The branch, v4-6-test has been updated
       via  d0c6802 Revert "HEIMDAL:kdc: fix memory leak when decryption 
AuthorizationData"
       via  c190c37 Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in 
tgs_build_reply()"
       via  e1a5f80 Revert "HEIMDAL:kdc: if we don't have an authenticator 
subkey for S4U2Proxy we need to use the additional tickets key"
       via  542382a Revert "s4:kdc: fix the principal names in 
samba_kdc_update_delegation_info_blob"
       via  fb65808 Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the 
encryption type based on the server key"
       via  4afb9bd Revert "HEIMDAL:hdb: export a hdb_enctype_supported() 
helper function"
       via  cb60d1c Revert "s4:kdc: use the strongest possible tgs session key"
       via  0cd6906 Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on 
computers"
       via  89f27fa Revert "TODO s4:kdc: indicate support for new encryption 
types by adding empty keys"
       via  3a54a04 Revert "HEIMDAL:kdc: use the correct authtime from 
addtitional ticket for S4U2Proxy tickets"
      from  56a40ab samba: Only use async signal-safe functions in signal 
handler

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-test


- Log -----------------------------------------------------------------
commit d0c6802bd6f5be279b95858a6a6920a1745c32a8
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:23 2018 +0100

    Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData"
    
    This reverts commit 678a7a32473b1f64421cd905b7d535878eb11cab.
    
    Autobuild-User(v4-6-test): Karolin Seeger <ksee...@samba.org>
    Autobuild-Date(v4-6-test): Wed Feb 21 15:14:49 CET 2018 on sn-devel-144

commit c190c375403ec80c2c9b34f195c1c0fb6a172595
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:23 2018 +0100

    Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()"
    
    This reverts commit e8988e614aaf269b24b072e483047bdcd80fef33.

commit e1a5f808c571a8c0d66c5407f8327d4648045847
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:23 2018 +0100

    Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy 
we need to use the additional tickets key"
    
    This reverts commit ec57c13dc378d15dad98efd59e86bcc2775c5b0a.

commit 542382aa2fba9ce43f77882963ccb13f84574a4f
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "s4:kdc: fix the principal names in 
samba_kdc_update_delegation_info_blob"
    
    This reverts commit 2557d5c6235f7d24866163124fc254cfe81d3871.

commit fb65808bb2d1daf5bbf56b59ac3d9501da101cb4
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "HEIMDAL:kdc: let _kdc_encode_reply() use the encryption type based 
on the server key"
    
    This reverts commit 03484706e4ff546fc7fe41124d896e9f7840fe80.

commit 4afb9bddeb074ecd3d8b3c704cfd91907f34c9fb
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "HEIMDAL:hdb: export a hdb_enctype_supported() helper function"
    
    This reverts commit 18d7cf191718b3a30165a43271e503cc07ca5b50.

commit cb60d1c2175c32a4b3879d2c9e39a4760d17f78a
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "s4:kdc: use the strongest possible tgs session key"
    
    This reverts commit 9fdf175905efde803941a5876ce7e060013fc9a0.

commit 0cd690617547366562fb1deed049f0c7ab129b3e
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "TODO s4:kdc: msDS-SupportedEncryptionTypes only on computers"
    
    This reverts commit fe146338f304a52f861777ada5774887fe0776e3.

commit 89f27fab18020c5b236a684359a1172981528425
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "TODO s4:kdc: indicate support for new encryption types by adding 
empty keys"
    
    This reverts commit bf07697273017014516010475f79be3e59a2ce07.

commit 3a54a0497315430501a13f6397f3e2889197158a
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed Feb 21 10:15:22 2018 +0100

    Revert "HEIMDAL:kdc: use the correct authtime from addtitional ticket for 
S4U2Proxy tickets"
    
    This reverts commit 9ecdf21e174ba7525b77035664428fbdcbf53690.

-----------------------------------------------------------------------

Summary of changes:
 source4/heimdal/kdc/kerberos5.c            |  20 ++---
 source4/heimdal/kdc/krb5tgs.c              | 127 ++++++++++++++---------------
 source4/heimdal/lib/hdb/hdb.c              |  30 +------
 source4/heimdal/lib/hdb/version-script.map |   1 -
 source4/kdc/db-glue.c                      |  73 +----------------
 source4/kdc/kdc-heimdal.c                  |   6 +-
 source4/kdc/pac-glue.c                     |   6 +-
 7 files changed, 80 insertions(+), 183 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c
index c6ec65e..3282d5e 100644
--- a/source4/heimdal/kdc/kerberos5.c
+++ b/source4/heimdal/kdc/kerberos5.c
@@ -131,7 +131,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean 
use_strongest_session_key,
     krb5_error_code ret;
     krb5_salt def_salt;
     krb5_enctype enctype = ETYPE_NULL;
-    Key *key = NULL;
+    Key *key;
     int i;
 
     /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
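Review bot: `Key *key;` is left without an initializer, so on any path where no lookup writes it the pointer is indeterminate. The loop in the next hunk can finish through the `clientbest` fallback without a key having been accepted. If code after that hunk hands `key` to the caller (not visible here), it would pass on a pointer that was never validated. Keeping `Key *key = NULL;` costs nothing and turns that case into a clean NULL. The body of _kdc_find_etype continues outside this hunk.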
@@ -159,34 +159,29 @@ _kdc_find_etype(krb5_context context, krb5_boolean 
use_strongest_session_key,
 
        /* drive the search with local supported enctypes list */
        p = krb5_kerberos_enctypes(context);
-       for (i = 0; p[i] != ETYPE_NULL && key == NULL; i++) {
+       for (i = 0; p[i] != ETYPE_NULL && enctype == ETYPE_NULL; i++) {
            if (krb5_enctype_valid(context, p[i]) != 0)
                continue;
 
            /* check that the client supports it too */
-           for (j = 0; j < len && key == NULL; j++) {
+           for (j = 0; j < len && enctype == ETYPE_NULL; j++) {
                if (p[i] != etypes[j])
                    continue;
                /* save best of union of { client, crypto system } */
                if (clientbest == ETYPE_NULL)
                    clientbest = p[i];
-               if (enctype == ETYPE_NULL) {
-                   ret = hdb_enctype_supported(context, &princ->entry, p[i]);
-                   if (ret == 0) {
-                       enctype = p[i];
-                   }
-               }
                /* check target princ support */
                ret = hdb_enctype2key(context, &princ->entry, p[i], &key);
                if (ret)
                    continue;
                if (is_preauth && !is_default_salt_p(&def_salt, key))
                    continue;
+               enctype = p[i];
            }
        }
        if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL)
            enctype = clientbest;
-       else if (key == NULL)
+       else if (enctype == ETYPE_NULL)
            ret = KRB5KDC_ERR_ETYPE_NOSUPP;
        if (ret == 0 && ret_enctype != NULL)
            *ret_enctype = enctype;
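Review bot: In the `clientbest` fallback at the end of this hunk, `enctype` is assigned but `ret` is left at whatever the last `hdb_enctype2key()` call returned. Whether `*ret_enctype` gets written therefore depends on which client/local pairing was tried last: a failed lookup leaves `ret` non-zero and the fallback is discarded, while a key rejected by the salt check leaves `ret == 0`. I would make the outcome explicit in that branch, for example `if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL) { enctype = clientbest; ret = 0; }`, after confirming that callers cope with a chosen enctype for which no key was accepted. The function starts before and continues after this hunk.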
@@ -327,6 +322,7 @@ krb5_error_code
 _kdc_encode_reply(krb5_context context,
                  krb5_kdc_configuration *config,
                  KDC_REP *rep, const EncTicketPart *et, EncKDCRepPart *ek,
+                 krb5_enctype etype,
                  int skvno, const EncryptionKey *skey,
                  int ckvno, const EncryptionKey *reply_key,
                  int rk_is_subkey,
@@ -353,7 +349,7 @@ _kdc_encode_reply(krb5_context context,
        return KRB5KRB_ERR_GENERIC;
     }
 
-    ret = krb5_crypto_init(context, skey, 0, &crypto);
+    ret = krb5_crypto_init(context, skey, etype, &crypto);
     if (ret) {
         const char *msg;
        free(buf);
@@ -1724,7 +1720,7 @@ _kdc_as_rep(krb5_context context,
     log_as_req(context, config, reply_key->keytype, setype, b);
 
     ret = _kdc_encode_reply(context, config,
-                           &rep, &et, &ek, server->entry.kvno,
+                           &rep, &et, &ek, setype, server->entry.kvno,
                            &skey->key, client->entry.kvno,
                            reply_key, 0, &e_text, reply);
     free_EncTicketPart(&et);
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index e11ad52..a888788 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -725,7 +725,6 @@ tgs_make_reply(krb5_context context,
               KDC_REQ_BODY *b,
               krb5_const_principal tgt_name,
               const EncTicketPart *tgt,
-              const EncTicketPart *adtgt,
               const krb5_keyblock *replykey,
               int rk_is_subkey,
               const EncryptionKey *serverkey,
@@ -759,7 +758,7 @@ tgs_make_reply(krb5_context context,
     rep.pvno = 5;
     rep.msg_type = krb_tgs_rep;
 
-    et.authtime = adtgt->authtime;
+    et.authtime = tgt->authtime;
     _kdc_fix_time(&b->till);
     et.endtime = min(tgt->endtime, *b->till);
     ALLOC(et.starttime);
@@ -988,7 +987,7 @@ tgs_make_reply(krb5_context context,
        etype list, even if we don't want a session key with
        DES3? */
     ret = _kdc_encode_reply(context, config,
-                           &rep, &et, &ek,
+                           &rep, &et, &ek, et.key.keytype,
                            kvno,
                            serverkey, 0, replykey, rk_is_subkey,
                            e_text, reply);
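Review bot: The enctype passed here, `et.key.keytype`, is the type of the ticket's session key, while the key handed to `_kdc_encode_reply()` for sealing the ticket is `serverkey`. With the `etype` parameter restored, the callee runs `krb5_crypto_init(context, skey, etype, &crypto)` (kerberos5.c hunk at -353), so the two have to agree. When the session key and the service's long-term key are of different types, the init may fail or the ticket may be sealed under an enctype that was not intended. Consider passing `serverkey->keytype` here, or checking that the two match before the call. tgs_make_reply starts and ends outside this hunk.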
@@ -1160,6 +1159,7 @@ tgs_parse_request(krb5_context context,
                  const struct sockaddr *from_addr,
                  time_t **csec,
                  int **cusec,
+                 AuthorizationData **auth_data,
                  krb5_keyblock **replykey,
                  int *rk_is_subkey)
 {
@@ -1170,11 +1170,14 @@ tgs_parse_request(krb5_context context,
     krb5_auth_context ac = NULL;
     krb5_flags ap_req_options;
     krb5_flags verify_ap_req_flags;
+    krb5_crypto crypto;
     Key *tkey;
     krb5_keyblock *subkey = NULL;
+    unsigned usage;
     krb5uint32 kvno = 0;
     krb5uint32 *kvno_ptr = NULL;
 
+    *auth_data = NULL;
     *csec  = NULL;
     *cusec = NULL;
     *replykey = NULL;
@@ -1325,6 +1328,7 @@ tgs_parse_request(krb5_context context,
        goto out;
     }
 
+    usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
     *rk_is_subkey = 1;
 
     ret = krb5_auth_con_getremotesubkey(context, ac, &subkey);
@@ -1336,6 +1340,7 @@ tgs_parse_request(krb5_context context,
        goto out;
     }
     if(subkey == NULL){
+       usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
        *rk_is_subkey = 0;
 
        ret = krb5_auth_con_getkey(context, ac, &subkey);
@@ -1357,6 +1362,47 @@ tgs_parse_request(krb5_context context,
 
     *replykey = subkey;
 
+    if (b->enc_authorization_data) {
+       krb5_data ad;
+
+       ret = krb5_crypto_init(context, subkey, 0, &crypto);
+       if (ret) {
+           const char *msg = krb5_get_error_message(context, ret);
+           krb5_auth_con_free(context, ac);
+           kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+           krb5_free_error_message(context, msg);
+           goto out;
+       }
+       ret = krb5_decrypt_EncryptedData (context,
+                                         crypto,
+                                         usage,
+                                         b->enc_authorization_data,
+                                         &ad);
+       krb5_crypto_destroy(context, crypto);
+       if(ret){
+           krb5_auth_con_free(context, ac);
+           kdc_log(context, config, 0,
+                   "Failed to decrypt enc-authorization-data");
+           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+           goto out;
+       }
+       ALLOC(*auth_data);
+       if (*auth_data == NULL) {
+           krb5_auth_con_free(context, ac);
+           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+           goto out;
+       }
+       ret = decode_AuthorizationData(ad.data, ad.length, *auth_data, NULL);
+       if(ret){
+           krb5_auth_con_free(context, ac);
+           free(*auth_data);
+           *auth_data = NULL;
+           kdc_log(context, config, 0, "Failed to decode authorization data");
+           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
+           goto out;
+       }
+    }
+
     krb5_auth_con_free(context, ac);
 
 out:
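Review bot: The buffer `ad` filled by `krb5_decrypt_EncryptedData()` in the added `enc_authorization_data` block is never released: not after `decode_AuthorizationData()` succeeds, and not on the `ALLOC(*auth_data)` or decode failure paths. Each TGS request that carries enc-authorization-data therefore leaves the decrypted plaintext allocated in the KDC process, so memory use grows with request volume. Add `krb5_data_free(&ad);` right after the `decode_AuthorizationData()` call and in the `*auth_data == NULL` branch before `goto out`. The allocation-failure branch also reports `KRB5KRB_AP_ERR_BAD_INTEGRITY`, where `ENOMEM` would describe the failure. tgs_parse_request continues past the `out:` label outside this hunk.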
@@ -1454,6 +1500,7 @@ tgs_build_reply(krb5_context context,
                krb5_data *reply,
                const char *from,
                const char **e_text,
+               AuthorizationData **auth_data,
                const struct sockaddr *from_addr)
 {
     krb5_error_code ret;
@@ -1469,9 +1516,6 @@ tgs_build_reply(krb5_context context,
     krb5_keyblock sessionkey;
     krb5_kvno kvno;
     krb5_data rspac;
-    AuthorizationData *auth_data = NULL;
-    const EncryptionKey *auth_data_key = replykey;
-    unsigned auth_data_usage;
 
     hdb_entry_ex *krbtgt_out = NULL;
 
@@ -1481,7 +1525,6 @@ tgs_build_reply(krb5_context context,
     Realm r;
     int nloop = 0;
     EncTicketPart adtkt;
-    EncTicketPart *adtgt = tgt;
     char opt_str[128];
     int signedpath = 0;
 
@@ -1497,12 +1540,6 @@ tgs_build_reply(krb5_context context,
     s = b->sname;
     r = b->realm;
 
-    if (rk_is_subkey != 0) {
-       auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SUBKEY;
-    } else {
-       auth_data_usage = KRB5_KU_TGS_REQ_AUTH_DAT_SESSION;
-    }
-
     if (b->kdc_options.canonicalize)
        flags |= HDB_F_CANON;
 
@@ -1705,7 +1742,7 @@ server_lookup:
 
            ret = _kdc_find_etype(context,
                                  config->tgs_use_strongest_session_key, FALSE,
-                                 server, b->etype.val, b->etype.len, &etype,
+                                 server, b->etype.val, b->etype.len, NULL,
                                  &skey);
            if(ret) {
                kdc_log(context, config, 0,
@@ -1713,6 +1750,7 @@ server_lookup:
                goto out;
            }
            ekey = &skey->key;
+           etype = skey->key.keytype;
            kvno = server->entry.kvno;
        }
 
@@ -2145,55 +2183,10 @@ server_lookup:
            goto out;
        }
 
-       if (rk_is_subkey == 0) {
-           auth_data_key = &adtkt.key;
-       }
-       adtgt = &adtkt;
        kdc_log(context, config, 0, "constrained delegation for %s "
                "from %s (%s) to %s", tpn, cpn, dpn, spn);
     }
 
-    if (b->enc_authorization_data) {
-       krb5_data ad;
-       krb5_crypto crypto;
-
-       ret = krb5_crypto_init(context, auth_data_key, 0, &crypto);
-       if (ret) {
-           const char *msg = krb5_get_error_message(context, ret);
-           kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
-           krb5_free_error_message(context, msg);
-           goto out;
-       }
-
-       ret = krb5_decrypt_EncryptedData (context,
-                                         crypto,
-                                         auth_data_usage,
-                                         b->enc_authorization_data,
-                                         &ad);
-       krb5_crypto_destroy(context, crypto);
-       if(ret){
-           kdc_log(context, config, 0,
-                   "Failed to decrypt enc-authorization-data");
-           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-           goto out;
-       }
-       ALLOC(auth_data);
-       if (auth_data == NULL) {
-           krb5_data_free(&ad);
-           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-           goto out;
-       }
-       ret = decode_AuthorizationData(ad.data, ad.length, auth_data, NULL);
-       krb5_data_free(&ad);
-       if(ret){
-           free(auth_data);
-           auth_data = NULL;
-           kdc_log(context, config, 0, "Failed to decode authorization data");
-           ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; /* ? */
-           goto out;
-       }
-    }
-
     /*
      * Check flags
      */
@@ -2264,13 +2257,12 @@ server_lookup:
                         b,
                         tp,
                         tgt,
-                        adtgt,
                         replykey,
                         rk_is_subkey,
                         ekey,
                         &sessionkey,
                         kvno,
-                        auth_data,
+                        *auth_data,
                         server,
                         server->entry.principal,
                         spn,
@@ -2315,11 +2307,6 @@ out:
        free(ref_realm);
     free_METHOD_DATA(&enc_pa_data);
 
-    if (auth_data) {
-       free_AuthorizationData(auth_data);
-       free(auth_data);
-    }
-
     free_EncTicketPart(&adtkt);
 
     return ret;
@@ -2338,6 +2325,7 @@ _kdc_tgs_rep(krb5_context context,
             struct sockaddr *from_addr,
             int datagram_reply)
 {
+    AuthorizationData *auth_data = NULL;
     krb5_error_code ret;
     int i = 0;
     const PA_DATA *tgs_req;
@@ -2376,6 +2364,7 @@ _kdc_tgs_rep(krb5_context context,
                            &e_text,
                            from, from_addr,
                            &csec, &cusec,
+                           &auth_data,
                            &replykey,
                            &rk_is_subkey);
     if (ret == HDB_ERR_NOT_FOUND_HERE) {
@@ -2400,6 +2389,7 @@ _kdc_tgs_rep(krb5_context context,
                          data,
                          from,
                          &e_text,
+                         &auth_data,
                          from_addr);
     if (ret) {
        kdc_log(context, config, 0,
@@ -2436,5 +2426,10 @@ out:
     if(krbtgt)
        _kdc_free_ent(context, krbtgt);
 
+    if (auth_data) {
+       free_AuthorizationData(auth_data);
+       free(auth_data);
+    }
+
     return ret;
 }
diff --git a/source4/heimdal/lib/hdb/hdb.c b/source4/heimdal/lib/hdb/hdb.c
index 4c8df93..5dc5a09 100644
--- a/source4/heimdal/lib/hdb/hdb.c
+++ b/source4/heimdal/lib/hdb/hdb.c
@@ -93,12 +93,11 @@ static struct hdb_method dbmetod =
 #endif
 
 
-static krb5_error_code
-_hdb_next_enctype2key(krb5_context context,
+krb5_error_code
+hdb_next_enctype2key(krb5_context context,
                     const hdb_entry *e,
                     krb5_enctype enctype,
-                    Key **key,
-                    bool require_key)
+                    Key **key)
 {
     Key *k;
 
@@ -106,10 +105,6 @@ _hdb_next_enctype2key(krb5_context context,
         k < e->keys.val + e->keys.len;
         k++)
     {
-       if (require_key && k->key.keyvalue.length == 0) {
-           continue;
-       }
-
        if(k->key.keytype == enctype){
            *key = k;
            return 0;
@@ -121,16 +116,6 @@ _hdb_next_enctype2key(krb5_context context,
     return KRB5_PROG_ETYPE_NOSUPP; /* XXX */
 }
 
-
-krb5_error_code
-hdb_next_enctype2key(krb5_context context,
-                    const hdb_entry *e,
-                    krb5_enctype enctype,
-                    Key **key)
-{
-       return _hdb_next_enctype2key(context, e, enctype, key, true);
-}
-
 krb5_error_code
 hdb_enctype2key(krb5_context context,
                hdb_entry *e,
@@ -141,15 +126,6 @@ hdb_enctype2key(krb5_context context,
     return hdb_next_enctype2key(context, e, enctype, key);
 }
 
-krb5_error_code
-hdb_enctype_supported(krb5_context context,
-               hdb_entry *e,
-               krb5_enctype enctype)
-{
-    Key *key = NULL;
-    return _hdb_next_enctype2key(context, e, enctype, &key, false);
-}
-
 void
 hdb_free_key(Key *key)
 {
diff --git a/source4/heimdal/lib/hdb/version-script.map 
b/source4/heimdal/lib/hdb/version-script.map
index c4bd8f4..f80fb78 100644
--- a/source4/heimdal/lib/hdb/version-script.map
+++ b/source4/heimdal/lib/hdb/version-script.map
@@ -20,7 +20,6 @@ HEIMDAL_HDB_1.0 {
                hdb_dbinfo_get_realm;
                hdb_default_db;
                hdb_enctype2key;
-               hdb_enctype_supported;
                hdb_entry2string;
                hdb_entry2value;
                hdb_entry_alias2value;
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bfd940c..bf55bef 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -267,7 +267,6 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
                                                    bool is_rodc,
                                                    uint32_t userAccountControl,
                                                    enum samba_kdc_ent_type 
ent_type,
-                                                   unsigned flags,
                                                    struct sdb_entry_ex 
*entry_ex)
 {
        krb5_error_code ret = 0;
@@ -288,38 +287,6 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
                = ldb_msg_find_attr_as_uint(msg,
                                            "msDS-SupportedEncryptionTypes",
                                            0);
-       uint32_t new_session_enctypes = 0;
-       const krb5_enctype newer_enctypes[] = {
-               ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-               ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-       };
-
-       switch (ent_type) {
-       case SAMBA_KDC_ENT_TYPE_CLIENT:
-       case SAMBA_KDC_ENT_TYPE_ANY:
-               break;
-       case SAMBA_KDC_ENT_TYPE_SERVER:
-       case SAMBA_KDC_ENT_TYPE_KRBTGT:
-       case SAMBA_KDC_ENT_TYPE_TRUST:
-               if (flags & (SDB_F_FOR_AS_REQ|SDB_F_FOR_TGS_REQ)) {
-                       /*
-                        * We should indicate support for new encryption
-                        * types (for session keys) via empty keyvalues,
-                        * in case we don't have stored keys for such encryption
-                        * types.
-                        */
-                       new_session_enctypes = supported_enctypes;
-               }
-               break;
-       }
-
-       if (userAccountControl & UF_NORMAL_ACCOUNT) {
-               supported_enctypes = 0;
-       }
-       if (supported_enctypes == 0) {
-               /* Otherwise, add in the default enc types */
-               supported_enctypes |= ENC_CRC32 | ENC_RSA_MD5 | 
ENC_RC4_HMAC_MD5;
-       }
 
        if (rid == DOMAIN_RID_KRBTGT || is_rodc) {
                /* KDCs (and KDCs on RODCs) use AES */
@@ -341,7 +308,7 @@ static krb5_error_code 
samba_kdc_message2entry_keys(krb5_context context,
        /* If UF_USE_DES_KEY_ONLY has been set, then don't allow use of the 
newer enc types */
        if (userAccountControl & UF_USE_DES_KEY_ONLY) {
                supported_enctypes = ENC_CRC32|ENC_RSA_MD5;


-- 
Samba Shared Repository
