There seems to be a bug in samba_kdc_message2entry_keys(): it tries to feed a DES key into smb_krb5_keyblock_init_contents() and fails. The problem goes away if msDS-SupportedEncryptionTypes is changed from 31 to 28.
Ouch, sorry for the bug, I guess we could remove them early from supported_enctypes.
This only happens if Primary:Kerberos-Newer-Keys is missing for the account. For Primary:Kerberos-Newer-Keys we already handle KRB5_PROG_ETYPE_NOSUPP. I'll add that check also for Primary:Kerberos. The rest should be handled as part of bug #13135.
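To make the failure mode in this bug reproducible without a Samba build, here is an added example (not Samba's code, not the patch attached below) that models the key-selection step in pure Python: the msDS-SupportedEncryptionTypes bit values and RFC 3961 enctype numbers are the real ones, but keyblock_init() is a stand-in for smb_krb5_keyblock_init_contents() that models a Kerberos library without DES, and the stored key material is constructed placeholder bytes. With value 31 the DES bits are set, the stored DES keys from Primary:Kerberos pass the bitmask filter and the strict path aborts the whole entry; with the KRB5_PROG_ETYPE_NOSUPP skip applied, or with value 28, only the RC4 key is returned and the entry is built.

```python
# Added example (not Samba's code): a pure-Python model of the key-selection
# step discussed in this bug. Enctype bit values and numbers are real;
# keyblock_init() and the key bytes are constructed stand-ins.

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7):
# (bit, name, RFC 3961 enctype number)
SUPPORTED_ENCTYPE_BITS = [
    (0x01, "DES-CBC-CRC", 1),
    (0x02, "DES-CBC-MD5", 3),
    (0x04, "RC4-HMAC", 23),
    (0x08, "AES128-CTS-HMAC-SHA1-96", 17),
    (0x10, "AES256-CTS-HMAC-SHA1-96", 18),
]
ETYPE_NAME = {etype: name for _, name, etype in SUPPORTED_ENCTYPE_BITS}

# Enctypes the modelled Kerberos library can still build keyblocks for.
# DES is deliberately absent: that is the KRB5_PROG_ETYPE_NOSUPP case.
LIB_SUPPORTED_ETYPES = {23, 17, 18}


class EtypeNotSupported(Exception):
    """Stand-in for KRB5_PROG_ETYPE_NOSUPP from the Kerberos library."""


def decode_supported_enctypes(value):
    """Return the enctype names whose bit is set in msDS-SupportedEncryptionTypes."""
    return [name for bit, name, _ in SUPPORTED_ENCTYPE_BITS if value & bit]


def allowed_etypes(value):
    """RFC 3961 enctype numbers the account's bitmask advertises."""
    return {etype for bit, _, etype in SUPPORTED_ENCTYPE_BITS if value & bit}


def keyblock_init(etype, key):
    """Model of smb_krb5_keyblock_init_contents(): fails for unsupported enctypes."""
    if etype not in LIB_SUPPORTED_ETYPES:
        raise EtypeNotSupported(etype)
    return (etype, key)


def select_keys(supported_enctypes, stored_keys, skip_unsupported):
    """Build keyblocks for an account's stored keys.

    stored_keys: list of (etype, key_bytes) as found in the password
    attributes. With skip_unsupported=False an unsupported enctype aborts
    the whole entry (the behaviour reported here); with True it is
    dropped and the remaining keys are still returned (the fix).
    """
    allowed = allowed_etypes(supported_enctypes)
    result = []
    for etype, key in stored_keys:
        if etype not in allowed:
            continue  # account does not advertise this enctype at all
        try:
            result.append(keyblock_init(etype, key))
        except EtypeNotSupported:
            if not skip_unsupported:
                raise
    return result


def entry_fails(supported_enctypes, stored_keys, skip_unsupported):
    """True if building the entry aborts with EtypeNotSupported."""
    try:
        select_keys(supported_enctypes, stored_keys, skip_unsupported)
    except EtypeNotSupported:
        return True
    return False


# Constructed stand-in for an account that only carries a Primary:Kerberos
# blob (DES keys) plus its RC4 key: no Primary:Kerberos-Newer-Keys, so no AES.
SAMPLE_STORED_KEYS = [
    (3, b"\x01" * 8),    # DES-CBC-MD5
    (1, b"\x02" * 8),    # DES-CBC-CRC
    (23, b"\x03" * 16),  # RC4-HMAC
]

if __name__ == "__main__":
    for value in (31, 28):
        print(value, decode_supported_enctypes(value))
        strict = "fails" if entry_fails(value, SAMPLE_STORED_KEYS, False) else "ok"
        print("  strict:", strict)
        kept = [ETYPE_NAME[e] for e, _ in select_keys(value, SAMPLE_STORED_KEYS, True)]
        print("  skipping unsupported:", kept)
```

Running it prints the bitmask decode for 31 and 28, then shows that the strict path fails only for 31 while the skipping path yields just the RC4 key in both cases.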
Created attachment 15938: WIP patch on top of v4-12-test

This should fix it. I don't know how to add a test for this... Would it be ok to defer tests to bug #13135?
Comment on attachment 15938 (WIP patch on top of v4-12-test): This seems to do the job...
(In reply to Stefan Metzmacher from comment #3) The patch looks good to me, not sure how bug #13135 would help with testing but otherwise testing seems pretty hard, so I think it would be fine to defer.
(In reply to Stefan Metzmacher from comment #3) So I thought the problem with testing was that we always set Primary:Kerberos-Newer-Keys in >=2008 and that there was no msDS-SupportedEncryptionTypes pre-2008, but it looks like there actually is one in the fl2003dc testenv (schema option?). The following fails, and gets fixed by your patch:

make -j testenv SELFTEST_TESTENV=fl2003dc:local SCREEN=1
bin/ldbedit -e vim -H st/fl2003dc/private/sam.ldb '(samaccountname=DC6$)'
(change SupportedEncryptionTypes from 28 to 31)
source4/scripting/bin/machineaccountccache cc
(In reply to Isaac Boukris from comment #6) I made a test based on the above, pipeline running: https://gitlab.com/samba-team/devel/samba/-/commits/iboukris-metze-des-key
(In reply to Stefan Metzmacher from comment #3) Looking at the code again, should we clean up key.salt in both places?
(In reply to Isaac Boukris from comment #7) I pushed a new version to that branch, adding cleanup of key.salt.
Reading more in MS-KILE and MS-ADA2, it doesn't sound exactly like the description in bug #13135 that msDS-SupportedEncryptionTypes only affects computer accounts, but rather that it only matters when generating a service ticket for an account. Quote from MS-ADA2 2.465, Attribute msDS-SupportedEncryptionTypes: "This attribute specifies the encryption algorithms supported by user, computer, or trust accounts. The Key Distribution Center (KDC) uses this information while generating a service ticket for this account." So I'd guess it shouldn't affect kinit even for a computer account, and should affect a user with an SPN when generating a ticket to it. I need to test, but if that's the case, the suggested test would be testing wrong behaviour..
(In reply to Isaac Boukris from comment #10) I don't mind if the test is indirect. The same code could be triggered by the samba-tool domain exportkeytab code if you prefer that.
(In reply to Andrew Bartlett from comment #11) I thought I'd change it to test a service ticket but "samba-tool domain exportkeytab" sounds better, I'll try that.
(In reply to Isaac Boukris from comment #12) Changed to test with "samba-tool domain exportkeytab", thanks.
Created attachment 16145: patch for v4-12-test branch

Pipeline for 4.12 branch running at: https://gitlab.com/samba-team/devel/samba/-/commits/iboukris-v4-12-test
Comment on attachment 16145 (patch for v4-12-test branch): This should also be added to 4.13
Comment on attachment 16145 (patch for v4-12-test branch): Please upload attachments with cherry-pick -x information for v4-12-test and v4-13-test, thanks!
Created attachment 16146: patch for v4-12-test branch with -x information
Created attachment 16147: patch for v4-13-test branch with -x information
Pushed to autobuild-v4-{13,12}-test.
Pushed to v4-{12,13}-test