The branch, master has been updated via 6444a743525 s3:libads: Also add a realm entry for the domain name via a5303967287 s3:libads: Only add RC4 if weak crypto is allowed via 9cf1aecd73e s3:libads: Remove DES legacy types for Kerberos from bd9f64d19dc Fixed arrow keys typo to the computer move command utility
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6444a743525532c70634e2dd4cacadce54ba2eab Author: Andreas Schneider <a...@samba.org> Date: Thu Sep 3 13:49:33 2020 +0200 s3:libads: Also add a realm entry for the domain name This is required if we try to authenticate as Administrator@DOMAIN so it can find the KDC. This fixes 'net ads join' for ad_member_fips if we require Kerberos auth. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14479 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Mon Sep 7 09:25:33 UTC 2020 on sn-devel-184 commit a5303967287cef0c3d0b653e2aca73d25d438cf7 Author: Andreas Schneider <a...@samba.org> Date: Thu Sep 3 11:45:33 2020 +0200 s3:libads: Only add RC4 if weak crypto is allowed Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> commit 9cf1aecd73e011ad03ddb072760454379b3f0a32 Author: Andreas Schneider <a...@samba.org> Date: Thu Sep 3 11:11:14 2020 +0200 s3:libads: Remove DES legacy types for Kerberos We already removed DES support for Kerberos in Samba 4.12. Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/libads/kerberos.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 3fab68266f2..1db285cd29a 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -611,9 +611,10 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx) #endif } - if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || - lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) { - legacy_enctypes = "RC4-HMAC DES-CBC-CRC DES-CBC-MD5"; + if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED && + (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL || + lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY)) { + legacy_enctypes = "RC4-HMAC"; } enctypes = @@ -744,11 +745,15 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, "\tdns_lookup_kdc = true\n\n" "[realms]\n\t%s = {\n" "%s\t}\n" + "\t%s = {\n" + "%s\t}\n" "%s\n", realm_upper, enctypes, realm_upper, kdc_ip_string, + domain, + kdc_ip_string, include_system_krb5); if (!file_contents) { -- Samba Shared Repository