freeipa/daemons
Alexander Bokovoy b5fbbd1957 Keytab retrieval: allow requesting arcfour-hmac for SMB services
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.

Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.

While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.

Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
..
dnssec Fix inconsistent-return-statements in ipa-dnskeysync-replica 2019-04-24 08:10:45 +02:00
ipa-kdb ipa-kdb: reduce LDAP operations timeout to 30 seconds 2018-11-16 16:54:38 -05:00
ipa-otpd Py3: Replace six.moves imports 2018-10-05 12:06:19 +02:00
ipa-sam ipasam: use SID formatting calls to libsss_idmap 2019-04-01 12:08:12 +02:00
ipa-slapi-plugins Keytab retrieval: allow requesting arcfour-hmac for SMB services 2019-05-28 09:55:51 +03:00
ipa-version.h.in Build: move version handling from Makefile to configure 2016-11-09 13:08:32 +01:00
Makefile.am Build: properly integrate ipa-version.h.in into build system 2016-11-29 15:28:24 +01:00