The branch, master has been updated
       via  3d98048a5a9 kdc: warn if DES-only keys enforced on the account
      from  31c9352099f docs-xml: Fix script location in syncmachinepasswordscript.xml
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 3d98048a5a94557d11f57a2057134dc90622aa37
Author: Alexander Bokovoy <a...@samba.org>
Date: Fri Aug 16 11:24:12 2024 +0300

    kdc: warn if DES-only keys enforced on the account

    With MIT Kerberos 1.21+ DES is not available by default and will be refused. This means userAccountFlags with UF_DES_KEYS_ONLY will result in a likely authentication failure (unless allow_des=true is set in krb5.conf).

    Warn about such cases to give admins yet another chance to detect an error in setting userAccountFlags.

    Signed-off-by: Alexander Bokovoy <a...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

    Autobuild-User(master): Alexander Bokovoy <a...@samba.org>
    Autobuild-Date(master): Sat Aug 17 11:59:01 UTC 2024 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 source4/kdc/db-glue.c | 3 +++
 1 file changed, 3 insertions(+)

Changeset truncated at 500 lines:

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 57007aef760..dd1c95cb925 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1741,6 +1741,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ if (userAccountControl & UF_USE_DES_KEY_ONLY) { supported_enctypes &= ~ENC_ALL_TYPES; + DBG_NOTICE("DES-only keys allowed on the account '%s', " + "most likely auth will fail through Kerberos\n", + samAccountName); } if (protected_user) {

--
Samba Shared Repository
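
Review bot: The DBG_NOTICE text in the three added lines says DES-only keys are "allowed" on the account, but the surrounding branch clears ENC_ALL_TYPES from supported_enctypes, so the account is being restricted to DES rather than permitted to use it; "enforced", as in the commit subject, would describe the condition accurately. The message also does not name the flag or the attribute, which leaves an admin reading the log with nothing to search for; consider wording along the lines of "UF_USE_DES_KEY_ONLY set in userAccountControl for account '%s', Kerberos authentication will most likely fail". The commit message refers to userAccountFlags and UF_DES_KEYS_ONLY while the code tests userAccountControl & UF_USE_DES_KEY_ONLY, so aligning the names in the log text with the code would avoid carrying that mismatch into the logs. Since the notice is emitted inside samba_kdc_message2entry whenever the flag is set, it is also worth confirming that notice level is the intended verbosity for a message that repeats each time such an entry is built.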