Add back the AES patches which didn't make it in rc3.

samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch

@@ -0,0 +1,64 @@
+commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe
+Author:     Günther Deschner <gd@samba.org>
+AuthorDate: Mon Dec 19 10:52:58 2011 +0100
+Commit:     Günther Deschner <gd@samba.org>
+CommitDate: Tue Oct 2 16:22:31 2012 +0200
+
+    s3-kerberos: add aes enctypes to generated krb5.conf.
+    
+    Guenther
+---
+ source3/libads/kerberos.c | 29 ++++++++++++++++++++++++-----
+ 1 file changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index fd39394..3183e26 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
+ 	int fd;
+ 	char *realm_upper = NULL;
+ 	bool result = false;
++	char *aes_enctypes = NULL;
+ 
+ 	if (!lp_create_krb5_conf()) {
+ 		return false;
+@@ -870,15 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
+ 		goto done;
+ 	}
+ 
+-	/* FIXME: add aes here - gd */
++	aes_enctypes = talloc_strdup(fname, "");
++	if (aes_enctypes == NULL) {
++		goto done;
++	}
++
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++	aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
++	if (aes_enctypes == NULL) {
++		goto done;
++	}
++#endif
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++	aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
++	if (aes_enctypes == NULL) {
++		goto done;
++	}
++#endif
++
+ 	file_contents = talloc_asprintf(fname,
+ 					"[libdefaults]\n\tdefault_realm = %s\n"
+-					"\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+-					"\tdefault_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+-					"\tpreferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
++					"\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
++					"\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
++					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+ 					"[realms]\n\t%s = {\n"
+ 					"\t%s\t}\n",
+-					realm_upper, realm_upper, kdc_ip_string);
++					realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
++					realm_upper, kdc_ip_string);
+ 
+ 	if (!file_contents) {
+ 		goto done;

samba-4.0.0rc4-request_aes_krb_keys.patch

@@ -0,0 +1,65 @@
+commit eae33e96fcaa456830862325b91579faf2a96213
+Author:     Günther Deschner <gd@samba.org>
+AuthorDate: Thu Dec 15 18:12:41 2011 +0100
+Commit:     Günther Deschner <gd@samba.org>
+CommitDate: Tue Oct 2 16:22:31 2012 +0200
+
+    s3-krb5: use and request AES keys in kerberos operations.
+    
+    Guenther
+---
+ lib/krb5_wrap/krb5_samba.c       | 6 ++++++
+ source3/libads/kerberos.c        | 1 +
+ source3/libads/kerberos_keytab.c | 8 +++++++-
+ 3 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
+index 1a5a710..8037337 100644
+--- a/lib/krb5_wrap/krb5_samba.c
++++ b/lib/krb5_wrap/krb5_samba.c
+@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
+ 		ENCTYPE_ARCFOUR_HMAC,
+ 		ENCTYPE_DES_CBC_MD5,
+ 		ENCTYPE_DES_CBC_CRC,
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++#endif
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
++#endif
+ 		ENCTYPE_NULL};
+ 
+ 	initialize_krb5_error_table();
+diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
+index 1093d12..fd39394 100644
+--- a/source3/libads/kerberos.c
++++ b/source3/libads/kerberos.c
+@@ -870,6 +870,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
+ 		goto done;
+ 	}
+ 
++	/* FIXME: add aes here - gd */
+ 	file_contents = talloc_asprintf(fname,
+ 					"[libdefaults]\n\tdefault_realm = %s\n"
+ 					"\tdefault_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index eb2603b..b7df50d 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char *srvPrinc)
+ 	krb5_keytab keytab = NULL;
+ 	krb5_data password;
+ 	krb5_kvno kvno;
+-        krb5_enctype enctypes[4] = {
++        krb5_enctype enctypes[6] = {
+ 		ENCTYPE_DES_CBC_CRC,
+ 		ENCTYPE_DES_CBC_MD5,
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++		ENCTYPE_AES128_CTS_HMAC_SHA1_96,
++#endif
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++		ENCTYPE_AES256_CTS_HMAC_SHA1_96,
++#endif
+ 		ENCTYPE_ARCFOUR_HMAC,
+ 		0
+ 	};

samba.spec

@@ -1,4 +1,4 @@
-%define main_release 154
+%define main_release 155
 
 %define samba_version 4.0.0
 %define talloc_version 2.0.7
@@ -65,6 +65,9 @@ Source100: smbprint
 Source200: README.dc
 Source201: README.downgrade
 
+Patch0: samba-4.0.0rc4-request_aes_krb_keys.patch
+Patch1: samba-4.0.0rc4-add_aes_enctypes_to_krb5_conf.patch
+
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
 Requires(pre): /usr/sbin/groupadd
@@ -388,6 +391,9 @@ link against the SMB, RPC and other protocols.
 %prep
 %setup -q -n samba-%{version}%{pre_release}
 
+%patch0 -p1 -b .request_aes_krb_keys
+%patch1 -p1 -b .add_aes_enctypes_to_krb5_conf
+
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
 %global _tevent_lib ,tevent,pytevent
@@ -1273,6 +1279,9 @@ rm -rf %{buildroot}
 %endif # with_libwbclient
 
 %changelog
+* Tue Oct 16 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-155.rc3
+- Add back the AES patches which didn't make it in rc3.
+
 * Tue Oct 16 2012 - Andreas Schneider <asn@redhat.com> - 2:4.0.0-154.rc3
 - Update to 4.0.0rc3.
 - resolves: #805562 - Unable to share print queues.