s4:provision Add an msDS-SupportedEncryptionTypes entry to our DC
authorAndrew Bartlett <abartlet@samba.org>
Mon, 28 Jun 2010 13:14:23 +0000 (23:14 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 29 Jun 2010 06:59:22 +0000 (16:59 +1000)
This ensures that our DC will use all the available encryption types.

(The KDC reads this entry to determine what the server supports)

Andrew Bartlett

source4/auth/kerberos/kerberos.h
source4/dsdb/pydsdb.c
source4/scripting/python/samba/provision.py

index 96c11a4ce1a36c6eda671bf072a6c2a4bface72c..7e3a7865d6fc78788961e11b1d7717aee0cbea73 100644 (file)
@@ -53,6 +53,9 @@ struct keytab_container {
 #define KRB5_KEY_DATA(k)       ((k)->contents)
 #endif /* HAVE_KRB5_KEYBLOCK_KEYVALUE */
 
+#define ENC_ALL_TYPES (ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5 |    \
+                      ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256)
+
 #ifndef HAVE_KRB5_SET_REAL_TIME
 krb5_error_code krb5_set_real_time(krb5_context context, int32_t seconds, int32_t microseconds);
 #endif
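Review bot: ENC_ALL_TYPES is added without a comment saying what it is for, although its name implies a complete set and the provision.py hunk in this same commit writes the value verbatim into msDS-SupportedEncryptionTypes. Suggest a comment above the define such as `/* Every enctype we advertise in msDS-SupportedEncryptionTypes; deliberately includes single-DES (CRC32, RSA_MD5) and RC4, which are weak and should be dropped from this mask once no longer needed */`. Whether the individual ENC_* bit values line up with the layout AD expects in that attribute cannot be checked from this page, since their definitions are not shown; the comment should state that requirement so a later edit keeps them aligned.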
index 4060b327af3b8503927fc8bc74b200fd1774a007..6966762c14c419f3a7f88d27489dfd5843e64f76 100644 (file)
@@ -24,7 +24,8 @@
 #include "lib/ldb/pyldb.h"
 #include "libcli/security/security.h"
 #include "librpc/ndr/libndr.h"
-
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
 /* FIXME: These should be in a header file somewhere, once we finish moving
  * away from SWIG .. */
 #define PyErr_LDB_OR_RAISE(py_ldb, ldb) \
@@ -578,4 +579,18 @@ void initdsdb(void)
                                           PyInt_FromLong(DS_DOMAIN_FUNCTION_2008));
        PyModule_AddObject(m, "DS_DOMAIN_FUNCTION_2008_R2",
                                           PyInt_FromLong(DS_DOMAIN_FUNCTION_2008_R2));
+
+       /* Kerberos encryption type constants */
+       PyModule_AddObject(m, "ENC_ALL_TYPES",
+                          PyInt_FromLong(ENC_ALL_TYPES));
+       PyModule_AddObject(m, "ENC_CRC32",
+                          PyInt_FromLong(ENC_CRC32));
+       PyModule_AddObject(m, "ENC_RSA_MD5",
+                          PyInt_FromLong(ENC_RSA_MD5));
+       PyModule_AddObject(m, "ENC_RC4_HMAC_MD5",
+                          PyInt_FromLong(ENC_RC4_HMAC_MD5));
+       PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES128",
+                          PyInt_FromLong(ENC_HMAC_SHA1_96_AES128));
+       PyModule_AddObject(m, "ENC_HMAC_SHA1_96_AES256",
+                          PyInt_FromLong(ENC_HMAC_SHA1_96_AES256));
 }
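Review bot: The comment `/* Kerberos encryption type constants */` undersells what the new objects are: they are bitmask flags meant to be OR-ed together (ENC_ALL_TYPES is their union per the kerberos.h hunk in this commit), and the provision.py hunk stores them in msDS-SupportedEncryptionTypes. Suggest `/* Kerberos encryption type bitmask flags, as stored in msDS-SupportedEncryptionTypes; ENC_ALL_TYPES is their union */`. The PyModule_AddObject return values are unchecked, but that matches the surrounding code, so I would not change it in this commit. In the include hunk above, dropping the blank line leaves `#include "auth/kerberos/kerberos.h"` directly against the FIXME comment; keeping a blank line there would match the rest of the file.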
index 14615d081904262e98505d48930074fc7a111cb8..131d4ffd6cc0642f031297e771728f0c2e48c706 100644 (file)
@@ -43,7 +43,7 @@ from samba.auth import system_session, admin_session
 import samba
 from samba import version, Ldb, substitute_var, valid_netbios_name
 from samba import check_all_substituted, read_and_sub_file, setup_file
-from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2
+from samba.dsdb import DS_DOMAIN_FUNCTION_2003, DS_DOMAIN_FUNCTION_2008_R2, ENC_ALL_TYPES
 from samba.dcerpc import security
 from samba.dcerpc.misc import SEC_CHAN_BDC, SEC_CHAN_WKSTA
 from samba.idmap import IDmapDB
@@ -1495,6 +1495,21 @@ def provision(setup_dir, logger, session_info,
                                 machinepass=machinepass,
                                 secure_channel_type=SEC_CHAN_BDC)
 
+            # Now set up the right msDS-SupportedEncryptionTypes into the DB
+            # In future, this might be determined from some configuration
+            kerberos_enctypes = str(ENC_ALL_TYPES)
+
+            try:
+                msg = ldb.Message(ldb.Dn(samdb, samdb.searchone("distinguishedName", expression="samAccountName=%s$" % names.netbiosname, scope=ldb.SCOPE_SUBTREE)))
+                msg["msDS-SupportedEncryptionTypes"] = ldb.MessageElement(elements=kerberos_enctypes, 
+                                                                          flags=ldb.FLAG_MOD_REPLACE, 
+                                                                          name="msDS-SupportedEncryptionTypes")
+                samdb.modify(msg)
+            except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):
+                # It might be that this attribute does not exist in this schema
+                pass
+
+
             if serverrole == "domain controller":
                 secretsdb_setup_dns(secrets_ldb, setup_path,
                                     paths.private_dir,
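Review bot: The new `except ldb.LdbError, (ldb.ERR_NO_SUCH_ATTRIBUTE, _):` does not filter on the error code: in Python 2 the parenthesised part is an assignment target, so every LdbError raised inside the try is caught and its code is assigned to `ldb.ERR_NO_SUCH_ATTRIBUTE`, overwriting the module constant. As a result a failed lookup of the DC account or any other modify failure is silently ignored, and since the searchone/Dn/Message lines sit inside the try they are swallowed too. Change it to `except ldb.LdbError, (num, _):` followed by `if num != ldb.ERR_NO_SUCH_ATTRIBUTE:` and `raise` under the existing comment, and consider keeping only `samdb.modify(msg)` in the try. Whether `searchone` returns None when the account is not found cannot be confirmed from this page; if it does, `ldb.Dn(samdb, None)` would raise before the modify and should be reported rather than hidden. The two MessageElement argument lines also carry trailing whitespace after the commas, and provision() itself starts and ends outside the hunk.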