This ensures that our DC will use all the available encyption types.
(The KDC reads this entry to determine what the server supports)
Andrew Bartlett
#define KRB5_KEY_DATA(k) ((k)->contents)
#endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
+#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 | \
+ ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
+
#ifndef HAVE_KRB5_SET_REAL_TIME
krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
#endif
#include "lib/ldb/pyldb.h"
#include "libcli/security/security.h"
#include "librpc/ndr/libndr.h"
-
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
/* FIXME: These should be in a header file somewhere, once we finish moving
* away from SWIG .. */
#define PyErr_LDB_OR_RAISE(py_ldb, ldb) \
PyInt_FromLong(DS_DOMAIN_FUNCTION_2008));
PyModule_AddObject(m, "DS_DOMAIN_FUNCTION_2008_R2",
PyInt_FromLong(DS_DOMAIN_FUNCTION_2008_R2));
+
+ /* Kerberos encryption type constants */
+ PyModule_AddObject(m, "ENC_ALL_TYPES",
+ PyInt_FromLong(ENC_ALL_TYPES));
+ PyModule_AddObject(m, "ENC_CRC32",
+ PyInt_FromLong(ENC_CRC32));
+ PyModule_AddObject(m, "ENC_RSA_MD5",
+ PyInt_FromLong(ENC_RSA_MD5));
+ PyModule_AddObject(m, "ENC_RC4_HMAC_MD5",
+ PyInt_FromLong(ENC_RC4_HMAC_MD5));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES128",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES128));
+ PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES256",
+ PyInt_FromLong(ENC_HMAC_SHA1_96_AES256));
}
import samba
from samba import version, Ldb, substitute_var, valid_netbios_name
from samba import check_all_substituted, read_and_sub_file, setup_file
-from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2, ENC_ALL_TYPES
from samba.dcerpc import security
from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
from samba.idmap import IDmapDB
machinepass=machinepass,
secure_channel_type=SEC_CHAN_BDC)
+ # Now set up the right msDS-SupportedEncryptionTypes into the DB
+ # In future, this might be determined from some configuration
+ kerberos_enctypes = str(ENC_ALL_TYPES)
+
+ try:
+ msg = ldb.Message(ldb.Dn(samdb, samdb.searchone("distinguishedName", expression="samAccountName=%s$" % names.netbiosname, scope=ldb.SCOPE_SUBTREE)))
+ msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(elements=kerberos_enctypes,
+ flags=ldb.FLAG_MOD_REPLACE,
+ name="msDS-SupportedEncryptionTypes")
+ samdb.modify(msg)
+ except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):
+ # It might be that this attribute does not exist in this schema
+ pass
+
+
if serverrole == "domain controller":
secretsdb_setup_dns(secrets_ldb, setup_path,
paths.private_dir,