commit 8e931fce126e8c1128da893c806702731c08758a
Author:     Alexander Bokovoy <ab@samba.org>
AuthorDate: Thu Jun 22 09:56:12 2023 +0300
Commit:     Andrew Bartlett <abartlet@samba.org>
CommitDate: Mon Apr 8 03:00:39 2024 +0000

    Do not fail checksums for RFC8009 types

    While Active Directory does not support yet RFC 8009 encryption and
    checksum types, it is possible to verify these checksums when running
    with both MIT Kerberos and Heimdal Kerberos. This matters for FreeIPA
    domain controller which uses them by default.

    [2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)] ../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
      smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
    [2023/06/16 21:51:04.924196, 2, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
      check_pac_checksum: Checksum Type 20 is not supported
    [2023/06/16 21:51:04.924228, 5, pid=51149, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
      PAC Decode: Failed to verify the service signature: Invalid argument

    Signed-off-by: Alexander Bokovoy <ab@samba.org>
    Reviewed-by: Andreas Schneider <asn@samba.org>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>

silently introduced the dependency for MIT 1.16 (if --with-system-mitkrb5 is used)
This bug was referenced in samba master: 5bcaafb757f704b2985057a5d3b1ad5fd42ae9f7
Created attachment 18451
Patch for v4-21-test