The branch, v3-6-test has been updated
       via  5fbedc1 lib/krb5_wrap: request enc_types in the correct order (bug 
#9272)
       via  789d801 s3-kerberos: add aes enctypes to generated krb5.conf.
       via  90b1e98 s3-krb5: use and request AES keys in kerberos operations.
      from  0e607ea s3-aio_pthread: Optimize aio_pthread_handle_completion

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 5fbedc11e685684e037d23f75f42ec234c6d08f0
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Oct 22 13:47:48 2012 +0200

    lib/krb5_wrap: request enc_types in the correct order (bug #9272)
    
    aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
    should have a higher priority than arcfour-hmac-md5,
    otherwise the KDC still gives us arcfour-hmac-md5 session keys.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Michael Adam <[email protected]>
    (similar to commit 24f3f87706329e6e280dc6be6d025e997d46c910)
    
    The last 3 patches address bug #9272 - net ads join does not provide AES 
keys in
    host keytab.

commit 789d801b69934e34ac293342516fa4e1cc68b4fa
Author: Günther Deschner <[email protected]>
Date:   Mon Dec 19 10:52:58 2011 +0100

    s3-kerberos: add aes enctypes to generated krb5.conf.
    
    Guenther
    
    (cherry picked from commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe)

commit 90b1e987ac0cfda112267a0e8e1d98af70df1bc8
Author: Günther Deschner <[email protected]>
Date:   Thu Dec 15 18:12:41 2011 +0100

    s3-krb5: use and request AES keys in kerberos operations.
    
    Guenther
    
    (cherry picked from commit eae33e96fcaa456830862325b91579faf2a96213)

-----------------------------------------------------------------------

Summary of changes:
 source3/libads/kerberos.c        |   28 ++++++++++++++++++++++++----
 source3/libads/kerberos_keytab.c |    8 +++++++-
 source3/libsmb/clikrb5.c         |    6 ++++++
 3 files changed, 37 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d496ade..6b8f247 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -850,6 +850,7 @@ bool create_local_private_krb5_conf_for_domain(const char 
*realm,
        int fd;
        char *realm_upper = NULL;
        bool result = false;
+       char *aes_enctypes = NULL;
 
        if (!lp_create_krb5_conf()) {
                return false;
@@ -887,14 +888,33 @@ bool create_local_private_krb5_conf_for_domain(const char 
*realm,
                goto done;
        }
 
+       aes_enctypes = talloc_strdup(fname, "");
+       if (aes_enctypes == NULL) {
+               goto done;
+       }
+
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+       aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", 
"aes256-cts-hmac-sha1-96 ");
+       if (aes_enctypes == NULL) {
+               goto done;
+       }
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+       aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", 
"aes128-cts-hmac-sha1-96");
+       if (aes_enctypes == NULL) {
+               goto done;
+       }
+#endif
+
        file_contents = talloc_asprintf(fname,
                                        "[libdefaults]\n\tdefault_realm = %s\n"
-                                       "\tdefault_tgs_enctypes = RC4-HMAC 
DES-CBC-CRC DES-CBC-MD5\n"
-                                       "\tdefault_tkt_enctypes = RC4-HMAC 
DES-CBC-CRC DES-CBC-MD5\n"
-                                       "\tpreferred_enctypes = RC4-HMAC 
DES-CBC-CRC DES-CBC-MD5\n\n"
+                                       "\tdefault_tgs_enctypes = %s RC4-HMAC 
DES-CBC-CRC DES-CBC-MD5\n"
+                                       "\tdefault_tkt_enctypes = %s RC4-HMAC 
DES-CBC-CRC DES-CBC-MD5\n"
+                                       "\tpreferred_enctypes = %s RC4-HMAC 
DES-CBC-CRC DES-CBC-MD5\n\n"
                                        "[realms]\n\t%s = {\n"
                                        "\t%s\t}\n",
-                                       realm_upper, realm_upper, 
kdc_ip_string);
+                                       realm_upper, aes_enctypes, 
aes_enctypes, aes_enctypes,
+                                       realm_upper, kdc_ip_string);
 
        if (!file_contents) {
                goto done;
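Review bot: All three enctype lines written to the generated krb5.conf still end in `RC4-HMAC DES-CBC-CRC DES-CBC-MD5`, so the AES types added here are preferred but not required, and a peer without AES keys will still fall back to the legacy types. The same applies to `enc_types[]` in clikrb5.c and `enctypes[6]` in kerberos_keytab.c. If the fallback is deliberate for compatibility, a comment above the `talloc_asprintf` call should say so, e.g. `/* AES first so it is preferred; RC4/DES kept for KDCs without AES keys */`. Separately, the separator is a trailing space inside the AES256 literal while the format string adds its own space before `RC4-HMAC`, so the output has a doubled space whenever HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 is not defined; the krb5.conf parser presumably tolerates that, but it is worth confirming. The function starts and ends outside the hunk.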
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 721a8c6..badce3e 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -261,9 +261,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char 
*srvPrinc)
        krb5_keytab keytab = NULL;
        krb5_data password;
        krb5_kvno kvno;
-        krb5_enctype enctypes[4] = {
+        krb5_enctype enctypes[6] = {
                ENCTYPE_DES_CBC_CRC,
                ENCTYPE_DES_CBC_MD5,
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+               ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+               ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
                ENCTYPE_ARCFOUR_HMAC,
                0
        };
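Review bot: The array bound is raised to a hard-coded `6`, which fits the list exactly (two DES, two AES, ARCFOUR and the `0` terminator) only when both HAVE_ENCTYPE_* macros are defined. clikrb5.c declares its list unsized, and `krb5_enctype enctypes[] = {` here would keep the count in step with the #ifdefs, provided nothing outside the hunk depends on the fixed size. The entries are also ordered differently from clikrb5.c (DES first, AES128 before AES256). If order does not matter for keytab entries, which this hunk does not show, a comment such as `/* one keytab entry per enctype; order is not a preference */` would avoid confusion with the request-order fix in the same series. ads_keytab_add_entry continues outside the hunk.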
diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c
index 7958205..dce1df7 100644
--- a/source3/libsmb/clikrb5.c
+++ b/source3/libsmb/clikrb5.c
@@ -865,6 +865,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
        krb5_ccache ccdef = NULL;
        krb5_auth_context auth_context = NULL;
        krb5_enctype enc_types[] = {
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+               ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+               ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
                ENCTYPE_ARCFOUR_HMAC,
                ENCTYPE_DES_CBC_MD5,
                ENCTYPE_DES_CBC_CRC,
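Review bot: Nothing at the `enc_types[]` initializer records that the order is significant, although the commit message says AES must rank above arcfour-hmac-md5 or the KDC still issues arcfour session keys. A later edit could reorder or append to the list without noticing. A one-line comment above the array, e.g. `/* preference order, strongest first (see bug #9272) */`, would protect it. The initializer and the rest of cli_krb5_get_ticket continue outside the hunk.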


-- 
Samba Shared Repository
