path: root/source/n/samba/0001-handle-removal-des-enctypes-from-krb5.patch
From 3828e798da8e0b44356039dd927f0624d5d182f9 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 6 Nov 2019 12:12:55 +0200
Subject: [PATCH] Remove DES support if MIT Kerberos version does not support
 it

---
 source3/libads/kerberos_keytab.c              |  2 -
 source3/passdb/machine_account_secrets.c      | 36 ------------------
 source4/auth/kerberos/kerberos.h              |  2 +-
 .../dsdb/samdb/ldb_modules/password_hash.c    | 12 ++++++
 source4/kdc/db-glue.c                         |  4 +-
 source4/torture/rpc/remote_pac.c              | 37 -------------------
 testprogs/blackbox/dbcheck-oldrelease.sh      |  2 +-
 testprogs/blackbox/functionalprep.sh          |  2 +-
 .../blackbox/test_export_keytab_heimdal.sh    | 16 ++++----
 .../blackbox/upgradeprovision-oldrelease.sh   |  2 +-
 10 files changed, 26 insertions(+), 89 deletions(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 97d5535041c..7d193e1a600 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -240,8 +240,6 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc, bool update_ads)
 	krb5_data password;
 	krb5_kvno kvno;
         krb5_enctype enctypes[6] = {
-		ENCTYPE_DES_CBC_CRC,
-		ENCTYPE_DES_CBC_MD5,
 #ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
 		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
 #endif
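Review bot: `krb5_enctype enctypes[6]` keeps its explicit size although two initializers were removed, so at least two trailing slots are now zero-filled (ENCTYPE_NULL in both MIT and Heimdal); whether that is harmless depends on the consuming loop, which lies outside the hunk. If the loop stops at the first zero entry this is fine, but if it iterates over the full array the zero entries are handed to the key-creation call. Consider dropping the explicit bound, `krb5_enctype enctypes[] = {`, and ending the list with an explicit `ENCTYPE_NULL` sentinel so the termination is deliberate rather than a side effect of the size mismatch, or add a comment stating that the loop stops at the first zero. ads_keytab_add_entry's body continues outside the hunk.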
diff --git a/source3/passdb/machine_account_secrets.c b/source3/passdb/machine_account_secrets.c
index dfc21f295a1..efba80f1474 100644
--- a/source3/passdb/machine_account_secrets.c
+++ b/source3/passdb/machine_account_secrets.c
@@ -1031,7 +1031,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 	krb5_keyblock key;
 	DATA_BLOB aes_256_b = data_blob_null;
 	DATA_BLOB aes_128_b = data_blob_null;
-	DATA_BLOB des_md5_b = data_blob_null;
 	bool ok;
 #endif /* HAVE_ADS */
 	DATA_BLOB arc4_b = data_blob_null;
@@ -1177,32 +1176,6 @@ static int secrets_domain_info_kerberos_keys(struct secrets_domain_info1_passwor
 		return ENOMEM;
 	}
 
-	krb5_ret = smb_krb5_create_key_from_string(krb5_ctx,
-						   NULL,
-						   &salt,
-						   &cleartext_utf8,
-						   ENCTYPE_DES_CBC_MD5,
-						   &key);
-	if (krb5_ret != 0) {
-		DBG_ERR("generation of a des-cbc-md5 key failed: %s\n",
-			smb_get_krb5_error_message(krb5_ctx, krb5_ret, keys));
-		krb5_free_context(krb5_ctx);
-		TALLOC_FREE(keys);
-		TALLOC_FREE(salt_data);
-		return krb5_ret;
-	}
-	des_md5_b = data_blob_talloc(keys,
-				     KRB5_KEY_DATA(&key),
-				     KRB5_KEY_LENGTH(&key));
-	krb5_free_keyblock_contents(krb5_ctx, &key);
-	if (des_md5_b.data == NULL) {
-		DBG_ERR("data_blob_talloc failed for des-cbc-md5.\n");
-		krb5_free_context(krb5_ctx);
-		TALLOC_FREE(keys);
-		TALLOC_FREE(salt_data);
-		return ENOMEM;
-	}
-
 	krb5_free_context(krb5_ctx);
 no_kerberos:
 
@@ -1227,15 +1200,6 @@ no_kerberos:
 	keys[idx].value			= arc4_b;
 	idx += 1;
 
-#ifdef HAVE_ADS
-	if (des_md5_b.length != 0) {
-		keys[idx].keytype		= ENCTYPE_DES_CBC_MD5;
-		keys[idx].iteration_count	= 4096;
-		keys[idx].value			= des_md5_b;
-		idx += 1;
-	}
-#endif /* HAVE_ADS */
-
 	p->salt_data = salt_data;
 	p->default_iteration_count = 4096;
 	p->num_keys = idx;
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 2ff9e3868af..1dd63acc838 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -50,7 +50,7 @@ struct keytab_container {
 #define TOK_ID_GSS_GETMIC	((const uint8_t *)"\x01\x01")
 #define TOK_ID_GSS_WRAP		((const uint8_t *)"\x02\x01")
 
-#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 |	\
+#define ENC_ALL_TYPES (ENC_RC4_HMAC_MD5 |	\
 		       ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
 
 #ifndef HAVE_KRB5_SET_DEFAULT_TGS_KTYPES
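Review bot: ENC_ALL_TYPES drops ENC_CRC32 and ENC_RSA_MD5 unconditionally, whereas the password_hash.c change in this same patch keeps DES key derivation under `#ifdef SAMBA4_USES_HEIMDAL`; the subject line promises removal only when the MIT build lacks DES, but this mask (and the db-glue.c mask change) now affects Heimdal builds as well. If that is intended, the subject line and a comment on the macro should say so, e.g. `/* DES enctypes (ENC_CRC32, ENC_RSA_MD5) are deliberately excluded: no longer issued by either KDC backend */`. If Heimdal builds are meant to keep DES, the two old bits need the same `SAMBA4_USES_HEIMDAL` guard used in password_hash.c.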
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 006e35c46d5..f16937c6cab 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -786,6 +786,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
 	 * create ENCTYPE_DES_CBC_MD5 key out of
 	 * the salt and the cleartext password
 	 */
+#ifdef SAMBA4_USES_HEIMDAL
 	krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
 						   NULL,
 						   &salt,
@@ -804,6 +805,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
 					 KRB5_KEY_DATA(&key),
 					 KRB5_KEY_LENGTH(&key));
 	krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+#else
+	/* MIT has dropped support for DES enctypes, store a random key instead. */
+	io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);
+	generate_secret_buffer(io->g.des_md5.data, 8);
+#endif
 	if (!io->g.des_md5.data) {
 		return ldb_oom(ldb);
 	}
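Review bot: In the new `#else` branch, `generate_secret_buffer(io->g.des_md5.data, 8)` runs before the `if (!io->g.des_md5.data)` check that follows it, so an allocation failure in `data_blob_talloc` passes NULL to generate_secret_buffer instead of returning ldb_oom(); the `des_crc` branch in the next hunk has the same ordering. Move the OOM check inside the branch ahead of the fill: `io->g.des_md5 = data_blob_talloc(io->ac, NULL, 8);` `if (io->g.des_md5.data == NULL) { return ldb_oom(ldb); }` `generate_secret_buffer(io->g.des_md5.data, 8);`. The block comment above the branch ("create ENCTYPE_DES_CBC_MD5 key out of the salt and the cleartext password") is now only true for Heimdal and should state that MIT builds store a random 8-byte placeholder that is not derived from the password and is never usable for authentication. setup_kerberos_keys continues outside the hunk.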
@@ -812,6 +818,7 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
 	 * create ENCTYPE_DES_CBC_CRC key out of
 	 * the salt and the cleartext password
 	 */
+#ifdef SAMBA4_USES_HEIMDAL
 	krb5_ret = smb_krb5_create_key_from_string(io->smb_krb5_context->krb5_context,
 						   NULL,
 						   &salt,
@@ -830,6 +837,11 @@ static int setup_kerberos_keys(struct setup_password_fields_io *io)
 					 KRB5_KEY_DATA(&key),
 					 KRB5_KEY_LENGTH(&key));
 	krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+#else
+	/* MIT has dropped support for DES enctypes, store a random key instead. */
+	io->g.des_crc = data_blob_talloc(io->ac, NULL, 8);
+	generate_secret_buffer(io->g.des_crc.data, 8);
+#endif
 	if (!io->g.des_crc.data) {
 		return ldb_oom(ldb);
 	}
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index f62a633c6c7..023ae7b580d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -359,10 +359,10 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 
 	/* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
 	if (userAccountControl & UF_USE_DES_KEY_ONLY) {
-		supported_enctypes = ENC_CRC32|ENC_RSA_MD5;
+		supported_enctypes = 0;
 	} else {
 		/* Otherwise, add in the default enc types */
-		supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+		supported_enctypes |= ENC_RC4_HMAC_MD5;
 	}
 
 	/* Is this the krbtgt or a RODC krbtgt */
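Review bot: The comment above the branch, "don't allow use of the newer enc types", no longer matches the code: with the DES bits gone, `supported_enctypes = 0` leaves a UF_USE_DES_KEY_ONLY account with no enctypes at all, so presumably the principal ends up with no keys and cannot authenticate. That may be the intended outcome, but it is a silent one; reword the comment, e.g. `/* DES is no longer supported, so a UF_USE_DES_KEY_ONLY account gets no Kerberos keys at all */`, and consider a DBG_WARNING naming the account so operators can find such accounts from the logs. samba_kdc_message2entry_keys continues outside the hunk.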
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 7a5cda74b74..f12060e3c8f 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -38,7 +38,6 @@
 
 #define TEST_MACHINE_NAME_BDC "torturepacbdc"
 #define TEST_MACHINE_NAME_WKSTA "torturepacwksta"
-#define TEST_MACHINE_NAME_WKSTA_DES "torturepacwkdes"
 #define TEST_MACHINE_NAME_S4U2SELF_BDC "tests4u2selfbdc"
 #define TEST_MACHINE_NAME_S4U2SELF_WKSTA "tests4u2selfwk"
 
@@ -581,39 +580,6 @@ static bool test_PACVerify_workstation_aes(struct torture_context *tctx,
 			      NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES);
 }
 
-static bool test_PACVerify_workstation_des(struct torture_context *tctx,
-					   struct dcerpc_pipe *p, struct cli_credentials *credentials, struct test_join *join_ctx)
-{
-	struct samr_SetUserInfo r;
-	union samr_UserInfo user_info;
-	struct dcerpc_pipe *samr_pipe = torture_join_samr_pipe(join_ctx);
-	struct smb_krb5_context *smb_krb5_context;
-	krb5_error_code ret;
-
-	ret = cli_credentials_get_krb5_context(popt_get_cmdline_credentials(),
-			tctx->lp_ctx, &smb_krb5_context);
-	torture_assert_int_equal(tctx, ret, 0, "cli_credentials_get_krb5_context() failed");
-
-	if (smb_krb5_get_allowed_weak_crypto(smb_krb5_context->krb5_context) == FALSE) {
-		torture_skip(tctx, "Cannot test DES without [libdefaults] allow_weak_crypto = yes");
-	}
-
-	/* Mark this workstation with DES-only */
-	user_info.info16.acct_flags = ACB_USE_DES_KEY_ONLY | ACB_WSTRUST;
-	r.in.user_handle = torture_join_samr_user_policy(join_ctx);
-	r.in.level = 16;
-	r.in.info = &user_info;
-
-	torture_assert_ntstatus_ok(tctx, dcerpc_samr_SetUserInfo_r(samr_pipe->binding_handle, tctx, &r),
-		"failed to set DES info account flags");
-	torture_assert_ntstatus_ok(tctx, r.out.result,
-		"failed to set DES into account flags");
-
-	return test_PACVerify(tctx, p, credentials, SEC_CHAN_WKSTA,
-			      TEST_MACHINE_NAME_WKSTA_DES,
-			      NETLOGON_NEG_AUTH2_ADS_FLAGS);
-}
-
 #ifdef SAMBA4_USES_HEIMDAL
 static NTSTATUS check_primary_group_in_validation(TALLOC_CTX *mem_ctx,
 						  uint16_t validation_level,
@@ -1000,9 +966,6 @@ struct torture_suite *torture_rpc_remote_pac(TALLOC_CTX *mem_ctx)
 								      &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA);
 	torture_rpc_tcase_add_test_creds(tcase, "verify-sig-aes", test_PACVerify_workstation_aes);
 
-	tcase = torture_suite_add_machine_workstation_rpc_iface_tcase(suite, "netlogon-member-des",
-								      &ndr_table_netlogon, TEST_MACHINE_NAME_WKSTA_DES);
-	torture_rpc_tcase_add_test_join(tcase, "verify-sig", test_PACVerify_workstation_des);
 #ifdef SAMBA4_USES_HEIMDAL
 	tcase = torture_suite_add_machine_bdc_rpc_iface_tcase(suite, "netr-bdc-arcfour",
 							      &ndr_table_netlogon, TEST_MACHINE_NAME_S4U2SELF_BDC);
diff --git a/testprogs/blackbox/dbcheck-oldrelease.sh b/testprogs/blackbox/dbcheck-oldrelease.sh
index 3d0ee2c165a..41c55178d4e 100755
--- a/testprogs/blackbox/dbcheck-oldrelease.sh
+++ b/testprogs/blackbox/dbcheck-oldrelease.sh
@@ -388,7 +388,7 @@ referenceprovision() {
 
 ldapcmp() {
     if [ x$RELEASE = x"release-4-0-0" ]; then
-         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
+         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
     fi
 }
 
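Review bot: Adding msDS-SupportedEncryptionTypes to the ldapcmp `--filter` list permanently hides that attribute from the reference comparison without saying why; the same addition appears in upgradeprovision-oldrelease.sh and (as `--filter msDS-SupportedEncryptionTypes`) in functionalprep.sh. A one-line comment above the command, `# msDS-SupportedEncryptionTypes differs because DES enctypes are no longer provisioned`, would stop a later reader from removing the filter or wondering whether a real divergence is being masked. In functionalprep.sh the existing comment "right now, it should be perfect" is contradicted by the new filter and should be updated alongside it.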
diff --git a/testprogs/blackbox/functionalprep.sh b/testprogs/blackbox/functionalprep.sh
index 80e82252d45..1d37611ef7a 100755
--- a/testprogs/blackbox/functionalprep.sh
+++ b/testprogs/blackbox/functionalprep.sh
@@ -61,7 +61,7 @@ provision_2012r2() {
 ldapcmp_ignore() {
     # At some point we will need to ignore, but right now, it should be perfect
     IGNORE_ATTRS=$1
-    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn
+    $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/$2/private/sam.ldb tdb://$PREFIX_ABS/$3/private/sam.ldb --two --skip-missing-dn --filter msDS-SupportedEncryptionTypes
 }
 
 ldapcmp() {
diff --git a/testprogs/blackbox/test_export_keytab_heimdal.sh b/testprogs/blackbox/test_export_keytab_heimdal.sh
index cfa245fd4de..6a2595cd684 100755
--- a/testprogs/blackbox/test_export_keytab_heimdal.sh
+++ b/testprogs/blackbox/test_export_keytab_heimdal.sh
@@ -43,7 +43,7 @@ test_keytab() {
 
 	echo "test: $testname"
 
-	NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "des|aes|arcfour")
+	NKEYS=$($VALGRIND $samba4ktutil $keytab | grep -i "$principal" | egrep -c "aes|arcfour")
 	status=$?
 	if [ x$status != x0 ]; then
 		echo "failure: $testname"
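Review bot: Dropping `des` from the egrep pattern means a DES entry that still made it into the exported keytab would no longer be counted, so the test keeps passing with the expected 3 keys even if DES keys reappeared. A negative check after the count, e.g. `$VALGRIND $samba4ktutil $keytab | grep -i "$principal" | grep -qi "des-cbc" && echo "failure: $testname: unexpected DES key"`, would pin the intent of this patch. test_keytab's body continues outside the hunk.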
@@ -64,22 +64,22 @@ unc="//$SERVER/tmp"
 testit "create user locally" $VALGRIND $PYTHON $newuser nettestuser $USERPASS $@ || failed=`expr $failed + 1`
 
 testit "dump keytab from domain" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
+test_keytab "read keytab from domain" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
 testit "dump keytab from domain (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 5
+test_keytab "read keytab from domain (2nd time)" "$PREFIX/tmpkeytab" "$SERVER\\\$" 3
 
 testit "dump keytab from domain for cifs principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
+test_keytab "read keytab from domain for cifs principal" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
 testit "dump keytab from domain for cifs principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-server --principal=cifs/$SERVER_FQDN $@ || failed=`expr $failed + 1`
-test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 5
+test_keytab "read keytab from domain for cifs principal (2nd time)" "$PREFIX/tmpkeytab-server" "cifs/$SERVER_FQDN" 3
 
 testit "dump keytab from domain for user principal" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser $@ || failed=`expr $failed + 1`
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
 testit "dump keytab from domain for user principal (2nd time)" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-2 --principal=nettestuser@$REALM $@ || failed=`expr $failed + 1`
-test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 5
+test_keytab "dump keytab from domain for user principal (2nd time)" "$PREFIX/tmpkeytab-2" "nettestuser@$REALM" 3
 
 testit "dump keytab from domain for user principal with SPN as UPN" $VALGRIND $PYTHON $samba_tool domain exportkeytab $PREFIX/tmpkeytab-3 --principal=http/testupnspn.$DNSDOMAIN $@ || failed=`expr $failed + 1`
-test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 5
+test_keytab "dump keytab from domain for user principal" "$PREFIX/tmpkeytab-3" "http/testupnspn.$DNSDOMAIN@$REALM" 3
 
 KRB5CCNAME="$PREFIX/tmpuserccache"
 export KRB5CCNAME
diff --git a/testprogs/blackbox/upgradeprovision-oldrelease.sh b/testprogs/blackbox/upgradeprovision-oldrelease.sh
index 76276168011..208baa54a02 100755
--- a/testprogs/blackbox/upgradeprovision-oldrelease.sh
+++ b/testprogs/blackbox/upgradeprovision-oldrelease.sh
@@ -106,7 +106,7 @@ referenceprovision() {
 
 ldapcmp() {
     if [ x$RELEASE != x"alpha13" ]; then
-         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName
+         $PYTHON $BINDIR/samba-tool ldapcmp tdb://$PREFIX_ABS/${RELEASE}_upgrade_reference/private/sam.ldb tdb://$PREFIX_ABS/${RELEASE}_upgrade/private/sam.ldb --two --skip-missing-dn --filter=dnsRecord,displayName,msDS-SupportedEncryptionTypes
     fi
 }
 
-- 
2.23.0