Do not fail checksums for RFC8009 types
author Alexander Bokovoy <ab@samba.org>
Thu, 22 Jun 2023 06:56:12 +0000 (09:56 +0300)
committer Andrew Bartlett <abartlet@samba.org>
Mon, 8 Apr 2024 03:00:39 +0000 (03:00 +0000)
commit 8e931fce126e8c1128da893c806702731c08758a
tree a18fa3104eb7a0ccaf445fbdc0f29defdc46ef4a
parent 2ecb69d9b7f26777d45b6921ccc9d3bfffa3af0a
Do not fail checksums for RFC8009 types

While Active Directory does not yet support RFC 8009 encryption and
checksum types, it is possible to verify these checksums when running
with both MIT Kerberos and Heimdal Kerberos. This matters for the FreeIPA
domain controller, which uses them by default.

[2023/06/16 21:51:04.923873, 10, pid=51149, effective(0, 0), real(0, 0)]
../../lib/krb5_wrap/krb5_samba.c:1496(smb_krb5_kt_open_relative)
  smb_krb5_open_keytab: resolving: FILE:/etc/samba/samba.keytab
[2023/06/16 21:51:04.924196,  2, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2023/06/16 21:51:04.924228,  5, pid=51149, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/kerberos/kerberos_pac.c
lib/krb5_wrap/krb5_samba.h
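
An added example, not part of this commit or of the Samba tree: a log triage helper that finds the failure pattern quoted in the commit message and reports whether the rejected checksum type is one of the two RFC 8009 types (19 and 20). The function name and the sample log are constructed for illustration.

```python
import re

# Kerberos checksum type numbers assigned by RFC 8009.
RFC8009_CKSUMTYPES = {19: "hmac-sha256-128-aes128", 20: "hmac-sha384-192-aes256"}

# Samba debug header: [timestamp, level, pid=N, ...]; it may wrap onto a second line.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+, pid=(?P<pid>\d+)")
UNSUPPORTED = re.compile(r"check_pac_checksum: Checksum Type (-?\d+) is not supported")
PAC_FAIL = "PAC Decode: Failed to verify"

# Constructed sample log, modelled on the excerpt in the commit message.
SAMPLE_LOG = """\
[2024/01/10 10:00:00.000100,  2, pid=4242, effective(0, 0), real(0, 0),
class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 20 is not supported
[2024/01/10 10:00:00.000200,  5, pid=4242, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:353(kerberos_decode_pac)
  PAC Decode: Failed to verify the service signature: Invalid argument
[2024/01/10 10:05:00.000300,  2, pid=4300, effective(0, 0), real(0, 0), class=auth] ../../auth/kerberos/kerberos_pac.c:66(check_pac_checksum)
  check_pac_checksum: Checksum Type 7 is not supported
"""

def find_unsupported_pac_checksums(log_text):
    """Return one finding per 'Checksum Type N is not supported' message."""
    findings, pid, ts = [], None, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # new log record: remember which process and time it belongs to
            pid, ts = int(m["pid"]), m["ts"]
            continue
        m = UNSUPPORTED.search(line)
        if m:
            ctype = int(m.group(1))
            findings.append({"time": ts, "pid": pid, "cksumtype": ctype,
                             "rfc8009_name": RFC8009_CKSUMTYPES.get(ctype),
                             "pac_rejected": False})
        elif PAC_FAIL in line and findings and findings[-1]["pid"] == pid:
            # Same process logged a PAC verification failure right afterwards.
            findings[-1]["pac_rejected"] = True
    return findings

if __name__ == "__main__":
    for f in find_unsupported_pac_checksums(SAMPLE_LOG):
        print(f)
```

A finding with a non-empty `rfc8009_name` and `pac_rejected` set is the situation this commit addresses; other type numbers need separate investigation.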