s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback

The handling for per encryption type salts was removed in
Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone
has such an installation that got constantly upgraded over 10 years
with an automatic password change nor rejoin. It also means
that the KDC only has salt-less arcfour-hmac-md5 key together
with the salted des keys. So there would only be a problem
if the client whould try to use a des key to contact the smb server.

Having this legacy code adds quite some complexity for no
good reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index b4bd76894e1f09d4dc6f1a96deedf7d47027f520..ba2311bfc58c41c43c1604dd3e26c1772a6d2f10 100644 (file)
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -272,27 +272,6 @@ int ads_kdestroy(const char *cc_name)
        return code;
 }
 
-/************************************************************************
- Routine to fetch the salting principal for a service.  Active
- Directory may use a non-obvious principal name to generate the salt
- when it determines the key to use for encrypting tickets for a service,
- and hopefully we detected that when we joined the domain.
- ************************************************************************/
-
-static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype)
-{
-       char *key = NULL;
-       char *ret = NULL;
-
-       if (asprintf(&key, "%s/%s/enctype=%d",
-                    SECRETS_SALTING_PRINCIPAL, service, enctype) == -1) {
-               return NULL;
-       }
-       ret = (char *)secrets_fetch(key, NULL);
-       SAFE_FREE(key);
-       return ret;
-}
-
 /************************************************************************
  Return the standard DES salt key
 ************************************************************************/
@@ -372,10 +351,8 @@ char* kerberos_secrets_fetch_des_salt( void )
 }
 
 /************************************************************************
- Routine to get the salting principal for this service.  This is 
- maintained for backwards compatibilty with releases prior to 3.0.24.
- Since we store the salting principal string only at join, we may have 
- to look for the older tdb keys.  Caller must free if return is not null.
+ Routine to get the salting principal for this service.
+ Caller must free if return is not null.
  ************************************************************************/
 
 char *kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
@@ -387,14 +364,8 @@ char *kerberos_fetch_salt_princ_for_host_princ(krb5_context context,
 
        salt_princ_s = kerberos_secrets_fetch_des_salt();
        if (salt_princ_s == NULL) {
-
-               /* look under the old key.  If this fails, just use the standard key */
-               salt_princ_s = kerberos_secrets_fetch_salting_principal(host_princ_s,
-                                                                       enctype);
-               if (salt_princ_s == NULL) {
-                       /* fall back to host/machine.realm@REALM */
-                       salt_princ_s = kerberos_standard_des_salt();
-               }
+               /* fall back to host/machine.realm@REALM */
+               salt_princ_s = kerberos_standard_des_salt();
        }
 
        return salt_princ_s;