From: Stefan Metzmacher
Date: Fri, 19 May 2017 14:01:55 +0000 (+0200)
Subject: s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback
X-Git-Tag: samba-4.5.13~64
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f4d1818e20d2a1db47589abb2dc7f6b236d32e0;p=thirdparty%2Fsamba.git

s3:libads: remove kerberos_secrets_fetch_salting_principal() fallback

The handling for per encryption type salts was removed in Samba 3.0.23a (Jul 21, 2006). It's very unlikely that someone has such an installation that got constantly upgraded over 10 years with an automatic password change nor rejoin. It also means that the KDC only has salt-less arcfour-hmac-md5 key together with the salted des keys. So there would only be a problem if the client would try to use a des key to contact the smb server.

Having this legacy code adds quite some complexity for no good reason.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12782

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
(cherry picked from commit 487b4717b58a6f1ba913708ce8419145b7f4fac8)
---
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index cd3291ac94c..690d699711f 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c 
@@ -361,27 +361,6 @@ int ads_kdestroy(const char *cc_name) return code; } -/************************************************************************ - Routine to fetch the salting principal for a service. Active - Directory may use a non-obvious principal name to generate the salt - when it determines the key to use for encrypting tickets for a service, - and hopefully we detected that when we joined the domain. - ************************************************************************/ - -static char *kerberos_secrets_fetch_salting_principal(const char *service, int enctype) -{ - char *key = NULL; - char *ret = NULL; - - if (asprintf(&key, "%s/%s/enctype=%d", - SECRETS_SALTING_PRINCIPAL, service, enctype) == -1) { - return NULL; - } - ret = (char *)secrets_fetch(key, NULL); - SAFE_FREE(key); - return ret; -} - /************************************************************************ Return the standard DES salt key ************************************************************************/ @@ -461,10 +440,8 @@ char* kerberos_secrets_fetch_des_salt( void ) } /************************************************************************ - Routine to get the salting principal for this service. This is - maintained for backwards compatibilty with releases prior to 3.0.24. - Since we store the salting principal string only at join, we may have - to look for the older tdb keys. Caller must free if return is not null. + Routine to get the salting principal for this service. + Caller must free if return is not null. ************************************************************************/ char *kerberos_fetch_salt_princ_for_host_princ(krb5_context context, 
@@ -476,14 +453,8 @@ char *kerberos_fetch_salt_princ_for_host_princ(krb5_context context, salt_princ_s = kerberos_secrets_fetch_des_salt(); if (salt_princ_s == NULL) { - - /* look under the old key. If this fails, just use the standard key */ - salt_princ_s = kerberos_secrets_fetch_salting_principal(host_princ_s, - enctype); - if (salt_princ_s == NULL) { - /* fall back to host/machine.realm@REALM */ - salt_princ_s = kerberos_standard_des_salt(); - } + /* fall back to host/machine.realm@REALM */ + salt_princ_s = kerberos_standard_des_salt(); } return salt_princ_s;
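
Review bot: In the first hunk (@@ -361,27 +361,6 @@), the deleted static helper was the code in this file that read the secrets entries keyed as "%s/%s/enctype=%d" under SECRETS_SALTING_PRINCIPAL, and nothing in this patch touches that macro or the stored entries. Please check whether SECRETS_SALTING_PRINCIPAL has any remaining users and drop its definition in the same series if it does not. It would also help to say in the commit message that any such per-enctype entries left in an old secrets database are now simply ignored rather than migrated or deleted.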
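
Review bot: In the second hunk (@@ -461,10 +440,8 @@), the shortened comment above kerberos_fetch_salt_princ_for_host_princ() no longer says where the salting principal comes from. Suggest documenting the lookup order the function has after this change: the value returned by kerberos_secrets_fetch_des_salt() first, and kerberos_standard_des_salt() (host/machine.realm@REALM) when that is NULL. The "Caller must free if return is not null" sentence is worth keeping as it is.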
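
Review bot: In the third hunk (@@ -476,14 +453,8 @@), the removed call kerberos_secrets_fetch_salting_principal(host_princ_s, enctype) was the only use of host_princ_s and enctype in the lines shown, so after this change both may be dead in kerberos_fetch_salt_princ_for_host_princ(). Please check the rest of the function: if host_princ_s is only built to feed that lookup, its setup and free can go too, and an unused enctype argument should either be dropped from the signature (with the callers updated) or noted as intentionally kept for API stability. Separately, the fallback to kerberos_standard_des_salt() is silent; a debug-level message there would make it visible when a machine account ends up on the default salt instead of a stored one.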