From: Alexander Bokovoy Date: Fri, 16 Aug 2024 08:24:12 +0000 (+0300) Subject: kdc: warn if DES-only keys enforced on the account X-Git-Tag: tdb-1.4.13~1383 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d98048a5a94557d11f57a2057134dc90622aa37;p=thirdparty%2Fsamba.git kdc: warn if DES-only keys enforced on the account With MIT Kerberos 1.21+ DES is not available by default and will be refused. This means userAccountFlags with UF_DES_KEYS_ONLY will result in a likely authentication failure (unless allow_des=true is set in krb5.conf). Warn about such cases to give admins yet another chance to detect an error in setting userAccountFlags. Signed-off-by: Alexander Bokovoy Reviewed-by: Andreas Schneider Autobuild-User(master): Alexander Bokovoy Autobuild-Date(master): Sat Aug 17 11:59:01 UTC 2024 on atb-devel-224 --- diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 57007aef760..dd1c95cb925 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1741,6 +1741,9 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the newer enc types */ if (userAccountControl & UF_USE_DES_KEY_ONLY) { supported_enctypes &= ~ENC_ALL_TYPES; + DBG_NOTICE("DES-only keys allowed on the account '%s', " + "most likely auth will fail through Kerberos\n", + samAccountName); } if (protected_user) {
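Review bot: The new DBG_NOTICE text in the UF_USE_DES_KEY_ONLY branch says DES-only keys are "allowed" on the account, but the line just above it clears ENC_ALL_TYPES from supported_enctypes, so the account is restricted to DES rather than merely permitted to use it; the commit subject itself says "enforced". Suggest rewording along the lines of "UF_USE_DES_KEY_ONLY is set on account '%s', only DES keys are usable; Kerberos authentication will most likely fail", so that an admin reading the log can see which userAccountControl flag to clear. The commit message describes this as a warning and names the workaround (allow_des=true in krb5.conf), yet the hunk logs at DBG_NOTICE and does not mention that setting; consider DBG_WARNING and a short pointer to allow_des in the text, since the stated goal is to give admins a chance to detect the misconfiguration.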