From b018dd4ae5c176d61115b6ec7bf3e2bd19c559a4 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 18 Nov 2019 17:30:18 +0100
Subject: [PATCH 205/208] param: Do not use weak crypto for kerberos if
disallowed
Signed-off-by: Andreas Schneider <asn@samba.org>
---
.../smbdotconf/security/kerberosencryptiontypes.xml | 5 +++++
lib/param/loadparm.c | 10 ++++++++++
source3/include/proto.h | 1 +
source3/param/loadparm.c | 9 +++++++++
4 files changed, 25 insertions(+)
diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
index 2c3c6c5d5fc..5b0c1a40fcc 100644
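--- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
@@ -2,6 +2,7 @@
 context="G"
 type="enum"
 enumlist="enum_kerberos_encryption_types_vals"
+ function="_kerberos_encryption_types"
 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
 <para>This parameter determines the encryption types to use when operating
@@ -47,6 +48,10 @@
 encryption. It is assumed of course that the weaker legacy
 encryption types are acceptable for the setup.
 </para>
+
+ <para>If weak cryptography is not allowed by the system, then this
+ variable will be forced to <constant>strong</constant>. In this case
+ it is not possible to override this value.</para>
 </description>
 
 <value type="default">all</value>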
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 83dc111c05c..41a4c110195 100644
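--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -96,6 +96,16 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx)
 return lp_ctx->globals->rpc_high_port;
 }
 
+int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx)
+{
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return KERBEROS_ETYPES_STRONG;
+ }
+
+ return lpcfg__kerberos_encryption_types(lp_ctx);
+}
+
+
 enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
 {
 if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {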
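Review bot: The weak-crypto enforcement lives only in the new wrapper `lpcfg_kerberos_encryption_types()`, so any code path that reads the generated accessor `lpcfg__kerberos_encryption_types()` directly would still see the configured value even when `lpcfg_weak_crypto()` returns `SAMBA_WEAK_CRYPTO_DISALLOWED`; whether such a caller exists is not visible in this patch, and the same applies to `lp_kerberos_encryption_types()` / `lp__kerberos_encryption_types()` in source3/param/loadparm.c. Neither wrapper documents this, so I would add above each something like `/* Effective etype policy: forced to KERBEROS_ETYPES_STRONG when weak crypto is disallowed; do not call the double-underscore accessor directly. */`. The override is also silent, so an administrator who set `legacy` or `all` gets no indication that the value was ignored; a single log message at configuration load time would probably serve better than logging in this getter, which may be called often. The body of `lpcfg_weak_crypto()` shown as trailing context continues outside the hunk.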
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 956a328b626..aaa101fc63c 100644
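--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -755,6 +755,7 @@ bool lp_widelinks(int );
 int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
 bool lp_lanman_auth(void);
+int lp_kerberos_encryption_types(void);
 enum samba_weak_crypto lp_weak_crypto(void);
 
 int lp_wi_scan_global_parametrics(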
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c1d02cf5bc6..e68140ae5f0 100644
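--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -4679,6 +4679,15 @@ bool lp_lanman_auth(void)
 }
 }
 
+int lp_kerberos_encryption_types(void)
+{
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return KERBEROS_ETYPES_STRONG;
+ }
+
+ return lp__kerberos_encryption_types();
+}
+
 struct loadparm_global * get_globals(void)
 {
 return &Globals;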
--
2.23.0