This patch allows Windows to send us TGTs using AES.

Simo.

-- 
Simo Sorce * Red Hat, Inc. * New York
From 6397e6acbe29a7b54539f307d30976deb68b1465 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 26 Sep 2012 18:34:57 -0400
Subject: [PATCH] Add support for using AES fo cross-realm TGTs

---
 ipaserver/dcerpc.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 86cf01dbac9aca21c35d2db65ef4d4c56e313709..be5ab0482545a501ab8e144e7e6a991c87a067a4 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -373,10 +373,19 @@ class TrustDomainInstance(object):
         except RuntimeError, e:
             pass
         try:
-            self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE)
+            trustdom_handle = self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE)
         except RuntimeError, (num, message):
             raise assess_dcerpc_exception(num=num, message=message)
 
+        try:
+            infoclass = lsa.TrustDomainInfoSupportedEncTypes()
+            infoclass.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
+            infoclass.enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+            infoclass.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+            self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES, infoclass)
+        except RuntimeError, e:
+            pass
+
     def verify_trust(self, another_domain):
         def retrieve_netlogon_info_2(domain, function_code, data):
             try:
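Review bot: The new `except RuntimeError, e: pass` around `SetInformationTrustedDomain` hides a failure that has a security consequence: if the call fails, the trust is created without the supported-encryption-types attribute, so the peer will presumably keep issuing RC4-only cross-realm TGTs, and nothing is recorded. If the call is meant to be best-effort (for peers that reject this info class), keep it non-fatal but use `except RuntimeError, (num, message):` and log `num` and `message` as a warning through whatever logger the module already has. Otherwise mirror the preceding block with `raise assess_dcerpc_exception(num=num, message=message)`. A one-line comment above the mask saying that `KERB_ENCTYPE_RC4_HMAC_MD5` is kept for compatibility with peers lacking AES would also help, since it leaves the weaker enctype negotiable. The enclosing method starts outside the hunk.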
-- 
1.7.11.4
