adcli should respect Kerberos enctypes
Submitted by Philipp
Assigned to Stef Walter
Link to original bug (#105782)
Description
Reference: https://lists.freedesktop.org/archives/authentication/2018-March/000360.html
In short, there appears to be no way to control the keytab created by adcli join / adcli update. It will always write all five keys per principal as though msDS-supportedEncryptionTypes were set to 31.
MS-ADA2 specifies: "This attribute specifies the encryption algorithms supported by user, computer, or trust accounts. The Key Distribution Center (KDC) uses this information while generating a service ticket for this account. Services and computers can automatically update this attribute on their respective accounts in Active Directory, and therefore need write access to this attribute." (p. 184, sect. 2.464)
I.e. this attribute is the means by which the client tells the KDC which enctypes it wants to support.
Thus, a join with adcli should set the value corresponding to what the client wishes to support, preferably the “permitted_enctypes” value of /etc/krb5.conf. Being able to override this by specifying a list of enctypes in a command line parameter would be handy as well.
Also, the keytab created on the client should contain only the keys for the enctypes specified in AD through msDS-supportedEncryptionTypes. If the value changes in LDAP (e.g. by editing the computer account), the next adcli update should create a keytab containing the keys for the new set of enctypes.
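The two translations the report asks for, as an added example that is neither adcli's code nor the reporter's: mapping the krb5.conf permitted_enctypes list to a msDS-supportedEncryptionTypes value (and decoding an existing value such as 31 back to enctype names), and trimming a keytab listing to the enctypes that value allows. The bit values are those of MS-KILE section 2.2.7. Assumptions, labelled as such: the krb5.conf parser only handles a flat `permitted_enctypes = ...` line under [libdefaults] (no +/- prefixes, no DEFAULT keyword), the capability bits above 0x10 (FAST and friends) are preserved rather than interpreted, and the keytab listing and krb5.conf text are constructed inline rather than read from the system.

```python
"""Added example (not adcli's code): translate between krb5 enctype names
and the msDS-supportedEncryptionTypes bitmask (MS-KILE 2.2.7), and keep only
the keytab entries that bitmask allows. krb5.conf handling and the sample
keytab are simplified assumptions, see the comments."""

# Enctype bits of msDS-supportedEncryptionTypes (MS-KILE section 2.2.7).
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1_96 = 0x08
AES256_CTS_HMAC_SHA1_96 = 0x10
ENCTYPE_MASK = 0x1F  # all five enctype bits; 31 is the value the report says adcli assumes
# Bits above 0x10 (0x20 FAST, 0x40 compound identity, ...) are capability
# flags, not enctypes; a rewrite of the enctype bits must leave them alone.

# Canonical MIT krb5 name per bit, plus aliases krb5.conf accepts.
CANONICAL_NAME = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    RC4_HMAC: "rc4-hmac",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
}
ALIASES = {
    "arcfour-hmac": RC4_HMAC, "arcfour-hmac-md5": RC4_HMAC,
    "aes128-cts": AES128_CTS_HMAC_SHA1_96, "aes128-sha1": AES128_CTS_HMAC_SHA1_96,
    "aes256-cts": AES256_CTS_HMAC_SHA1_96, "aes256-sha1": AES256_CTS_HMAC_SHA1_96,
}
NAME_TO_BIT = {**{name: bit for bit, name in CANONICAL_NAME.items()}, **ALIASES}


def enctypes_to_mask(names):
    """Bitmask for a list of krb5 enctype names. Raises ValueError for enctypes
    AD cannot express (e.g. the SHA-2 AES types), so a permitted_enctypes that
    the KDC could never honour is reported instead of silently dropped."""
    mask, unknown = 0, []
    for name in names:
        bit = NAME_TO_BIT.get(name.lower())
        if bit is None:
            unknown.append(name)
        else:
            mask |= bit
    if unknown:
        raise ValueError("no msDS-supportedEncryptionTypes bit for: " + ", ".join(unknown))
    return mask


def mask_to_enctypes(mask):
    """Canonical names of the enctype bits set in mask, lowest bit first."""
    return [CANONICAL_NAME[bit] for bit in sorted(CANONICAL_NAME) if mask & bit]


def updated_attribute_value(current, names):
    """Value to write back to AD: enctype bits replaced, capability bits kept."""
    return (current & ~ENCTYPE_MASK) | enctypes_to_mask(names)


def permitted_enctypes_from_krb5_conf(text):
    """permitted_enctypes from [libdefaults], or [] if unset (assumption: a flat
    'key = value' line; krb5's +/- prefixes and DEFAULT are not handled)."""
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "permitted_enctypes":
                return value.replace(",", " ").split()
    return []


def keytab_entries_for(mask, entries):
    """Keep (kvno, principal, enctype) entries whose enctype bit is set in mask.
    Enctypes with no AD bit at all are dropped, since AD will never issue
    tickets for them."""
    return [e for e in entries if NAME_TO_BIT.get(e[2].lower(), 0) & mask]


# Constructed sample inputs (not taken from a real host).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
# One key per enctype, i.e. the "as though the attribute were 31" keytab
# the report describes, in the shape of a `klist -k -e` listing.
SAMPLE_KEYTAB = [
    (2, "host/ws1.example.com@EXAMPLE.COM", "des-cbc-crc"),
    (2, "host/ws1.example.com@EXAMPLE.COM", "des-cbc-md5"),
    (2, "host/ws1.example.com@EXAMPLE.COM", "arcfour-hmac"),
    (2, "host/ws1.example.com@EXAMPLE.COM", "aes128-cts-hmac-sha1-96"),
    (2, "host/ws1.example.com@EXAMPLE.COM", "aes256-cts-hmac-sha1-96"),
]

if __name__ == "__main__":
    names = permitted_enctypes_from_krb5_conf(SAMPLE_KRB5_CONF)
    mask = enctypes_to_mask(names)
    print("permitted_enctypes:", names)
    print("msDS-supportedEncryptionTypes to set: %d (0x%x)" % (mask, mask))
    print("existing value 31 decodes to:", mask_to_enctypes(31))
    for kvno, princ, etype in keytab_entries_for(mask, SAMPLE_KEYTAB):
        print("keep: kvno %d %s (%s)" % (kvno, princ, etype))
```

Two points worth keeping in mind when applying this to a real join: the attribute carries capability bits above the five enctype bits, so a client should read-modify-write it rather than overwrite it with the bare enctype mask, and a permitted_enctypes that names an enctype AD has no bit for (the SHA-2 AES types) is a configuration error the tool should surface, which is why enctypes_to_mask raises rather than ignoring the name.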