mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
d631e008cc
When DCERPC clients use Kerberos authentication, they use a service ticket to host/domain.controller because in Active Directory any service on the host is an alias to the machine account object. In FreeIPA each Kerberos service has own keys so host/.. and cifs/.. do not share the same keys. It means Samba suite needs to have access to host/.. keytab entries to validate incoming DCERPC requests. Unfortunately, MIT Kerberos has no means to operate on multiple keytabs at the same time and Samba doesn't implement this either. We cannot use GSS-Proxy as well because Samba daemons are running under root. As a workaround, copy missing aes256 and aes128 keys from the host keytab. SMB protocol doesn't use other encryption types and we don't have rc4-hmac for the host either. Fixes: https://pagure.io/freeipa/issue/3999 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| adtrust.py | ||
| ca_renewal_master.py | ||
| dns.py | ||
| fix_replica_agreements.py | ||
| rename_managed.py | ||
| update_ca_topology.py | ||
| update_dna_shared_config.py | ||
| update_fix_duplicate_cacrt_in_ldap.py | ||
| update_idranges.py | ||
| update_ldap_server_list.py | ||
| update_managed_permissions.py | ||
| update_nis.py | ||
| update_pacs.py | ||
| update_passsync.py | ||
| update_ra_cert_store.py | ||
| update_referint.py | ||
| update_services.py | ||
| update_unhashed_password.py | ||
| update_uniqueness.py | ||
| upload_cacrt.py | ||