From cc3ef52884a48863a81acbfc741735fe09cd85f7 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 13 Jun 2019 18:27:49 +0200
Subject: [PATCH 4/4] adenroll: use only enctypes permitted by Kerberos config
Related to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
doc/adcli.xml | 10 ++++++++++
library/adenroll.c | 22 +++++++++++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
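diff --git a/doc/adcli.xml b/doc/adcli.xml
index 9605b4a..094f577 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -342,6 +342,11 @@ Password for Administrator:
 </varlistentry>
 </variablelist>
 
+ <para>If supported on the AD side the
+ <option>msDS-supportedEncryptionTypes</option> attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.</para>
 </refsect1>
 
 <refsect1 id='updating'>
@@ -475,6 +480,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
 </varlistentry>
 </variablelist>
 
+ <para>If supported on the AD side the
+ <option>msDS-supportedEncryptionTypes</option> attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.</para>
 </refsect1>
 
 <refsect1 id='testjoin'>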
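diff --git a/library/adenroll.c b/library/adenroll.c
index 95c07cd..53cd812 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -639,6 +639,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 {
 char *value = NULL;
 krb5_enctype *read_enctypes;
+ krb5_enctype *new_enctypes;
 char *new_value = NULL;
 int is_2008_or_later;
 LDAP *ldap;
@@ -685,7 +686,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
 }
 
- new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
+ new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (new_enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
+
+ new_value = _adcli_krb5_format_enctypes (new_enctypes);
+ krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes);
 if (new_value == NULL) {
 free (value);
 _adcli_warn ("The encryption types desired are not available in active directory");
@@ -1758,7 +1766,11 @@ add_principal_to_keytab (adcli_enroll *enroll,
 enroll->keytab_name);
 }
 
- enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
 
 if (flags & ADCLI_ENROLL_PASSWORD_VALID) {
 code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal,
@@ -1774,7 +1786,10 @@ add_principal_to_keytab (adcli_enroll *enroll,
 */
 
 salts = build_principal_salts (enroll, k5, principal);
- return_unexpected_if_fail (salts != NULL);
+ if (salts == NULL) {
+ krb5_free_enctypes (k5, enctypes);
+ return ADCLI_ERR_UNEXPECTED;
+ }
 
 if (*which_salt < 0) {
 code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password,
@@ -1794,6 +1809,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
 
 free_principal_salts (k5, salts);
 }
+ krb5_free_enctypes (k5, enctypes);
 
 if (code != 0) {
 _adcli_err ("Couldn't add keytab entries: %s: %s",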
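Review bot: In the calculate_enctypes hunk (@@ -685), the new early return on `new_enctypes == NULL` leaks `value`, which the `if (new_value == NULL)` branch a few lines below already frees; add `free (value);` before the `_adcli_warn ("No permitted encryption type found.");` line so both failure paths release it. The new `krb5_free_enctypes` calls in add_principal_to_keytab look balanced for the `salts == NULL` exit and for the fall-through after the if/else, but the body of that function continues outside these hunks, so any return between `_adcli_krb5_keytab_discover_salt` and `free_principal_salts` would still leak `enctypes` — worth checking. Both warning messages say only that nothing was permitted; stating that the list comes from the client's Kerberos configuration, as the adcli.xml text does, would help an operator diagnose a join that fails because of a restrictive permitted-enctype setting.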
--
2.21.0