From: Jo Sutton Date: Thu, 9 May 2024 01:16:50 +0000 (+1200) Subject: s4:kdc: Add comment about possible interaction between the krbtgt account and Group... X-Git-Tag: tdb-1.4.11~574 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=589a9ea6767a8112baf664dd18c4aa1667e57d76;p=thirdparty%2Fsamba.git s4:kdc: Add comment about possible interaction between the krbtgt account and Group Managed Service Accounts Signed-off-by: Jo Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Wed May 22 21:33:14 UTC 2024 on atb-devel-224 --- diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 43b8a1c1863..070a97ad74d 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1841,6 +1841,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, * against possible future attacks on weak * keys. */ + + /* + * The krbtgt account is never a Group Managed Service + * Account, but a similar system might well be + * implemented as a means of having the krbtgt’s keys + * roll over automatically. In that case, thought might + * be given as to how this security measure — of + * stripping out weaker keys — would interact with key + * management. + */ + entry->keys.len = 1; if (entry->etypes != NULL) { entry->etypes->len = MIN(entry->etypes->len, 1);
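Review bot: The new comment block in samba_kdc_message2entry() uses non-ASCII punctuation (the curly apostrophe in "krbtgt’s" and the em dash around "of stripping out weaker keys"), while the surrounding comment in this hunk is plain ASCII; consider writing "krbtgt's" and using commas or hyphens so the file stays consistently ASCII and greps cleanly. The comment is also inserted as a second, separate block directly under the existing one that explains why weaker keys are stripped ("against possible future attacks on weak keys"); since both comments describe the same `entry->keys.len = 1` / `entry->etypes->len = MIN(...)` truncation, folding the new paragraph into that existing comment block would keep the rationale and its caveat together. Finally, because the text is a forward-looking concern rather than a description of current behaviour, tagging it with a conventional marker such as "NOTE:" or "TODO:" would make it easier to find if an automatic krbtgt key rollover is ever implemented.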