The branch, master has been updated
       via  46a7952880d CVE-2026-20833: WHATSNEW: Document new default for ‘kdc default domain supported enctypes’
       via  802649fa35e CVE-2026-20833: s4:kdc: Make default domain supported enctypes AES by default
       via  dc9f690b381 CVE-2026-20833: selftest: Avoid renaming ‘testallowed_account’
       via  5849c0c3281 CVE-2026-20833: python:tests: Set secure channel type for test credentials
       via  5f125ff5257 docs-xml: Add missing word
       via  9bf3ed52a3f lib:audit_logging: Fix code spelling
      from  bd66dc24183 build: allow `./configure _foo=x` to work like FOO=x

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 46a7952880d3b8ad20a718f587435371fa31d327
Author: Jennifer Sutton <[email protected]>
Date:   Wed Feb 4 13:51:38 2026 +1300

    CVE-2026-20833: WHATSNEW: Document new default for ‘kdc default domain supported enctypes’
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>
    
    Autobuild-User(master): Douglas Bagnall <[email protected]>
    Autobuild-Date(master): Wed Feb 18 01:52:23 UTC 2026 on atb-devel-224

commit 802649fa35ed37de69f6ca0593a39399575ac6e4
Author: Jennifer Sutton <[email protected]>
Date:   Fri Jan 30 15:03:42 2026 +1300

    CVE-2026-20833: s4:kdc: Make default domain supported enctypes AES by default
    
    If AES keys are available in the domain, assume that service accounts support
    AES by default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit dc9f690b3810e8c965a0602c8a25a1e83129702c
Author: Jennifer Sutton <[email protected]>
Date:   Wed Feb 4 14:43:09 2026 +1300

    CVE-2026-20833: selftest: Avoid renaming ‘testallowed_account’
    
    cli_credentials_get_keytab() uses the sAMAccountName to calculate the salt via
    cli_credentials_get_salt_principal(). Changing the sAMAccountName means that
    cli_credentials_get_keytab() will generate AES Kerberos keys using the wrong
    salt, and gensec authentication will fail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 5849c0c32810af1a10287afd02b990dde0f351d6
Author: Jennifer Sutton <[email protected]>
Date:   Tue Feb 3 14:36:59 2026 +1300

    CVE-2026-20833: python:tests: Set secure channel type for test credentials
    
    This will ensure that we use the correct salting algorithm for AES when we
    authenticate using gensec.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15998
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 5f125ff5257e63da48b8c5b56167abd5162d29da
Author: Jennifer Sutton <[email protected]>
Date:   Tue Jan 27 17:12:00 2026 +1300

    docs-xml: Add missing word
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

commit 9bf3ed52a3fadbd252e1b2e1afa9ae472edf3aaf
Author: Jennifer Sutton <[email protected]>
Date:   Mon Jan 26 11:23:34 2026 +1300

    lib:audit_logging: Fix code spelling
    
    Signed-off-by: Jennifer Sutton <[email protected]>
    Reviewed-by: Douglas Bagnall <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  8 ++++++
 .../security/kdcdefaultdomainsupportedenctypes.xml |  5 +++-
 .../smbdotconf/security/kdcsupportedenctypes.xml   |  2 +-
 lib/audit_logging/audit_logging.c                  |  8 +++---
 python/samba/tests/blackbox/claims.py              |  2 ++
 python/samba/tests/krb5/etype_tests.py             | 12 ++------
 python/samba/tests/krb5/kdc_base_test.py           | 24 ++++++++++++----
 selftest/knownfail_mit_kdc.d/etype                 | 32 +++++++---------------
 selftest/target/Samba4.pm                          | 19 ++-----------
 source4/kdc/db-glue.c                              | 13 ++++++---
 10 files changed, 60 insertions(+), 65 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d845d16cbe7..89b5e6628f2 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -22,6 +22,13 @@ JSON Audit logging
 The two leading spaces before the opening '{' on JSON audit log lines have been
 removed. And any embedded new line characters '\n' are converted to spaces.
 
+Domain encryption types changed to AES by default
+-------------------------------------------------
+
+The default value of the smb.conf option ‘kdc default domain supported 
enctypes’
+now corresponds to ‘aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96’ (both AES
+encryption types) if the domain functional level is 2008 or higher. This
+addresses CVE-2026-20833.
 
 REMOVED FEATURES
 ================
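Review bot: The new "Domain encryption types changed to AES by default" section covers only the functional level 2008 or higher case and does not say how to keep the previous behaviour. The smb.conf documentation changed in this same push names the fallback for lower levels (arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk); state it here too, and add a sentence that an explicit non-zero 'kdc default domain supported enctypes' still takes precedence, since db-glue.c only applies the new default when the configured value is 0.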
@@ -32,6 +39,7 @@ smb.conf changes
 
   Parameter Name                          Description     Default
   --------------                          -----------     -------
+  kdc default domain supported enctypes   New default     AES encryption types 
(if supported by domain)
 
 
 KNOWN ISSUES
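Review bot: The Default column in the added table row reads "AES encryption types (if supported by domain)", which is vaguer than the section added earlier in this file and runs past the table's column layout. Name the condition the code actually tests (domain functional level 2008 or higher) or shorten the cell and point to the section above.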
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml 
b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
index 984611167b5..32771c3428a 100644
--- a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -38,5 +38,8 @@
 
 </description>
 
-<value type="default">0<comment>maps to what the software supports currently: 
arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
+<value type="default">0<comment>maps to what the software supports currently. 
If
+AES keys are available (the domain functional level is 2008 or higher), this is
+aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96. Otherwise it is
+arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk.</comment></value>
 </samba:parameter>
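Review bot: The parenthetical in the new comment text treats "AES keys are available" and "the domain functional level is 2008 or higher" as the same thing, but the db-glue.c change in this push tests only the functional level. Word the default in terms of the functional level so the documentation matches the code, and say what an administrator should set if accounts without msDS-SupportedEncryptionTypes still need arcfour-hmac-md5.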
diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml 
b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
index 5e028bbb2be..bf78fff7eba 100644
--- a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
+++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
@@ -5,7 +5,7 @@
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
 <description>
   <para>
-    On an active directory domain controller, this is the list of supported 
encryption types for local running kdc.
+    On an active directory domain controller, this is the list of supported 
encryption types for the local running kdc.
   </para>
 
   <para>
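Review bot: The corrected sentence still reads "the local running kdc"; while this line is being touched, "the locally running KDC" would fix the grammar and the capitalisation in one pass.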
diff --git a/lib/audit_logging/audit_logging.c 
b/lib/audit_logging/audit_logging.c
index 58f32df1a25..728ffd8601e 100644
--- a/lib/audit_logging/audit_logging.c
+++ b/lib/audit_logging/audit_logging.c
@@ -86,7 +86,7 @@ char* audit_get_timestamp(TALLOC_CTX *frame)
  *
  * @param prefix Text to be printed at the start of the log line
  * @param message The content of the log line.
- * @param debub_class The debug class to log the message with.
+ * @param debug_class The debug class to log the message with.
  * @param debug_level The debug level to log the message with.
  */
 void audit_log_human_text(const char* prefix,
@@ -108,7 +108,7 @@ const struct json_object json_empty_object = {.valid = 
false, .root = NULL};
  * Write the json object to the audit logs as a formatted string
  *
  * @param message The content of the log line.
- * @param debub_class The debug class to log the message with.
+ * @param debug_class The debug class to log the message with.
  * @param debug_level The debug level to log the message with.
  */
 void audit_log_json(struct json_object* message,
@@ -211,8 +211,8 @@ static NTSTATUS get_event_server(
  *
  * @param msg_ctx an imessaging_context, can be NULL in which case no message
  *                will be sent.
- * @param server_name the naname of the event server to send the message to.
- * @param messag_type A message type defined in librpc/idl/messaging.idl
+ * @param server_name the name of the event server to send the message to.
+ * @param message_type A message type defined in librpc/idl/messaging.idl
  * @param message The message to send.
  *
  */
diff --git a/python/samba/tests/blackbox/claims.py 
b/python/samba/tests/blackbox/claims.py
index 3bedeed9512..da616e3b726 100755
--- a/python/samba/tests/blackbox/claims.py
+++ b/python/samba/tests/blackbox/claims.py
@@ -26,6 +26,7 @@ import os
 from samba import NTSTATUSError
 from samba.auth import AuthContext
 from samba.credentials import Credentials
+from samba.dcerpc.misc import SEC_CHAN_WKSTA
 from samba.gensec import FEATURE_SEAL, Security
 from samba.ntstatus import NT_STATUS_LOGON_FAILURE, NT_STATUS_UNSUCCESSFUL
 from samba.tests import BlackboxTestCase
@@ -485,6 +486,7 @@ class ClaimsSupportTests(BlackboxTestCase):
             client_creds.set_krb5_fast_armor_credentials(device_creds, True)
 
         target_creds = Credentials()
+        target_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
         target_creds.set_username(target_username)
         target_creds.set_password(target_password)
         target_creds.guess(lp)
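Review bot: target_creds.set_secure_channel_type(SEC_CHAN_WKSTA) is added without a comment, and nothing in this hunk shows that target_username always names a workstation account. The commit message gives the reason (the channel type selects the salting algorithm used for AES when authenticating with gensec); put that in a one-line comment above the call and confirm that no caller passes a non-machine target here.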
diff --git a/python/samba/tests/krb5/etype_tests.py 
b/python/samba/tests/krb5/etype_tests.py
index 7ac76f9e299..a9eed681fee 100755
--- a/python/samba/tests/krb5/etype_tests.py
+++ b/python/samba/tests/krb5/etype_tests.py
@@ -60,14 +60,6 @@ class EtypeTests(KdcTgsBaseTests):
         self.do_asn1_print = global_asn1_print
         self.do_hexdump = global_hexdump
 
-        self.default_supported_enctypes = self.default_etypes
-        if self.default_supported_enctypes is None:
-            lp = self.get_lp()
-            self.default_supported_enctypes = lp.get(
-                'kdc default domain supported enctypes')
-            if self.default_supported_enctypes == 0:
-                self.default_supported_enctypes = rc4_bit | aes256_sk_bit
-
     def _server_creds(self, supported=None, force_nt4_hash=False,
                       account_type=None):
         if account_type is None:
@@ -172,7 +164,7 @@ class EtypeTests(KdcTgsBaseTests):
         if not supported_bits:
             # If msDS-SupportedEncryptionTypes is missing or set to zero, the
             # default value, provided by smb.conf, is assumed.
-            supported_bits = self.default_supported_enctypes
+            supported_bits = self.default_supported_enctypes()
 
         # If msDS-SupportedEncryptionTypes specifies only non-etype bits, we
         # expect an error.
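Review bot: default_supported_enctypes changes from an attribute to a method under the same name, so any caller still written as self.default_supported_enctypes without parentheses now gets a bound method instead of an integer. Both uses visible in this file are updated; check the other KDCBaseTest subclasses for stale references, or name the method get_default_supported_enctypes() so a leftover attribute access fails with AttributeError straight away.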
@@ -248,7 +240,7 @@ class EtypeTests(KdcTgsBaseTests):
         if not supported_bits:
             # If msDS-SupportedEncryptionTypes is missing or set to zero, the
             # default value, provided by smb.conf, is assumed.
-            supported_bits = self.default_supported_enctypes
+            supported_bits = self.default_supported_enctypes()
 
         # If msDS-SupportedEncryptionTypes specifies only non-etype bits, we
         # expect an error.
diff --git a/python/samba/tests/krb5/kdc_base_test.py 
b/python/samba/tests/krb5/kdc_base_test.py
index 52484787253..3e27522d5bf 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -109,6 +109,8 @@ from samba.security import (
 
 rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5
 aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
+aes128_bit = security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+aes256_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
 
 import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
@@ -1647,6 +1649,21 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
 
         return keys
 
+    def default_supported_enctypes(self):
+        default_supported_enctypes = self.default_etypes
+        if default_supported_enctypes is None:
+            lp = self.get_lp()
+            default_supported_enctypes = lp.get(
+                'kdc default domain supported enctypes')
+            if default_supported_enctypes == 0:
+                if self.get_domain_functional_level() >= 
DS_DOMAIN_FUNCTION_2008:
+                    # AES keys are available.
+                    default_supported_enctypes = aes128_bit | aes256_bit
+                else:
+                    default_supported_enctypes = rc4_bit | aes256_sk_bit
+
+        return default_supported_enctypes
+
     def creds_set_keys(self, creds, keys):
         if keys is not None:
             for enctype, key in keys.items():
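Review bot: DS_DOMAIN_FUNCTION_2008 is referenced in the new default_supported_enctypes() but no visible hunk adds an import for it, so confirm this module already imports it. The method also has no docstring; one line saying that it mirrors the default selection in source4/kdc/db-glue.c would help keep the test expectation and the KDC in step when either changes.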
@@ -1663,12 +1680,7 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
         supported_enctypes = res[0].get('msDS-SupportedEncryptionTypes', idx=0)
 
         if supported_enctypes is None:
-            supported_enctypes = self.default_etypes
-        if supported_enctypes is None:
-            lp = self.get_lp()
-            supported_enctypes = lp.get('kdc default domain supported 
enctypes')
-            if supported_enctypes == 0:
-                supported_enctypes = rc4_bit | aes256_sk_bit
+            supported_enctypes = self.default_supported_enctypes()
         supported_enctypes = int(supported_enctypes)
 
         if extra_bits is not None:
diff --git a/selftest/knownfail_mit_kdc.d/etype 
b/selftest/knownfail_mit_kdc.d/etype
index df6f73dce74..ba00ef8475a 100644
--- a/selftest/knownfail_mit_kdc.d/etype
+++ b/selftest/knownfail_mit_kdc.d/etype
@@ -131,7 +131,6 @@
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_dc_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_member_account_stored_aes_rc4.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_0x0_supported_23__requested_member_account_stored_rc4_only.promoted_dc
@@ -2452,40 +2451,34 @@
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_dc_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_member_account_stored_aes_rc4.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_as_None_supported_23__requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_23_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_18_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_18_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17_23_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_17__requested_member_account_stored_rc4_only.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_23_17_18_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_23_17_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_23_18_17_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_23_18_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x0_supported_23__requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17_18_23_requested_dc_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0x10000_supported_17_18_23_requested_member_account_stored_aes_rc4.ad_dc
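Review bot: All five entries added in this hunk are tgs_0x0 supported_23_* member_account stored_aes_rc4 cases and all are for promoted_dc only, while the tgs_0x0 entries removed above covered both ad_dc and promoted_dc. None of the commit messages in this push explain why these RC4-first cases are now expected to fail against the MIT KDC on promoted_dc but not on ad_dc; record the reason in the commit message or in bug 15998 so the entries do not become permanent knownfails.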
@@ -3089,34 +3082,29 @@
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_0xC_supported_18__requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_23_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_18_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_18_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17_23_requested_member_account_stored_rc4_only.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_dc_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_dc_account_stored_rc4_only.promoted_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_member_account_stored_aes_rc4.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_member_account_stored_rc4_only.ad_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_17__requested_member_account_stored_rc4_only.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_23_17_18_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_23_17_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_23_18_17_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_23_18_requested_member_account_stored_aes_rc4.promoted_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_23__requested_member_account_stored_aes_rc4.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_tgs_aes_supported_aes_session_rc4_requested.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_tgs_aes_supported_rc4_requested.promoted_dc
 
^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_tgs_rc4_supported_aes_requested.ad_dc
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 546c9c70db7..0a5a3a5c8bf 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -994,10 +994,10 @@ sub provision_raw_step2($$$)
 
        my $cmd_env = $self->get_cmd_env_vars($ret);
 
-       my $testallowed_account = "testallowed";
+       my $testallowed_account = "testallowed account";
        my $samba_tool_cmd = ${cmd_env};
        $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
-           . " user create --configfile=$ctx->{smb_conf} $testallowed_account 
$ctx->{password}";
+           . " user create --configfile=$ctx->{smb_conf} 
'$testallowed_account' $ctx->{password}";
        unless (system($samba_tool_cmd) == 0) {
                warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
                return undef;
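Review bot: '$testallowed_account' is quoted by hand inside a string that goes to system(), while $ctx->{password} on the same command line stays unquoted. That works for the literal "testallowed account" but is fragile; quote both arguments the same way, or build the command so the shell does not have to re-parse the values. The warn() text on the context line also still says "testallowed user", which no longer matches the account name.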
@@ -1030,21 +1030,6 @@ sub provision_raw_step2($$$)
        }
 
        my $user_dn = "cn=$testallowed_account,cn=users,$base_dn";
-       $testallowed_account = "testallowed account";
-       open($ldif, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")
-           or die "Failed to run $ldbmodify: $!";
-       print $ldif "dn: $user_dn
-changetype: modify
-replace: samAccountName
-samAccountName: $testallowed_account
--
-";
-       close($ldif);
-       unless ($? == 0) {
-           warn("$ldbmodify failed: $?");
-           return undef;
-       }
-
        open($ldif, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")
             or die "Failed to run $ldbmodify: $!";
        print $ldif "dn: $user_dn
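Review bot: With the rename block removed, $user_dn on the context line is now built from "testallowed account" instead of "testallowed", so the remaining ldbmodify call depends on samba-tool user create having used the full account name, space included, as the CN. Add a short comment above my $user_dn stating that assumption, since a mismatch would only show up as an ldbmodify failure later in provisioning.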
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index be495b2e2ee..bdd4509de49 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1941,11 +1941,16 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
        struct ldb_message_element *objectclasses;
        struct ldb_val computer_val = data_blob_string_const("computer");
        struct ldb_val gmsa_oc_val = 
data_blob_string_const("msDS-GroupManagedServiceAccount");
+       int domain_functional_level = dsdb_functional_level(kdc_db_ctx->samdb);
        uint32_t config_default_supported_enctypes = 
lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+       uint32_t domain_default_supported_enctypes =
+               domain_functional_level >= DS_DOMAIN_FUNCTION_2008
+                       ? ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256
+                       : ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK;
        uint32_t default_supported_enctypes =
-               config_default_supported_enctypes != 0 ?
-               config_default_supported_enctypes :
-               ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK;
+               config_default_supported_enctypes != 0
+                       ? config_default_supported_enctypes
+                       : domain_default_supported_enctypes;
        uint32_t supported_enctypes
                = ldb_msg_find_attr_as_uint(msg,
                                            "msDS-SupportedEncryptionTypes",
@@ -1982,7 +1987,7 @@ static krb5_error_code 
samba_kdc_message2entry(krb5_context context,
                supported_enctypes = default_supported_enctypes;
        }
 
-       if (dsdb_functional_level(kdc_db_ctx->samdb) >= 
DS_DOMAIN_FUNCTION_2008) {
+       if (domain_functional_level >= DS_DOMAIN_FUNCTION_2008) {
                domain_enctypes |= ENC_HMAC_SHA1_96_AES128 | 
ENC_HMAC_SHA1_96_AES256;
        }
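Review bot: The fallback supported_enctypes = default_supported_enctypes on the context line at the top of this hunk now resolves to ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256 at functional level 2008 or higher, and no comment in either db-glue.c hunk explains why the functional level alone justifies that for an account with no msDS-SupportedEncryptionTypes. The reasoning is in the commit message ("assume that service accounts support AES by default"); put it in a comment where domain_default_supported_enctypes is defined in the preceding hunk, and note there what the KDC does for such an account that has only RC4 keys stored, which the stored_rc4_only cases in etype_tests.py exercise.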
 


-- 
Samba Shared Repository
