From: Stefan Metzmacher Date: Wed, 9 Mar 2022 11:39:07 +0000 (+0100) Subject: s4:kdc: make use of the 'kdc enable fast' option X-Git-Tag: tevent-0.12.0~470 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2db7589d69abebad16b66d933114367f815d5fc3;p=thirdparty%2Fsamba.git s4:kdc: make use of the 'kdc enable fast' option This will useful to test against a KDC without FAST support and find/prevent regressions. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005 Signed-off-by: Stefan Metzmacher Reviewed-by: Joseph Sutton
---
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bea9ac8e1ae..62cc8bdef1d 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -449,11 +449,15 @@ static krb5_error_code samba_kdc_message2entry_keys(krb5_context context,
 *supported_enctypes_out = 0;
 if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
+ bool enable_fast;
+
 /* KDCs (and KDCs on RODCs) use AES */
 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
- /* KDCs support FAST */
- supported_enctypes |= ENC_FAST_SUPPORTED;
+ enable_fast = lpcfg_kdc_enable_fast(kdc_db_ctx->lp_ctx);
+ if (enable_fast) {
+ supported_enctypes |= ENC_FAST_SUPPORTED;
+ }
 } else if (userAccountControl & (UF_PARTIAL_SECRETS_ACCOUNT|UF_SERVER_TRUST_ACCOUNT)) {
 /* DCs and RODCs comptuer accounts use AES */
 supported_enctypes |= ENC_HMAC_SHA1_96_AES128 | ENC_HMAC_SHA1_96_AES256;
diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index ddf3b649da2..0d2a410fc3b 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
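Review bot: In the source4/kdc/db-glue.c hunk, the new `if (enable_fast)` branch drops the old `/* KDCs support FAST */` comment without a replacement, so nothing explains why the `ENC_FAST_SUPPORTED` bit on krbtgt/RODC entries is now conditional. I would add `/* Advertise FAST only when 'kdc enable fast' is set */` above the `if`. The value is read here from `kdc_db_ctx->lp_ctx` on every call, whereas the kdc-heimdal.c hunk reads it once in `kdc_post_fork()` from `task->lp_ctx`. If those two can ever differ (for example after a configuration reload, which is not visible here), the advertised bit and the KDC's own `enable_fast` would disagree, so it is worth confirming they share one source. The body of `samba_kdc_message2entry_keys()` starts and ends outside the hunk.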
@@ -422,6 +422,13 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 kdc_config->require_pac = true;
+ /*
+ * By default we enable RFC6113/FAST support,
+ * but we have an option to disable in order to
+ * test against a KDC with FAST support.
+ */
+ kdc_config->enable_fast = lpcfg_kdc_enable_fast(task->lp_ctx);
+
 /*
 * Match Windows and RFC6113 and Windows but break older
 * Heimdal clients.
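Review bot: The added comment in `kdc_post_fork()` says the option exists to `test against a KDC with FAST support`, which contradicts the commit message: the stated purpose is testing against a KDC without FAST. The last comment line should read ` * test against a KDC without FAST support.`. Disabling the option presumably means this KDC no longer accepts RFC6113-armored requests, so the comment could also say that the switch is intended for regression testing and should stay at its default in production. `kdc_post_fork()` starts and ends outside the hunk.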