMPILE([#include <krb5.h>], >+ [krb5_enctype enctype; enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96;], >+ samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96=yes, >+ samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96=no)]) >+ if test x"$samba_cv_HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96" = x"yes"; then >+ AC_DEFINE(HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96,1, >+ [Whether the ENCTYPE_AES256_CTS_HMAC_SHA1_96 key type definition is available]) >+ fi >+ > AC_CACHE_CHECK([for AP_OPTS_USE_SUBKEY], > samba_cv_HAVE_AP_OPTS_USE_SUBKEY,[ > AC_TRY_COMPILE([#include <krb5.h>], >diff --git a/source3/wscript b/source3/wscript >index 1ea3559..b40848d 100644 >--- a/source3/wscript >+++ b/source3/wscript 
>@@ -661,6 +661,8 @@ krb5_get_credentials_for_user krb5_get_host_realm krb5_free_host_realm''', > conf.CHECK_VARIABLE('KV5M_KEYTAB', headers='krb5.h') > conf.CHECK_VARIABLE('KRB5_KU_OTHER_CKSUM', headers='krb5.h') > conf.CHECK_VARIABLE('KRB5_KEYUSAGE_APP_DATA_CKSUM', headers='krb5.h') >+ conf.CHECK_VARIABLE('ENCTYPE_AES128_CTS_HMAC_SHA1_96', headers='krb5.h') >+ conf.CHECK_VARIABLE('ENCTYPE_AES256_CTS_HMAC_SHA1_96', headers='krb5.h') > conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'key', headers='krb5.h', > define='HAVE_KRB5_KEYTAB_ENTRY_KEY') > conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'keyblock', headers='krb5.h', >-- >1.7.11.7 > > >From 045870519562c3734eec3c925a0c7c83abe82a5c Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Tue, 13 Nov 2012 15:11:08 +0100 >Subject: [PATCH 2/3] s3-libsmb: make sure we copy at most 16 bytes in > cli_set_session_key(). > >Guenther >--- > source3/libsmb/cliconnect.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index f03219b..8653ba7 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c >@@ -94,7 +94,9 @@ static NTSTATUS smb_bytes_talloc_string(struct cli_state *cli, > > static void cli_set_session_key (struct cli_state *cli, const DATA_BLOB session_key) > { >- cli->user_session_key = data_blob(session_key.data, session_key.length); >+ cli->user_session_key = data_blob(NULL, 16); >+ data_blob_clear(&cli->user_session_key); >+ memcpy(cli->user_session_key.data, session_key.data, MIN(session_key.length, 16)); > } > > /**************************************************************************** >-- >1.7.11.7 > > >From fead0fc0500b5b00a8066ba9e3119abdf9d698bd Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Tue, 13 Nov 2012 16:23:52 +0100 >Subject: [PATCH 3/3] s3-kerberos: also try with AES keys, when decrypting > tickets. > >Guenther >--- > source3/libads/kerberos_verify.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c >index d4c68cd..56daf8f 100644 >--- a/source3/libads/kerberos_verify.c >+++ b/source3/libads/kerberos_verify.c >@@ -344,6 +344,12 @@ static krb5_error_code ads_secrets_verify_ticket(krb5_context context, > /* Let's make some room for 2 password (old and new)*/ > krb5_data passwords[2]; > krb5_enctype enctypes[] = { >+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 >+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, >+#endif >+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 >+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, >+#endif > ENCTYPE_ARCFOUR_HMAC, > ENCTYPE_DES_CBC_CRC, > ENCTYPE_DES_CBC_MD5, >-- >1.7.11.7 >
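Review bot: in the source3/configure.in hunk of PATCH 1/3, a failed AC_TRY_COMPILE probe only leaves HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 or HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 undefined, and with PATCH 3/3 that means enctypes[] in kerberos_verify.c compiles down to ENCTYPE_ARCFOUR_HMAC and the two DES types with no warning. Consider an AC_MSG_WARN in an else branch of each `if test x"$samba_cv_HAVE_ENCTYPE_AES..."` so a build against a krb5.h without the AES defines stands out. The two probes differ only in the key size and could share one macro or loop, and the commit message has no body explaining why the checks are needed.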
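Review bot: in the cli_set_session_key() hunk of PATCH 2/3, the blob returned by data_blob(NULL, 16) is handed to memcpy() without checking that cli->user_session_key.data is non-NULL, so an allocation failure turns into a write through a NULL pointer; since the function returns void, that needs an early return or a changed signature. The literal 16 appears twice with no name or comment, so a named constant and one line on why the key is limited to 16 bytes would help. A session_key shorter than 16 bytes now produces a 16-byte key padded with the cleared bytes instead of a key of the original length, which differs from the removed line and should be stated in the commit message if intended.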
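Review bot: in the ads_secrets_verify_ticket() hunk of PATCH 3/3, the two AES entries are added to enctypes[] but the hunk does not show how a key is derived from passwords[] for each entry. AES string-to-key takes a salt, unlike ENCTYPE_ARCFOUR_HMAC, so please confirm that the code consuming this array passes the correct salt for the new types, otherwise the AES attempts can never match. If the array order is meant as strongest first, a short comment above it saying so would keep later additions in the right place; the commit message body is also empty apart from the signature.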
Flags: metze: review+