s4:kdc: Add comment about possible interaction between the krbtgt account and Group...
authorJo Sutton <josutton@catalyst.net.nz>
Thu, 9 May 2024 01:16:50 +0000 (13:16 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 22 May 2024 21:33:14 +0000 (21:33 +0000)
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224

source4/kdc/db-glue.c

index 43b8a1c1863a64883f01ae7a6a6361fd2d553f0e..070a97ad74d11e12f2ced2ad5548416b002946d2 100644 (file)
@@ -1841,6 +1841,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                         * against possible future attacks on weak
                         * keys.
                         */
+
+                       /*
+                        * The krbtgt account is never a Group Managed Service
+                        * Account, but a similar system might well be
+                        * implemented as a means of having the krbtgt’s keys
+                        * roll over automatically. In that case, thought might
+                        * be given as to how this security measure — of
+                        * stripping out weaker keys — would interact with key
+                        * management.
+                        */
+
                        entry->keys.len = 1;
                        if (entry->etypes != NULL) {
                                entry->etypes->len = MIN(entry->etypes->len, 1);
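Review bot: The added comment is phrased as an open question ("thought might be given") rather than naming the concrete constraint the code imposes, so a future implementer of automatic krbtgt key rollover would have to rediscover it from the lines that follow. It would be more useful to state it directly, e.g. `* Note that the code below truncates the entry to a single key (keys.len = 1) and at most one etype, so any automatic rollover scheme for the krbtgt would need to ensure the key it intends to be used is the one that survives this truncation.` (which key survives presumably depends on the ordering established earlier in the function). As a point of style, the comment uses a typographic apostrophe and em-dash (`krbtgt’s`, `—`) where the surrounding comments are plain ASCII; `'` and `--` keep the file 7-bit clean. samba_kdc_message2entry begins and ends outside the hunk.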