This will be useful to test against a KDC without FAST support
and find/prevent regressions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
*supported_enctypes_out = 0;
if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
+ bool enable_fast;
+
/* KDCs (and KDCs on RODCs) use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
- /* KDCs support FAST */
- supported_enctypes |= ENC_FAST_SUPPORTED;
+ enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
+ if (enable_fast) {
+ supported_enctypes |= ENC_FAST_SUPPORTED;
+ }
} else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
/* DCs and RODCs comptuer accounts use AES */
supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
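Review bot: The krbtgt/RODC branch loses its `/* KDCs support FAST */` comment and gets no replacement, so nothing at the `if (enable_fast)` test says that the ENC_FAST_SUPPORTED bit now depends on configuration. I would add `/* KDCs support FAST unless disabled via lpcfg_kdc_enable_fast(), an option meant for testing */` above the call, since with the option off these accounts presumably no longer advertise FAST armoring to clients. The `enable_fast` local is read only once and could be folded into `if (lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx)) {`. Separately, the comment added next to `kdc_config->enable_fast` further down says "test against a KDC with FAST support" where the commit message says "without"; one of the two looks like a typo. The enclosing function starts and ends outside this hunk.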
kdc_config->require_pac = true;
+ /*
+ * By default we enable RFC6113/FAST support,
+ * but we have an option to disable in order to
+ * test against a KDC with FAST support.
+ */
+ kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx);
+
/*
* Match Windows and RFC6113 and Windows but break older
* Heimdal clients.