Bug 13135 - The KDC logic around msDs-supportedEncryptionTypes differs from Windows
Summary: The KDC logic around msDs-supportedEncryptionTypes differs from Windows
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.7.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 14354
Blocks:
Reported: 2017-11-14 15:15 UTC by Stefan Metzmacher
Modified: 2020-04-28 09:03 UTC (History)

See Also:


Attachments
Work in progress patches (14.24 KB, patch)
2017-12-13 13:03 UTC, Stefan Metzmacher
Work in progress for master (14.35 KB, patch)
2020-02-03 11:01 UTC, Stefan Metzmacher

Description Stefan Metzmacher 2017-11-14 15:15:01 UTC
It seems this attribute is only evaluated for objects with objectClass=computer
and not for normal accounts.

The presence of a supported encryption type should also have some meaning if
a key for that type is not yet stored in the database.

But the KDC should notice support for new encryption types and use
that for session keys.
Comment 1 Stefan Metzmacher 2017-12-13 13:03:06 UTC
Created attachment 13866
Work in progress patches
Comment 2 Stefan Metzmacher 2020-02-03 11:01:37 UTC
Created attachment 15761
Work in progress for master
Comment 3 Andrew Bartlett 2020-04-28 09:03:21 UTC
I like our current behaviour where we have a way to control what encryption types are available.  Otherwise we have no way to, per user, control the encryption types.