From: Uri Simchoni Date: Sun, 8 May 2016 12:45:44 +0000 (+0300) Subject: s3-param: add kerberos encryption types parameter X-Git-Tag: tevent-0.9.30~185 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=513fa31c85650e0767e5dc1b3b94a4cc652030e6;p=thirdparty%2Fsamba.git s3-param: add kerberos encryption types parameter Signed-off-by: Uri Simchoni Reviewed-by: Jeremy Allison --- diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml new file mode 100644 index 00000000000..b19a8a83a67 --- /dev/null +++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml @@ -0,0 +1,53 @@ + + + This parameter determines the encryption types to use when operating + as a Kerberos client. Possible values are all, + strong, and legacy. + + + Samba uses a Kerberos library (MIT or Heimdal) to obtain Kerberos + tickets. This library is normally configured outside of Samba, using + the krb5.conf file. This file may also include directives to configure + the encryption types to be used. However, Samba implements Active Directory + protocols and algorithms to locate a domain controller. In order to + force the Kerberos library into using the correct domain controller, + some Samba processes, such as + winbindd + 8 and + net + 8, build a private krb5.conf + file for use by the Kerberos library while being invoked from Samba. + This private file controls all aspects of the Kerberos library operation, + and this parameter controls how the encryption types are configured + within this generated file, and therefore also controls the encryption + types negotiable by Samba. + + + When set to all, all active directory + encryption types are allowed. + + + When set to strong, only AES-based encyption + types are offered. This can be used in hardened environments to prevent + downgrade attacks. + + + When set to legacy, only RC4-HMAC-MD5 + is allowed. Avoiding AES this way has one a very specific use. + Normally, the encryption type is negotiated between the peers. + However, there is one scenario in which a Windows read-only domain + controller (RODC) advertises AES encryption, but then proxies the + request to a writeable DC which may not support AES encryption, + leading to failure of the handshake. Setting this parameter to + legacy would cause samba not to negotiate AES + encryption. It is assumed of course that the weaker legacy + encryption types are acceptable for the setup. + + + +all + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 5f4610ead7e..6aa757f7c6b 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2900,6 +2900,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "smb2 leases", "yes"); + lpcfg_do_global_parameter(lp_ctx, "kerberos encryption types", "all"); + /* Allow modules to adjust defaults */ for (defaults_hook = defaults_hooks; defaults_hook; defaults_hook = defaults_hook->next) { diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h index aa256c17afd..d8f69753ad4 100644 --- a/lib/param/loadparm.h +++ b/lib/param/loadparm.h @@ -178,6 +178,10 @@ struct file_lists { #define KERBEROS_VERIFY_DEDICATED_KEYTAB 2 #define KERBEROS_VERIFY_SECRETS_AND_KEYTAB 3 +#define KERBEROS_ETYPES_ALL 0 +#define KERBEROS_ETYPES_STRONG 1 +#define KERBEROS_ETYPES_LEGACY 2 + /* ACL compatibility */ enum acl_compatibility {ACL_COMPAT_AUTO, ACL_COMPAT_WINNT, ACL_COMPAT_WIN2K}; diff --git a/lib/param/param_table.c b/lib/param/param_table.c index d8d9144b70c..c8520d29c55 100644 --- a/lib/param/param_table.c +++ b/lib/param/param_table.c @@ -208,6 +208,15 @@ static const struct enum_list enum_kerberos_method[] = { {-1, NULL} }; +/* Kerberos encryption types selection options */ + +static const struct enum_list enum_kerberos_encryption_types_vals[] = { + {KERBEROS_ETYPES_ALL, "all"}, + {KERBEROS_ETYPES_STRONG, "strong"}, + {KERBEROS_ETYPES_LEGACY, "legacy"}, + {-1, NULL} +}; + static const struct enum_list enum_printing[] = { {PRINT_SYSV, "sysv"}, {PRINT_AIX, "aix"},