From cc3ef52884a48863a81acbfc741735fe09cd85f7 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Thu, 13 Jun 2019 18:27:49 +0200
Subject: [PATCH 4/4] adenroll: use only enctypes permitted by Kerberos config
Realted to https://gitlab.freedesktop.org/realmd/adcli/issues/3
---
 doc/adcli.xml | 10 ++++++++++
 library/adenroll.c | 22 +++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/doc/adcli.xml b/doc/adcli.xml
index 9605b4a..094f577 100644
--- a/doc/adcli.xml
+++ b/doc/adcli.xml
@@ -342,6 +342,11 @@ Password for Administrator:
+ If supported on the AD side the
+ attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.
@@ -475,6 +480,11 @@ $ adcli update --login-ccache=/tmp/krbcc_123
+ If supported on the AD side the
+ attribute will be set as
+ well. Either the current value or the default list of AD's supported
+ encryption types filtered by the permitted encryption types of the
+ client's Kerberos configuration are written.
diff --git a/library/adenroll.c b/library/adenroll.c
index 95c07cd..53cd812 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -639,6 +639,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 {
 char *value = NULL;
 krb5_enctype *read_enctypes;
+ krb5_enctype *new_enctypes;
 char *new_value = NULL;
 int is_2008_or_later;
 LDAP *ldap;
@@ -685,7 +686,14 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype)
 value = _adcli_krb5_format_enctypes (v51_earlier_enctypes);
 }
 
- new_value = _adcli_krb5_format_enctypes (adcli_enroll_get_keytab_enctypes (enroll));
+ new_enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (new_enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
+
+ new_value = _adcli_krb5_format_enctypes (new_enctypes);
+ krb5_free_enctypes (adcli_conn_get_krb5_context (enroll->conn), new_enctypes);
 if (new_value == NULL) {
 free (value);
 _adcli_warn ("The encryption types desired are not available in active directory");
@@ -1758,7 +1766,11 @@ add_principal_to_keytab (adcli_enroll *enroll,
 enroll->keytab_name);
 }
 
- enctypes = adcli_enroll_get_keytab_enctypes (enroll);
+ enctypes = adcli_enroll_get_permitted_keytab_enctypes (enroll);
+ if (enctypes == NULL) {
+ _adcli_warn ("No permitted encryption type found.");
+ return ADCLI_ERR_UNEXPECTED;
+ }
 
 if (flags & ADCLI_ENROLL_PASSWORD_VALID) {
 code = _adcli_krb5_keytab_copy_entries (k5, enroll->keytab, principal,
@@ -1774,7 +1786,10 @@ add_principal_to_keytab (adcli_enroll *enroll,
 */
 salts = build_principal_salts (enroll, k5, principal);
- return_unexpected_if_fail (salts != NULL);
+ if (salts == NULL) {
+ krb5_free_enctypes (k5, enctypes);
+ return ADCLI_ERR_UNEXPECTED;
+ }
 
 if (*which_salt < 0) {
 code = _adcli_krb5_keytab_discover_salt (k5, principal, enroll->kvno, &password,
@@ -1794,6 +1809,7 @@ add_principal_to_keytab (adcli_enroll *enroll,
 free_principal_salts (k5, salts);
 }
 
+ krb5_free_enctypes (k5, enctypes);
 if (code != 0) {
 _adcli_err ("Couldn't add keytab entries: %s: %s",
-- 
2.21.0
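Review bot: The new early return in calculate_enctypes when `adcli_enroll_get_permitted_keytab_enctypes` yields NULL leaks `value`, which the hunk's own `new_value == NULL` path frees a few lines later; add `free (value);` before `return ADCLI_ERR_UNEXPECTED;` (`value` starts as NULL in the 639 hunk, so the free is safe on every path). Reaching this branch means the client's permitted encryption types and the ones the keytab would use do not intersect, so the diagnostic would help an operator more if it named the client Kerberos configuration as the thing to check, e.g. `_adcli_warn ("No permitted encryption type found, check the permitted encryption types in the Kerberos configuration.");`. Since the function then fails with `ADCLI_ERR_UNEXPECTED`, `_adcli_err` would be the more consistent severity than `_adcli_warn`. calculate_enctypes starts and ends outside this hunk, so I cannot see whether `value` has other owners by this point.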
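Review bot: In add_principal_to_keytab `enctypes` is now heap-owned and released by hand on two separate paths, the `salts == NULL` branch in the 1774 hunk and the line added in the 1794 hunk, so any `return` in the code between those hunks, which is outside my view, would leak it; one `krb5_free_enctypes (k5, enctypes);` behind a cleanup label, or a release right after the last use of `enctypes`, would make the ownership harder to break as the function evolves. Replacing `return_unexpected_if_fail (salts != NULL)` with a bare `if` also drops whatever diagnostic that macro emits, assuming it logs the failed expression; an `_adcli_err` before the new `return ADCLI_ERR_UNEXPECTED;` would keep a trace of why enrollment aborted. The NULL check in the 1758 hunk warns with `_adcli_warn` but fails with `ADCLI_ERR_UNEXPECTED`, whereas the existing `Couldn't add keytab entries` path in the same function uses `_adcli_err`; the new check should match it. add_principal_to_keytab begins before the 1758 hunk and the `ADCLI_ENROLL_PASSWORD_VALID` branch continues past it.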