kdc: warn if DES-only keys enforced on the account

With MIT Kerberos 1.21+ DES is not available by default and will be
refused. This means userAccountFlags with UF_DES_KEYS_ONLY will result
in a likely authentication falure (unless allow_des=true is set in
krb5.conf).

Warn about such cases to give admins yet another chance to detect an
error in setting userAccountFlags.

Signed-off-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
Autobuild-Date(master): Sat Aug 17 11:59:01 UTC 2024 on atb-devel-224

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 57007aef760eb2afcb7619624fe489c946c7856b..dd1c95cb925022fce89dc4d9d200cc520fc06c42 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1741,6 +1741,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
        /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */
        if (userAccountControl & UF_USE_DES_KEY_ONLY) {
                supported_enctypes &= ~ENC_ALL_TYPES;
+               DBG_NOTICE("DES-only keys allowed on the account '%s', "
+                          "most likely auth will fail through Kerberos\n",
+                          samAccountName);
        }
 
        if (protected_user) {