mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
b5fbbd1957
With system-wide crypto policy in use, arcfour-hmac encryption type might be removed from the list of permitted encryption types in the MIT Kerberos library. Applications aren't prevented to use the arcfour-hmac enctype if they operate on it directly. Since FreeIPA supported and default encryption types stored in LDAP, on the server side we don't directly use a set of permitted encryption types provided by the MIT Kerberos library. However, this set will be trimmed to disallow arcfour-hmac and other weaker types by default. While the arcfour-hmac key can be generated and retrieved, MIT Kerberos library will still not allow its use in Kerberos protocol if it is not on the list of permitted encryption types. We only need this workaround to allow setting up arcfour-hmac key for SMB services where arcfour-hmac key is used to validate communication between a domain member and its domain controller. Without this fix it will not be possible to request setting up a machine account credential from the domain member side. The latter is needed for Samba running on IPA client. Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly allow arcfour-hmac encryption type for SMB services (Kerberos principal name starts with cifs/). Reviewed-By: Christian Heimes <cheimes@redhat.com>
The update files are sorted before being processed because there are cases where order matters (such as getting schema added first, creating parent entries, etc). Updates are applied in blocks of ten so that any entries that are dependant on another can be added successfully without having to rely on the length of the DN to get the sorting correct. The file names should use the format #-<description>.update where # conforms to this: 10 - 19: Configuration 20 - 29: 389-ds configuration, new indices 30 - 39: Structual elements of the DIT 40 - 49: Pre-loaded data 50 - 59: Cleanup existing data 60 - 69: AD Trust 70 - 79: Reserved 80 - 89: Reserved These numbers aren't absolute, there may be reasons to put an update into one place or another, but by adhereing to the scheme it will be easier to find existing updates and know where to put new ones.