From b018dd4ae5c176d61115b6ec7bf3e2bd19c559a4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 18 Nov 2019 17:30:18 +0100 Subject: [PATCH 205/208] param: Do not use weak crypto for kerberos if disallowed Signed-off-by: Andreas Schneider --- .../smbdotconf/security/kerberosencryptiontypes.xml | 5 +++++ lib/param/loadparm.c | 10 ++++++++++ source3/include/proto.h | 1 + source3/param/loadparm.c | 9 +++++++++ 4 files changed, 25 insertions(+) diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml index 2c3c6c5d5fc..5b0c1a40fcc 100644 --- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml +++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml @@ -2,6 +2,7 @@ context="G" type="enum" enumlist="enum_kerberos_encryption_types_vals" + function="_kerberos_encryption_types" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> This parameter determines the encryption types to use when operating @@ -47,6 +48,10 @@ encryption. It is assumed of course that the weaker legacy encryption types are acceptable for the setup. + + If weak cryptography is not allowed by the system, then this + variable will be forced to strong. In this case + it is not possible to override this value. all diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 83dc111c05c..41a4c110195 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -96,6 +96,16 @@ int lpcfg_rpc_high_port(struct loadparm_context *lp_ctx) return lp_ctx->globals->rpc_high_port; } +int lpcfg_kerberos_encryption_types(struct loadparm_context *lp_ctx) +{ + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { + return KERBEROS_ETYPES_STRONG; + } + + return lpcfg__kerberos_encryption_types(lp_ctx); +} + + enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx) { if (lp_ctx->globals->weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) { 
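Review bot: `lpcfg_kerberos_encryption_types()` in lib/param/loadparm.c has no comment marking it as the policy-enforcing accessor, although the `function="_kerberos_encryption_types"` attribute added in the XML hunk leaves a raw getter, `lpcfg__kerberos_encryption_types()`, that it calls by name. Any caller that uses the raw getter or reads the globals field directly receives the configured value, including `legacy` or `all`, even when `lpcfg_weak_crypto()` reports `SAMBA_WEAK_CRYPTO_DISALLOWED`. I would add above the definition: `/* Effective Kerberos etypes: forced to KERBEROS_ETYPES_STRONG when weak crypto is disallowed. Do not call lpcfg__kerberos_encryption_types() directly. */`. The same comment is missing on `lp_kerberos_encryption_types()` in source3/param/loadparm.c.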
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 956a328b626..aaa101fc63c 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -755,6 +755,7 @@ bool lp_widelinks(int );
 int lp_rpc_low_port(void);
 int lp_rpc_high_port(void);
 bool lp_lanman_auth(void);
+int lp_kerberos_encryption_types(void);
 enum samba_weak_crypto lp_weak_crypto(void);
 int lp_wi_scan_global_parametrics(
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c1d02cf5bc6..e68140ae5f0 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -4679,6 +4679,15 @@ bool lp_lanman_auth(void)
 }
 }
+int lp_kerberos_encryption_types(void)
+{
+ if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ return KERBEROS_ETYPES_STRONG;
+ }
+
+ return lp__kerberos_encryption_types();
+}
+
 struct loadparm_global * get_globals(void)
 {
 return &Globals;
-- 2.23.0
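Review bot: `lp_kerberos_encryption_types()` in source3/param/loadparm.c is a second hand-written copy of the weak-crypto gate that this commit also adds as `lpcfg_kerberos_encryption_types()` in lib/param/loadparm.c, and neither copy refers to the other. If one is later changed, for instance to treat another `samba_weak_crypto` state as restrictive, the other would keep returning the configured etypes and the two code paths would apply different Kerberos policy. A cross-reference above the function, such as `/* Must match lpcfg_kerberos_encryption_types() in lib/param/loadparm.c */`, would make that dependency visible. In both copies the override is also silent, so a low-volume debug message when a configured non-strong value is replaced would let operators tell the effective setting from the configured one.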