Blame SOURCES/0004-adenroll-use-only-enctypes-permitted-by-Kerberos-con.patch

59dcbd
From cc3ef52884a48863a81acbfc741735fe09cd85f7 Mon Sep 17 00:00:00 2001
59dcbd
From: Sumit Bose <sbose@redhat.com>
59dcbd
Date: Thu, 13 Jun 2019 18:27:49 +0200
59dcbd
Subject: [PATCH 4/4] adenroll: use only enctypes permitted by Kerberos config
59dcbd
59dcbd
Realted to https://gitlab.freedesktop.org/realmd/adcli/issues/3
59dcbd
---
59dcbd
 doc/adcli.xml      | 10 ++++++++++
59dcbd
 library/adenroll.c | 22 +++++++++++++++++++---
59dcbd
 2 files changed, 29 insertions(+), 3 deletions(-)
59dcbd
59dcbd
diff --git a/doc/adcli.xml b/doc/adcli.xml
59dcbd
index 9605b4a..094f577 100644
59dcbd
--- a/doc/adcli.xml
59dcbd
+++ b/doc/adcli.xml
59dcbd
@@ -342,6 +342,11 @@ Password for Administrator:
59dcbd
 		</varlistentry>
59dcbd
 	</variablelist>
59dcbd
 
59dcbd
+	<para>If supported on the AD side the
59dcbd
+	<option>msDS-supportedEncryptionTypes</option> attribute will be set as
59dcbd
+	well. Either the current value or the default list of AD's supported
59dcbd
+	encryption types filtered by the permitted encryption types of the
59dcbd
+	client's Kerberos configuration are written.</para>
59dcbd
 </refsect1>
59dcbd
 
59dcbd
 <refsect1 id='updating'>
59dcbd
@@ -475,6 +480,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
59dcbd
 		</varlistentry>
59dcbd
 	</variablelist>
59dcbd
 
59dcbd
+	<para>If supported on the AD side the
59dcbd
+	<option>msDS-supportedEncryptionTypes</option> attribute will be set as
59dcbd
+	well. Either the current value or the default list of AD's supported
59dcbd
+	encryption types filtered by the permitted encryption types of the
59dcbd
+	client's Kerberos configuration are written.</para>
59dcbd
 </refsect1>
59dcbd
 
59dcbd
 <refsect1 id='testjoin'>
59dcbd
diff --git a/library/adenroll.c b/library/adenroll.c
59dcbd
index 95c07cd..53cd812 100644
59dcbd
--- a/library/adenroll.c
59dcbd
+++ b/library/adenroll.c
59dcbd
@@ -639,6 +639,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
59dcbd
 {
59dcbd
 	char *value = NULL;
59dcbd
 	krb5_enctype *read_enctypes;
59dcbd
+	krb5_enctype *new_enctypes;
59dcbd
 	char *new_value = NULL;
59dcbd
 	int is_2008_or_later;
59dcbd
 	LDAP *ldap;
59dcbd
@@ -685,7 +686,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
59dcbd
 		value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
59dcbd
 	}
59dcbd
 
59dcbd
-	new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
59dcbd
+	new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
59dcbd
+	if (new_enctypes == NULL) {
59dcbd
+		_adcli_warn ("No permitted encryption type found.");
59dcbd
+		return ADCLI_ERR_UNEXPECTED;
59dcbd
+	}
59dcbd
+
59dcbd
+	new_value = _adcli_krb5_format_enctypes (new_enctypes);
59dcbd
+	krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes);
59dcbd
 	if (new_value == NULL) {
59dcbd
 		free (value);
59dcbd
 		_adcli_warn ("The encryption types desired are not available in active directory");
59dcbd
@@ -1758,7 +1766,11 @@ add_principal_to_keytab (adcli_enroll *enroll,
59dcbd
 		             enroll->keytab_name);
59dcbd
 	}
59dcbd
 
59dcbd
-	enctypes = adcli_enroll_get_keytab_enctypes (enroll);
59dcbd
+	enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
59dcbd
+	if (enctypes == NULL) {
59dcbd
+		_adcli_warn ("No permitted encryption type found.");
59dcbd
+		return ADCLI_ERR_UNEXPECTED;
59dcbd
+	}
59dcbd
 
59dcbd
 	if (flags & ADCLI_ENROLL_PASSWORD_VALID) {
59dcbd
 		code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal,
59dcbd
@@ -1774,7 +1786,10 @@ add_principal_to_keytab (adcli_enroll *enroll,
59dcbd
 		 */
59dcbd
 
59dcbd
 		salts = build_principal_salts (enroll, k5, principal);
59dcbd
-		return_unexpected_if_fail (salts != NULL);
59dcbd
+		if (salts == NULL) {
59dcbd
+			krb5_free_enctypes (k5, enctypes);
59dcbd
+			return ADCLI_ERR_UNEXPECTED;
59dcbd
+		}
59dcbd
 
59dcbd
 		if (*which_salt < 0) {
59dcbd
 			code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password,
59dcbd
@@ -1794,6 +1809,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
59dcbd
 
59dcbd
 		free_principal_salts (k5, salts);
59dcbd
 	}
59dcbd
+	krb5_free_enctypes (k5, enctypes);
59dcbd
 
59dcbd
 	if (code != 0) {
59dcbd
 		_adcli_err ("Couldn't add keytab entries: %s: %s",
59dcbd
-- 
59dcbd
2.21.0
59dcbd