diff --git a/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch b/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch new file mode 100644 index 0000000..f34cef2 --- /dev/null +++ b/samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch 
@@ -0,0 +1,64 @@ +commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe +Author: Günther Deschner +AuthorDate: Mon Dec 19 10:52:58 2011 +0100 +Commit: Günther Deschner +CommitDate: Tue Oct 2 16:22:31 2012 +0200 + + s3-kerberos: add aes enctypes to generated krb5.conf. + + Guenther +--- + source3/libads/kerberos.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index fd39394..3183e26 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + int fd; + char *realm_upper = NULL; + bool result = false; ++ char *aes_enctypes = NULL; + + if (!lp_create_krb5_conf()) { + return false; +@@ -870,15 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + goto done; + } + +- /* FIXME: add aes here - gd */ ++ aes_enctypes = talloc_strdup(fname, ""); ++ if (aes_enctypes == NULL) { ++ goto done; ++ } ++ ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 "); ++ if (aes_enctypes == NULL) { ++ goto done; ++ } ++#endif ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96"); ++ if (aes_enctypes == NULL) { ++ goto done; ++ } ++#endif ++ + file_contents = talloc_asprintf(fname, + "[libdefaults]\n\tdefault_realm = %s\n" +- "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" +- "\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" +- "\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" ++ "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" ++ "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" ++ "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" + "[realms]\n\t%s = {\n" + "\t%s\t}\n", +- realm_upper, realm_upper, kdc_ip_string); ++ 
realm_upper, aes_enctypes, aes_enctypes, aes_enctypes, ++ realm_upper, kdc_ip_string); + + if (!file_contents) { + goto done; diff --git a/samba-4.0.0rc4-request_aes_krb_keys.patch b/samba-4.0.0rc4-request_aes_krb_keys.patch new file mode 100644 index 0000000..31391f8 --- /dev/null +++ b/samba-4.0.0rc4-request_aes_krb_keys.patch 
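Review bot: The three rewritten enctype lines in create_local_private_krb5_conf_for_domain still end in `RC4-HMAC DES-CBC-CRC DES-CBC-MD5`, so the generated krb5.conf prefers AES but keeps single-DES and RC4 as permitted fallbacks for any peer that does not offer AES. If DES-only KDCs no longer need to be supported, the tail could shrink to `"\tdefault_tgs_enctypes = %s RC4-HMAC\n"`, with the same change on the `default_tkt_enctypes` and `preferred_enctypes` lines. If they must stay, a comment above the `talloc_asprintf` call would record the intent, for example `/* AES first: list order is preference; RC4/DES kept only for legacy KDCs */`. When neither `HAVE_ENCTYPE_AES*` macro is defined, `aes_enctypes` stays `""` and each list starts with a stray blank, which is presumably harmless to the parser but worth a word in that comment. The function body starts and ends outside the hunk, so how `aes_enctypes` is released at `done:` is not visible here.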
@@ -0,0 +1,65 @@ +commit eae33e96fcaa456830862325b91579faf2a96213 +Author: Günther Deschner +AuthorDate: Thu Dec 15 18:12:41 2011 +0100 +Commit: Günther Deschner +CommitDate: Tue Oct 2 16:22:31 2012 +0200 + + s3-krb5: use and request AES keys in kerberos operations. + + Guenther +--- + lib/krb5_wrap/krb5_samba.c | 6 ++++++ + source3/libads/kerberos.c | 1 + + source3/libads/kerberos_keytab.c | 8 +++++++- + 3 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c +index 1a5a710..8037337 100644 +--- a/lib/krb5_wrap/krb5_samba.c ++++ b/lib/krb5_wrap/krb5_samba.c +@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx, + ENCTYPE_ARCFOUR_HMAC, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_CRC, ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, ++#endif ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++#endif + ENCTYPE_NULL}; + + initialize_krb5_error_table(); +diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c +index 1093d12..fd39394 100644 +--- a/source3/libads/kerberos.c ++++ b/source3/libads/kerberos.c +@@ -870,6 +870,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, + goto done; + } + ++ /* FIXME: add aes here - gd */ + file_contents = talloc_asprintf(fname, + "[libdefaults]\n\tdefault_realm = %s\n" + "\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" +diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c +index eb2603b..b7df50d 100644 +--- a/source3/libads/kerberos_keytab.c ++++ b/source3/libads/kerberos_keytab.c +@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc) + krb5_keytab keytab = NULL; + krb5_data password; + krb5_kvno kvno; +- krb5_enctype enctypes[4] = { ++ krb5_enctype enctypes[6] = { + ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD5, ++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, 
++#endif ++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 ++ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++#endif + ENCTYPE_ARCFOUR_HMAC, + 0 + }; diff --git a/samba.spec b/samba.spec index 4c1527c..bbd0683 100644 --- a/samba.spec +++ b/samba.spec @@ -1,4 +1,4 @@ -%define main_release 154 +%define main_release 155 %define samba_version 4.0.0 %define talloc_version 2.0.7 @@ -65,6 +65,9 @@ Source100: smbprint Source200: README.dc Source201: README.downgrade +Patch0: samba-4.0.0rc4-request_aes_krb_keys.patch +Patch1: samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch + BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) Requires(pre): /usr/sbin/groupadd @@ -388,6 +391,9 @@ link against the SMB, RPC and other protocols. %prep %setup -q -n samba-%{version}%{pre_release} +%patch0 -p1 -b .request_aes_krb_keys +%patch1 -p1 -b .add_aes_enctypes_to_krb5_conf + %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util %global _tevent_lib ,tevent,pytevent @@ -1273,6 +1279,9 @@ rm -rf %{buildroot} %endif # with_libwbclient %changelog +* Tue Oct 16 2012 - Andreas Schneider - 2:4.0.0-155.rc3 +- Add back the AES patches which didn't make it in rc3. + * Tue Oct 16 2012 - Andreas Schneider - 2:4.0.0-154.rc3 - Update to 4.0.0rc3. - resolves: #805562 - Unable to share print queues.
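Review bot: In the cli_krb5_get_ticket hunk the AES entries are appended after `ENCTYPE_ARCFOUR_HMAC`, `ENCTYPE_DES_CBC_MD5` and `ENCTYPE_DES_CBC_CRC`, with AES128 ahead of AES256. The array's use is outside the hunk, but if it is handed to the library as an ordered preference list, RC4 and DES would still be selected ahead of AES, and the order would disagree with the generated krb5.conf in the other patch on this page, which lists AES first. Moving both `#ifdef` blocks to the top of the initializer, `ENCTYPE_AES256_CTS_HMAC_SHA1_96,` first and `ENCTYPE_AES128_CTS_HMAC_SHA1_96,` second, would make the strongest type the first choice. In ads_keytab_add_entry the hard-coded `enctypes[6]` has to be kept in step with the number of conditional entries by hand; `krb5_enctype enctypes[] = {` avoids that, provided the code outside the hunk relies only on the `0` terminator.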