Update to Samba 4.12.0rc1
Guenther
This commit is contained in:
parent
303a0a99be
commit
9775be183c
2
.gitignore
vendored
2
.gitignore
vendored
@ -189,3 +189,5 @@ samba-3.6.0pre1.tar.gz
|
|||||||
/samba-4.11.4.tar.asc
|
/samba-4.11.4.tar.asc
|
||||||
/samba-4.11.5.tar.xz
|
/samba-4.11.5.tar.xz
|
||||||
/samba-4.11.5.tar.asc
|
/samba-4.11.5.tar.asc
|
||||||
|
/samba-4.12.0rc1.tar.xz
|
||||||
|
/samba-4.12.0rc1.tar.asc
|
||||||
|
@ -1,371 +0,0 @@
|
|||||||
From 21073bff847fbc41d3dab0a649fa400d8188fa16 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Date: Sat, 19 Oct 2019 23:48:19 +0300
|
|
||||||
Subject: [PATCH 1/2] smbdes: add des_crypt56_gnutls() using use DES-CBC with
|
|
||||||
zeroed IV
|
|
||||||
|
|
||||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
---
|
|
||||||
libcli/auth/smbdes.c | 47 ++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 47 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
|
|
||||||
index 6d9a6dc2ce8..37ede91ad22 100644
|
|
||||||
--- a/libcli/auth/smbdes.c
|
|
||||||
+++ b/libcli/auth/smbdes.c
|
|
||||||
@@ -23,6 +23,9 @@
|
|
||||||
#include "includes.h"
|
|
||||||
#include "libcli/auth/libcli_auth.h"
|
|
||||||
|
|
||||||
+#include <gnutls/gnutls.h>
|
|
||||||
+#include <gnutls/crypto.h>
|
|
||||||
+
|
|
||||||
/* NOTES:
|
|
||||||
|
|
||||||
This code makes no attempt to be fast! In fact, it is a very
|
|
||||||
@@ -273,6 +276,50 @@ static void str_to_key(const uint8_t *str,uint8_t *key)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8],
|
|
||||||
+ const uint8_t key_in[7], bool enc)
|
|
||||||
+{
|
|
||||||
+ static uint8_t iv8[8];
|
|
||||||
+ gnutls_datum_t iv = { iv8, 8 };
|
|
||||||
+ gnutls_datum_t key;
|
|
||||||
+ gnutls_cipher_hd_t ctx;
|
|
||||||
+ uint8_t key2[8];
|
|
||||||
+ uint8_t outb[8];
|
|
||||||
+ int ret;
|
|
||||||
+
|
|
||||||
+ memset(out, 0, 8);
|
|
||||||
+
|
|
||||||
+ str_to_key(key_in, key2);
|
|
||||||
+
|
|
||||||
+ key.data = key2;
|
|
||||||
+ key.size = 8;
|
|
||||||
+
|
|
||||||
+ ret = gnutls_global_init();
|
|
||||||
+ if (ret != 0) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ ret = gnutls_cipher_init(&ctx, GNUTLS_CIPHER_DES_CBC, &key, &iv);
|
|
||||||
+ if (ret != 0) {
|
|
||||||
+ return ret;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memcpy(outb, in, 8);
|
|
||||||
+ if (enc) {
|
|
||||||
+ ret = gnutls_cipher_encrypt(ctx, outb, 8);
|
|
||||||
+ } else {
|
|
||||||
+ ret = gnutls_cipher_decrypt(ctx, outb, 8);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (ret == 0) {
|
|
||||||
+ memcpy(out, outb, 8);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ gnutls_cipher_deinit(ctx);
|
|
||||||
+
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
basic des crypt using a 56 bit (7 byte) key
|
|
||||||
*/
|
|
||||||
--
|
|
||||||
2.22.0
|
|
||||||
|
|
||||||
|
|
||||||
From 6d6651213f391840e3004ec3b055f8f25be9b360 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Date: Mon, 21 Oct 2019 20:03:04 +0300
|
|
||||||
Subject: [PATCH 2/2] smbdes: use the new des_crypt56_gnutls()
|
|
||||||
|
|
||||||
and remove builtin DES crypto.
|
|
||||||
|
|
||||||
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
---
|
|
||||||
libcli/auth/smbdes.c | 258 +------------------------------------------
|
|
||||||
1 file changed, 1 insertion(+), 257 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/libcli/auth/smbdes.c b/libcli/auth/smbdes.c
|
|
||||||
index 37ede91ad22..7de05b75303 100644
|
|
||||||
--- a/libcli/auth/smbdes.c
|
|
||||||
+++ b/libcli/auth/smbdes.c
|
|
||||||
@@ -26,239 +26,6 @@
|
|
||||||
#include <gnutls/gnutls.h>
|
|
||||||
#include <gnutls/crypto.h>
|
|
||||||
|
|
||||||
-/* NOTES:
|
|
||||||
-
|
|
||||||
- This code makes no attempt to be fast! In fact, it is a very
|
|
||||||
- slow implementation
|
|
||||||
-
|
|
||||||
- This code is NOT a complete DES implementation. It implements only
|
|
||||||
- the minimum necessary for SMB authentication, as used by all SMB
|
|
||||||
- products (including every copy of Microsoft Windows95 ever sold)
|
|
||||||
-
|
|
||||||
- In particular, it can only do a unchained forward DES pass. This
|
|
||||||
- means it is not possible to use this code for encryption/decryption
|
|
||||||
- of data, instead it is only useful as a "hash" algorithm.
|
|
||||||
-
|
|
||||||
- There is no entry point into this code that allows normal DES operation.
|
|
||||||
-
|
|
||||||
- I believe this means that this code does not come under ITAR
|
|
||||||
- regulations but this is NOT a legal opinion. If you are concerned
|
|
||||||
- about the applicability of ITAR regulations to this code then you
|
|
||||||
- should confirm it for yourself (and maybe let me know if you come
|
|
||||||
- up with a different answer to the one above)
|
|
||||||
-*/
|
|
||||||
-
|
|
||||||
-
|
|
||||||
-static const uint8_t perm1[56] = {57, 49, 41, 33, 25, 17, 9,
|
|
||||||
- 1, 58, 50, 42, 34, 26, 18,
|
|
||||||
- 10, 2, 59, 51, 43, 35, 27,
|
|
||||||
- 19, 11, 3, 60, 52, 44, 36,
|
|
||||||
- 63, 55, 47, 39, 31, 23, 15,
|
|
||||||
- 7, 62, 54, 46, 38, 30, 22,
|
|
||||||
- 14, 6, 61, 53, 45, 37, 29,
|
|
||||||
- 21, 13, 5, 28, 20, 12, 4};
|
|
||||||
-
|
|
||||||
-static const uint8_t perm2[48] = {14, 17, 11, 24, 1, 5,
|
|
||||||
- 3, 28, 15, 6, 21, 10,
|
|
||||||
- 23, 19, 12, 4, 26, 8,
|
|
||||||
- 16, 7, 27, 20, 13, 2,
|
|
||||||
- 41, 52, 31, 37, 47, 55,
|
|
||||||
- 30, 40, 51, 45, 33, 48,
|
|
||||||
- 44, 49, 39, 56, 34, 53,
|
|
||||||
- 46, 42, 50, 36, 29, 32};
|
|
||||||
-
|
|
||||||
-static const uint8_t perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2,
|
|
||||||
- 60, 52, 44, 36, 28, 20, 12, 4,
|
|
||||||
- 62, 54, 46, 38, 30, 22, 14, 6,
|
|
||||||
- 64, 56, 48, 40, 32, 24, 16, 8,
|
|
||||||
- 57, 49, 41, 33, 25, 17, 9, 1,
|
|
||||||
- 59, 51, 43, 35, 27, 19, 11, 3,
|
|
||||||
- 61, 53, 45, 37, 29, 21, 13, 5,
|
|
||||||
- 63, 55, 47, 39, 31, 23, 15, 7};
|
|
||||||
-
|
|
||||||
-static const uint8_t perm4[48] = { 32, 1, 2, 3, 4, 5,
|
|
||||||
- 4, 5, 6, 7, 8, 9,
|
|
||||||
- 8, 9, 10, 11, 12, 13,
|
|
||||||
- 12, 13, 14, 15, 16, 17,
|
|
||||||
- 16, 17, 18, 19, 20, 21,
|
|
||||||
- 20, 21, 22, 23, 24, 25,
|
|
||||||
- 24, 25, 26, 27, 28, 29,
|
|
||||||
- 28, 29, 30, 31, 32, 1};
|
|
||||||
-
|
|
||||||
-static const uint8_t perm5[32] = { 16, 7, 20, 21,
|
|
||||||
- 29, 12, 28, 17,
|
|
||||||
- 1, 15, 23, 26,
|
|
||||||
- 5, 18, 31, 10,
|
|
||||||
- 2, 8, 24, 14,
|
|
||||||
- 32, 27, 3, 9,
|
|
||||||
- 19, 13, 30, 6,
|
|
||||||
- 22, 11, 4, 25};
|
|
||||||
-
|
|
||||||
-
|
|
||||||
-static const uint8_t perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32,
|
|
||||||
- 39, 7, 47, 15, 55, 23, 63, 31,
|
|
||||||
- 38, 6, 46, 14, 54, 22, 62, 30,
|
|
||||||
- 37, 5, 45, 13, 53, 21, 61, 29,
|
|
||||||
- 36, 4, 44, 12, 52, 20, 60, 28,
|
|
||||||
- 35, 3, 43, 11, 51, 19, 59, 27,
|
|
||||||
- 34, 2, 42, 10, 50, 18, 58, 26,
|
|
||||||
- 33, 1, 41, 9, 49, 17, 57, 25};
|
|
||||||
-
|
|
||||||
-
|
|
||||||
-static const uint8_t sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
|
|
||||||
-
|
|
||||||
-static const uint8_t sbox[8][4][16] = {
|
|
||||||
- {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
|
|
||||||
- {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
|
|
||||||
- {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
|
|
||||||
- {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
|
|
||||||
-
|
|
||||||
- {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
|
|
||||||
- {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
|
|
||||||
- {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
|
|
||||||
- {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
|
|
||||||
-
|
|
||||||
- {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
|
|
||||||
- {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
|
|
||||||
- {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
|
|
||||||
- {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
|
|
||||||
-
|
|
||||||
- {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
|
|
||||||
- {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
|
|
||||||
- {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
|
|
||||||
- {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
|
|
||||||
-
|
|
||||||
- {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
|
|
||||||
- {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
|
|
||||||
- {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
|
|
||||||
- {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
|
|
||||||
-
|
|
||||||
- {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
|
|
||||||
- {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
|
|
||||||
- {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
|
|
||||||
- {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
|
|
||||||
-
|
|
||||||
- {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
|
|
||||||
- {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
|
|
||||||
- {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
|
|
||||||
- {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
|
|
||||||
-
|
|
||||||
- {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
|
|
||||||
- {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
|
|
||||||
- {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
|
|
||||||
- {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
|
|
||||||
-
|
|
||||||
-static void permute(char *out, const char *in, const uint8_t *p, int n)
|
|
||||||
-{
|
|
||||||
- int i;
|
|
||||||
- for (i=0;i<n;i++)
|
|
||||||
- out[i] = in[p[i]-1];
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static void lshift(char *d, int count, int n)
|
|
||||||
-{
|
|
||||||
- char out[64];
|
|
||||||
- int i;
|
|
||||||
- for (i=0;i<n;i++)
|
|
||||||
- out[i] = d[(i+count)%n];
|
|
||||||
- for (i=0;i<n;i++)
|
|
||||||
- d[i] = out[i];
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static void concat(char *out, char *in1, char *in2, int l1, int l2)
|
|
||||||
-{
|
|
||||||
- while (l1--)
|
|
||||||
- *out++ = *in1++;
|
|
||||||
- while (l2--)
|
|
||||||
- *out++ = *in2++;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static void xor(char *out, char *in1, char *in2, int n)
|
|
||||||
-{
|
|
||||||
- int i;
|
|
||||||
- for (i=0;i<n;i++)
|
|
||||||
- out[i] = in1[i] ^ in2[i];
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static void dohash(char *out, char *in, char *key, int forw)
|
|
||||||
-{
|
|
||||||
- int i, j, k;
|
|
||||||
- char pk1[56];
|
|
||||||
- char c[28];
|
|
||||||
- char d[28];
|
|
||||||
- char cd[56];
|
|
||||||
- char ki[16][48];
|
|
||||||
- char pd1[64];
|
|
||||||
- char l[32], r[32];
|
|
||||||
- char rl[64];
|
|
||||||
-
|
|
||||||
- permute(pk1, key, perm1, 56);
|
|
||||||
-
|
|
||||||
- for (i=0;i<28;i++)
|
|
||||||
- c[i] = pk1[i];
|
|
||||||
- for (i=0;i<28;i++)
|
|
||||||
- d[i] = pk1[i+28];
|
|
||||||
-
|
|
||||||
- for (i=0;i<16;i++) {
|
|
||||||
- lshift(c, sc[i], 28);
|
|
||||||
- lshift(d, sc[i], 28);
|
|
||||||
-
|
|
||||||
- concat(cd, c, d, 28, 28);
|
|
||||||
- permute(ki[i], cd, perm2, 48);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- permute(pd1, in, perm3, 64);
|
|
||||||
-
|
|
||||||
- for (j=0;j<32;j++) {
|
|
||||||
- l[j] = pd1[j];
|
|
||||||
- r[j] = pd1[j+32];
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- for (i=0;i<16;i++) {
|
|
||||||
- char er[48];
|
|
||||||
- char erk[48];
|
|
||||||
- char b[8][6];
|
|
||||||
- char cb[32];
|
|
||||||
- char pcb[32];
|
|
||||||
- char r2[32];
|
|
||||||
-
|
|
||||||
- permute(er, r, perm4, 48);
|
|
||||||
-
|
|
||||||
- xor(erk, er, ki[forw ? i : 15 - i], 48);
|
|
||||||
-
|
|
||||||
- for (j=0;j<8;j++)
|
|
||||||
- for (k=0;k<6;k++)
|
|
||||||
- b[j][k] = erk[j*6 + k];
|
|
||||||
-
|
|
||||||
- for (j=0;j<8;j++) {
|
|
||||||
- int m, n;
|
|
||||||
- m = (b[j][0]<<1) | b[j][5];
|
|
||||||
-
|
|
||||||
- n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4];
|
|
||||||
-
|
|
||||||
- for (k=0;k<4;k++)
|
|
||||||
- b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- for (j=0;j<8;j++)
|
|
||||||
- for (k=0;k<4;k++)
|
|
||||||
- cb[j*4+k] = b[j][k];
|
|
||||||
- permute(pcb, cb, perm5, 32);
|
|
||||||
-
|
|
||||||
- xor(r2, l, pcb, 32);
|
|
||||||
-
|
|
||||||
- for (j=0;j<32;j++)
|
|
||||||
- l[j] = r[j];
|
|
||||||
-
|
|
||||||
- for (j=0;j<32;j++)
|
|
||||||
- r[j] = r2[j];
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- concat(rl, r, l, 32, 32);
|
|
||||||
-
|
|
||||||
- permute(out, rl, perm6, 64);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static void str_to_key(const uint8_t *str,uint8_t *key)
|
|
||||||
{
|
|
||||||
int i;
|
|
||||||
@@ -325,30 +92,7 @@ static int des_crypt56_gnutls(uint8_t out[8], const uint8_t in[8],
|
|
||||||
*/
|
|
||||||
void des_crypt56(uint8_t out[8], const uint8_t in[8], const uint8_t key[7], int forw)
|
|
||||||
{
|
|
||||||
- int i;
|
|
||||||
- char outb[64];
|
|
||||||
- char inb[64];
|
|
||||||
- char keyb[64];
|
|
||||||
- uint8_t key2[8];
|
|
||||||
-
|
|
||||||
- str_to_key(key, key2);
|
|
||||||
-
|
|
||||||
- for (i=0;i<64;i++) {
|
|
||||||
- inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
|
|
||||||
- keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
|
|
||||||
- outb[i] = 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- dohash(outb, inb, keyb, forw);
|
|
||||||
-
|
|
||||||
- for (i=0;i<8;i++) {
|
|
||||||
- out[i] = 0;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- for (i=0;i<64;i++) {
|
|
||||||
- if (outb[i])
|
|
||||||
- out[i/8] |= (1<<(7-(i%8)));
|
|
||||||
- }
|
|
||||||
+ (void)des_crypt56_gnutls(out, in, key, forw);
|
|
||||||
}
|
|
||||||
|
|
||||||
void E_P16(const uint8_t *p14,uint8_t *p16)
|
|
||||||
--
|
|
||||||
2.22.0
|
|
||||||
|
|
@ -1,314 +0,0 @@
|
|||||||
From 3828e798da8e0b44356039dd927f0624d5d182f9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Isaac Boukris <iboukris@gmail.com>
|
|
||||||
Date: Wed, 6 Nov 2019 12:12:55 +0200
|
|
||||||
Subject: [PATCH] Remove DES support if MIT Kerberos version does not support
|
|
||||||
it
|
|
||||||
|
|
||||||
---
|
|
||||||
source3/libads/kerberos_keytab.c | 2 -
|
|
||||||
source3/passdb/machine_account_secrets.c | 36 ------------------
|
|
||||||
source4/auth/kerberos/kerberos.h | 2 +-
|
|
||||||
.../dsdb/samdb/ldb_modules/password_hash.c | 12 ++++++
|
|
||||||
source4/kdc/db-glue.c | 4 +-
|
|
||||||
source4/torture/rpc/remote_pac.c | 37 -------------------
|
|
||||||
testprogs/blackbox/dbcheck-oldrelease.sh | 2 +-
|
|
||||||
testprogs/blackbox/functionalprep.sh | 2 +-
|
|
||||||
.../blackbox/test_export_keytab_heimdal.sh | 16 ++++----
|
|
||||||
.../blackbox/upgradeprovision-oldrelease.sh | 2 +-
|
|
||||||
10 files changed, 26 insertions(+), 89 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
|
|
||||||
index 97d5535041c..7d193e1a600 100644
|
|
||||||
--- a/source3/libads/kerberos_keytab.c
|
|
||||||
+++ b/source3/libads/kerberos_keytab.c
|
|
||||||
@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
|
|
||||||
krb5_data password;
|
|
||||||
krb5_kvno kvno;
|
|
||||||
krb5_enctype enctypes[6] = {
|
|
||||||
- ENCTYPE_DES_CBC_CRC,
|
|
||||||
- ENCTYPE_DES_CBC_MD5,
|
|
||||||
#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
|
|
||||||
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
|
|
||||||
#endif
|
|
||||||
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
|
|
||||||
index dfc21f295a1..efba80f1474 100644
|
|
||||||
--- a/source3/passdb/machine_account_secrets.c
|
|
||||||
+++ b/source3/passdb/machine_account_secrets.c
|
|
||||||
@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
|
|
||||||
krb5_keyblock key;
|
|
||||||
DATA_BLOB aes_256_b = data_blob_null;
|
|
||||||
DATA_BLOB aes_128_b = data_blob_null;
|
|
||||||
- DATA_BLOB des_md5_b = data_blob_null;
|
|
||||||
bool ok;
|
|
||||||
#endif /* HAVE_ADS */
|
|
||||||
DATA_BLOB arc4_b = data_blob_null;
|
|
||||||
@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
|
|
||||||
- NULL,
|
|
||||||
- &salt,
|
|
||||||
- &cleartext_utf8,
|
|
||||||
- ENCTYPE_DES_CBC_MD5,
|
|
||||||
- &key);
|
|
||||||
- if (krb5_ret != 0) {
|
|
||||||
- DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
|
|
||||||
- smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
|
|
||||||
- krb5_free_context(krb5_ctx);
|
|
||||||
- TALLOC_FREE(keys);
|
|
||||||
- TALLOC_FREE(salt_data);
|
|
||||||
- return krb5_ret;
|
|
||||||
- }
|
|
||||||
- des_md5_b = data_blob_talloc(keys,
|
|
||||||
- KRB5_KEY_DATA(&key),
|
|
||||||
- KRB5_KEY_LENGTH(&key));
|
|
||||||
- krb5_free_keyblock_contents(krb5_ctx, &key);
|
|
||||||
- if (des_md5_b.data == NULL) {
|
|
||||||
- DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
|
|
||||||
- krb5_free_context(krb5_ctx);
|
|
||||||
- TALLOC_FREE(keys);
|
|
||||||
- TALLOC_FREE(salt_data);
|
|
||||||
- return ENOMEM;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
krb5_free_context(krb5_ctx);
|
|
||||||
no_kerberos:
|
|
||||||
|
|
||||||
@@ -1227,15 +1200,6 @@ no_kerberos:
|
|
||||||
keys[idx].value = arc4_b;
|
|
||||||
idx += 1;
|
|
||||||
|
|
||||||
-#ifdef HAVE_ADS
|
|
||||||
- if (des_md5_b.length != 0) {
|
|
||||||
- keys[idx].keytype = ENCTYPE_DES_CBC_MD5;
|
|
||||||
- keys[idx].iteration_count = 4096;
|
|
||||||
- keys[idx].value = des_md5_b;
|
|
||||||
- idx += 1;
|
|
||||||
- }
|
|
||||||
-#endif /* HAVE_ADS */
|
|
||||||
-
|
|
||||||
p->salt_data = salt_data;
|
|
||||||
p->default_iteration_count = 4096;
|
|
||||||
p->num_keys = idx;
|
|
||||||
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
|
|
||||||
index 2ff9e3868af..1dd63acc838 100644
|
|
||||||
--- a/source4/auth/kerberos/kerberos.h
|
|
||||||
+++ b/source4/auth/kerberos/kerberos.h
|
|
||||||
@@ -50,7 +50,7 @@ struct keytab_container {
|
|
||||||
#define TOK_ID_GSS_GETMIC ((const uint8_t *)"\x01\x01")
|
|
||||||
#define TOK_ID_GSS_WRAP ((const uint8_t *)"\x02\x01")
|
|
||||||
|
|
||||||
-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \
|
|
||||||
+#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 | \
|
|
||||||
ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
|
|
||||||
|
|
||||||
#ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
|
|
||||||
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
|
|
||||||
index 006e35c46d5..f16937c6cab 100644
|
|
||||||
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
|
|
||||||
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
|
|
||||||
@@ -786,6 +786,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
|
|
||||||
* create ENCTYPE_DES_CBC_MD5 key out of
|
|
||||||
* the salt and the cleartext password
|
|
||||||
*/
|
|
||||||
+#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
|
|
||||||
NULL,
|
|
||||||
&salt,
|
|
||||||
@@ -804,6 +805,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
|
|
||||||
KRB5_KEY_DATA(&key),
|
|
||||||
KRB5_KEY_LENGTH(&key));
|
|
||||||
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
|
|
||||||
+#else
|
|
||||||
+ /* MIT has dropped support for DES enctypes, store a random key instead. */
|
|
||||||
+ io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);
|
|
||||||
+ generate_secret_buffer(io->g.des_md5.data, 8);
|
|
||||||
+#endif
|
|
||||||
if (!io->g.des_md5.data) {
|
|
||||||
return ldb_oom(ldb);
|
|
||||||
}
|
|
||||||
@@ -812,6 +818,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
|
|
||||||
* create ENCTYPE_DES_CBC_CRC key out of
|
|
||||||
* the salt and the cleartext password
|
|
||||||
*/
|
|
||||||
+#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
|
|
||||||
NULL,
|
|
||||||
&salt,
|
|
||||||
@@ -830,6 +837,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
|
|
||||||
KRB5_KEY_DATA(&key),
|
|
||||||
KRB5_KEY_LENGTH(&key));
|
|
||||||
krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
|
|
||||||
+#else
|
|
||||||
+ /* MIT has dropped support for DES enctypes, store a random key instead. */
|
|
||||||
+ io->g.des_crc = data_blob_talloc(io->ac, NULL, 8);
|
|
||||||
+ generate_secret_buffer(io->g.des_crc.data, 8);
|
|
||||||
+#endif
|
|
||||||
if (!io->g.des_crc.data) {
|
|
||||||
return ldb_oom(ldb);
|
|
||||||
}
|
|
||||||
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
|
|
||||||
index f62a633c6c7..023ae7b580d 100644
|
|
||||||
--- a/source4/kdc/db-glue.c
|
|
||||||
+++ b/source4/kdc/db-glue.c
|
|
||||||
@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
|
|
||||||
|
|
||||||
/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
|
|
||||||
if (userAccountControl & UF_USE_DES_KEY_ONLY) {
|
|
||||||
- supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
|
|
||||||
+ supported_enctypes = 0;
|
|
||||||
} else {
|
|
||||||
/* Otherwise, add in the default enc types */
|
|
||||||
- supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
|
|
||||||
+ supported_enctypes |= ENC_RC4_HMAC_MD5;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Is this the krbtgt or a RODC krbtgt */
|
|
||||||
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
|
|
||||||
index 7a5cda74b74..f12060e3c8f 100644
|
|
||||||
--- a/source4/torture/rpc/remote_pac.c
|
|
||||||
+++ b/source4/torture/rpc/remote_pac.c
|
|
||||||
@@ -38,7 +38,6 @@
|
|
||||||
|
|
||||||
#define TEST_MACHINE_NAME_BDC "torturepacbdc"
|
|
||||||
#define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
|
|
||||||
-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes"
|
|
||||||
#define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc"
|
|
||||||
#define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk"
|
|
||||||
|
|
||||||
@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
|
|
||||||
NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static bool test_PACVerify_workstation_des(struct torture_context *tctx,
|
|
||||||
- struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx)
|
|
||||||
-{
|
|
||||||
- struct samr_SetUserInfo r;
|
|
||||||
- union samr_UserInfo user_info;
|
|
||||||
- struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx);
|
|
||||||
- struct smb_krb5_context *smb_krb5_context;
|
|
||||||
- krb5_error_code ret;
|
|
||||||
-
|
|
||||||
- ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(),
|
|
||||||
- tctx->lp_ctx, &smb_krb5_context);
|
|
||||||
- torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed");
|
|
||||||
-
|
|
||||||
- if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) {
|
|
||||||
- torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes");
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /* Mark this workstation with DES-only */
|
|
||||||
- user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST;
|
|
||||||
- r.in.user_handle = torture_join_samr_user_policy(join_ctx);
|
|
||||||
- r.in.level = 16;
|
|
||||||
- r.in.info = &user_info;
|
|
||||||
-
|
|
||||||
- torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r),
|
|
||||||
- "failed to set DES info account flags");
|
|
||||||
- torture_assert_ntstatus_ok(tctx, r.out.result,
|
|
||||||
- "failed to set DES into account flags");
|
|
||||||
-
|
|
||||||
- return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
|
|
||||||
- TEST_MACHINE_NAME_WKSTA_DES,
|
|
||||||
- NETLOGON_NEG_AUTH2_ADS_FLAGS);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
|
|
||||||
uint16_t validation_level,
|
|
||||||
@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
|
|
||||||
&ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
|
|
||||||
torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
|
|
||||||
|
|
||||||
- tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des",
|
|
||||||
- &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
|
|
||||||
- torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des);
|
|
||||||
#ifdef SAMBA4_USES_HEIMDAL
|
|
||||||
tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
|
|
||||||
&ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
|
|
||||||
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
|
|
||||||
index 3d0ee2c165a..41c55178d4e 100755
|
|
||||||
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
|
|
||||||
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
|
|
||||||
@@ -388,7 +388,7 @@ referenceprovision() {
|
|
||||||
|
|
||||||
ldapcmp() {
|
|
||||||
if [ x$RELEASE = x"release-4-0-0" ]; then
|
|
||||||
- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
|
|
||||||
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh
|
|
||||||
index 80e82252d45..1d37611ef7a 100755
|
|
||||||
--- a/testprogs/blackbox/functionalprep.sh
|
|
||||||
+++ b/testprogs/blackbox/functionalprep.sh
|
|
||||||
@@ -61,7 +61,7 @@ provision_2012r2() {
|
|
||||||
ldapcmp_ignore() {
|
|
||||||
# At some point we will need to ignore, but right now, it should be perfect
|
|
||||||
IGNORE_ATTRS=$1
|
|
||||||
- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn
|
|
||||||
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes
|
|
||||||
}
|
|
||||||
|
|
||||||
ldapcmp() {
|
|
||||||
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
|
|
||||||
index cfa245fd4de..6a2595cd684 100755
|
|
||||||
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
|
|
||||||
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
|
|
||||||
@@ -43,7 +43,7 @@ test_keytab() {
|
|
||||||
|
|
||||||
echo "test: $testname"
|
|
||||||
|
|
||||||
- NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour")
|
|
||||||
+ NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour")
|
|
||||||
status=$?
|
|
||||||
if [ x$status != x0 ]; then
|
|
||||||
echo "failure: $testname"
|
|
||||||
@@ -64,22 +64,22 @@ unc="//$SERVER/tmp"
|
|
||||||
testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
|
|
||||||
|
|
||||||
testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
|
|
||||||
-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
|
|
||||||
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
|
|
||||||
testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
|
|
||||||
-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
|
|
||||||
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
|
|
||||||
|
|
||||||
testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
|
|
||||||
-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
|
|
||||||
+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
|
|
||||||
testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
|
|
||||||
-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
|
|
||||||
+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
|
|
||||||
|
|
||||||
testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
|
|
||||||
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
|
|
||||||
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
|
|
||||||
testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
|
|
||||||
-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
|
|
||||||
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
|
|
||||||
|
|
||||||
testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1`
|
|
||||||
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5
|
|
||||||
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3
|
|
||||||
|
|
||||||
KRB5CCNAME="$PREFIX/tmpuserccache"
|
|
||||||
export KRB5CCNAME
|
|
||||||
diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
|
|
||||||
index 76276168011..208baa54a02 100755
|
|
||||||
--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
|
|
||||||
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
|
|
||||||
@@ -106,7 +106,7 @@ referenceprovision() {
|
|
||||||
|
|
||||||
ldapcmp() {
|
|
||||||
if [ x$RELEASE != x"alpha13" ]; then
|
|
||||||
- $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
|
|
||||||
+ $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.23.0
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
From 5a084994144704a6c146b94f8a22cf57ce08deab Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <ab@samba.org>
|
|
||||||
Date: Mon, 7 Oct 2019 18:24:28 +0300
|
|
||||||
Subject: [PATCH] samba-tool: create working private krb5.conf
|
|
||||||
|
|
||||||
DNS update tool uses private krb5.conf which should have enough details
|
|
||||||
to authenticate with GSS-TSIG when running nsupdate.
|
|
||||||
|
|
||||||
Unfortunately, the configuration we provide is not enough. We set
|
|
||||||
defaults to not lookup REALM via DNS but at the same time we don't
|
|
||||||
provide any realm definition. As result, MIT Kerberos cannot actually
|
|
||||||
find a working realm for Samba AD deployment because it cannot query DNS
|
|
||||||
for a realm discovery or pick it up from the configuration.
|
|
||||||
|
|
||||||
Extend private krb5.conf with a realm definition that will allow MIT
|
|
||||||
Kerberos to look up KDC over DNS.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
|
||||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
||||||
---
|
|
||||||
source4/setup/krb5.conf | 8 ++++++++
|
|
||||||
1 file changed, 8 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
|
|
||||||
index b1bf6cf907d..ad6f2818fb5 100644
|
|
||||||
--- a/source4/setup/krb5.conf
|
|
||||||
+++ b/source4/setup/krb5.conf
|
|
||||||
@@ -2,3 +2,11 @@
|
|
||||||
default_realm = ${REALM}
|
|
||||||
dns_lookup_realm = false
|
|
||||||
dns_lookup_kdc = true
|
|
||||||
+
|
|
||||||
+[realms]
|
|
||||||
+${REALM} = {
|
|
||||||
+ default_domain = ${DNSDOMAIN}
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+[domain_realm]
|
|
||||||
+ ${HOSTNAME} = ${REALM}
|
|
||||||
--
|
|
||||||
2.21.0
|
|
||||||
|
|
1457
samba.spec
1457
samba.spec
File diff suppressed because it is too large
Load Diff
4
sources
4
sources
@ -1,2 +1,2 @@
|
|||||||
SHA512 (samba-4.11.5.tar.xz) = 476a6f9104c4fe80ac6390c862403f0cb27be7ce4d70d510b773d9339f315fd88bcad82a087b4d5b1939eb3346b861fec3522faae92b1e13eb42fdc19425d48e
|
SHA512 (samba-4.12.0rc1.tar.xz) = 27417aaddde134b041b140bc1b792919bc2d0b686e63652f62848a9853deeceef263a06c38a63fd8775a30ffbe60dcd88028427a87460213c611a4f5701eeca2
|
||||||
SHA512 (samba-4.11.5.tar.asc) = 0cb45e512046c3668c64a5e1e80eb0d0200281093d1c6bd3f924a332c220c23c913b1333d9a2a2623d232d2fbe269baf2b5fce3b9f2a16d785bd84282255577b
|
SHA512 (samba-4.12.0rc1.tar.asc) = 9b8548c60d1a7aa7878ae2b17d1ef47658cddb653e7638921dddb49b2c2f9c05ae315dbdc9041f83e584655a5dd1256630e7c09e6aa7e4f870f72402e2a84c0c
|
||||||
|
Loading…
Reference in New Issue
Block a user