Bug 13135 - The KDC logic arround msDs-supportedEncryptionTypes differs from Windows
Summary: The KDC logic arround msDs-supportedEncryptionTypes differs from Windows
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.7.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 14354
Blocks:
  Show dependency treegraph
 
Reported: 2017-11-14 15:15 UTC by Stefan Metzmacher
Modified: 2020-04-28 09:03 UTC (History)
3 users (show)

See Also:

Attachments
Work in progress patches (14.24 KB, patch)
2017-12-13 13:03 UTC, Stefan Metzmacher 		no flags Details
Work in progress for master (14.35 KB, patch)
2020-02-03 11:01 UTC, Stefan Metzmacher 		no flags Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2017-11-14 15:15:01 UTC 
It seems this attribute is only evaluated for objects with objectClass=computer
and not for normal accounts.

The presence of a supported encryption type should also have some meaning if
a key for that type is not yet stored in the database.

But the KDC should notice support for new encryption types and use
that for session keys.
Comment 1 Stefan Metzmacher 2017-12-13 13:03:06 UTC 
Created attachment 13866 [details]
Work in progress patches
Comment 2 Stefan Metzmacher 2020-02-03 11:01:37 UTC 
Created attachment 15761 [details]
Work in progress for master
Comment 3 Andrew Bartlett 2020-04-28 09:03:21 UTC 
I like our current behaviour where we have a way to control what encryption types are available.  Otherwise we have no way to, per user, control the encryption types.