s3-param: add kerberos encryption types parameter

Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
new file mode 100644 (file)
index 0000000..b19a8a8
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
@@ -0,0 +1,53 @@
+<samba:parameter name="kerberos encryption types"
+                 context="G"
+                 type="enum"
+                enumlist="enum_kerberos_encryption_types_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter determines the encryption types to use when operating
+    as a Kerberos client. Possible values are <emphasis>all</emphasis>,
+    <emphasis>strong</emphasis>, and <emphasis>legacy</emphasis>.
+    </para>
+
+    <para>Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos
+    tickets. This library is normally configured outside of Samba, using
+    the krb5.conf file. This file may also include directives to configure
+    the encryption types to be used. However, Samba implements Active Directory
+    protocols and algorithms to locate a domain controller. In order to
+    force the Kerberos library into using the correct domain controller,
+    some Samba processes, such as
+    <citerefentry><refentrytitle>winbindd</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry> and
+    <citerefentry><refentrytitle>net</refentrytitle>
+    <manvolnum>8</manvolnum></citerefentry>, build a private krb5.conf
+    file for use by the Kerberos library while being invoked from Samba.
+    This private file controls all aspects of the Kerberos library operation,
+    and this parameter controls how the encryption types are configured
+    within this generated file, and therefore also controls the encryption
+    types negotiable by Samba.
+    </para>
+
+    <para>When set to <constant>all</constant>, all active directory
+    encryption types are allowed.
+    </para>
+
+    <para>When set to <constant>strong</constant>, only AES-based encyption
+    types are offered. This can be used in hardened environments to prevent
+    downgrade attacks.
+    </para>
+
+    <para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5
+    is allowed. Avoiding AES this way has one a very specific use.
+    Normally, the encryption type is negotiated between the peers.
+    However, there is one scenario in which a Windows read-only domain
+    controller (RODC) advertises AES encryption, but then proxies the
+    request to a writeable DC which may not support AES encryption,
+    leading to failure of the handshake. Setting this parameter to
+    <constant>legacy</constant> would cause samba not to negotiate AES
+    encryption. It is assumed of course that the weaker legacy
+    encryption types are acceptable for the setup.
+    </para>
+</description>
+
+<value type="default">all</value>
+</samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 5f4610ead7e983c1bab8910a58c7171c6bdfe89a..6aa757f7c6bb23ab35778ff093b3e77dbbf7b9bc 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2900,6 +2900,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
        lpcfg_do_global_parameter(lp_ctx, "smb2 leases", "yes");
 
+       lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all");
+
        /* Allow modules to adjust defaults */
        for (defaults_hook = defaults_hooks; defaults_hook;
                 defaults_hook = defaults_hook->next) {

diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index aa256c17afda3481baffa4dce78c9be6ffbe2c1e..d8f69753ad4f4d4879b3b578747845b52bcfb61b 100644 (file)
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -178,6 +178,10 @@ struct file_lists {
 #define KERBEROS_VERIFY_DEDICATED_KEYTAB 2
 #define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3
 
+#define KERBEROS_ETYPES_ALL 0
+#define KERBEROS_ETYPES_STRONG 1
+#define KERBEROS_ETYPES_LEGACY 2
+
 /* ACL compatibility */
 enum acl_compatibility {ACL_COMPAT_AUTO, ACL_COMPAT_WINNT, ACL_COMPAT_WIN2K};
 

diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index d8d9144b70cf3bac68f8c874578453cd32035d26..c8520d29c5575638edbd6e9b9850e739fe68e58c 100644 (file)
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -208,6 +208,15 @@ static const struct enum_list enum_kerberos_method[] = {
        {-1, NULL}
 };
 
+/* Kerberos encryption types selection options */
+
+static const struct enum_list enum_kerberos_encryption_types_vals[] = {
+       {KERBEROS_ETYPES_ALL, "all"},
+       {KERBEROS_ETYPES_STRONG, "strong"},
+       {KERBEROS_ETYPES_LEGACY, "legacy"},
+       {-1, NULL}
+};
+
 static const struct enum_list enum_printing[] = {
        {PRINT_SYSV, "sysv"},
        {PRINT_AIX, "aix"},