CA-408843: XSI-1852: Set encryption type of machine account

According to https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/decrypting-the-selection-of-supported-kerberos-encryption-types/1628797
msDS-SupportedEncryptionTypes of machine account help to decide
Service Ticket encryption type

Some customer IT teams have strict encryption types limitation in
their domains

This commit add winbind_set_machine_account_kerberos_encryption_type
and default to false. When enabled, xapi set the machine account
encryption types consistent with the samba client

Signed-off-by: Lin Liu <[email protected]>

Author: liulinC

ocaml/xapi-aux/kerberos_encryption_types.ml

@@ -20,6 +20,24 @@
 module Winbind = struct
   type t = Strong | Legacy | All
 
+  (*
+     * [X] 0x00000001 DES-CBC-CRC
+     * [X] 0x00000002 DES-CBC-MD5
+     * [X] 0x00000004 RC4-HMAC
+     * [X] 0x00000008 AES128-CTS-HMAC-SHA1-96
+     * [X] 0x00000010 AES256-CTS-HMAC-SHA1-96
+     * *)
+
+  let des_cbc_crc = 0x1
+
+  let des_cbc_md5 = 0x2
+
+  let rc4_hmac = 0x4
+
+  let aes128_cts_hmac_sha1_96 = 0x8
+
+  let aes256_cts_hmac_sha1_96 = 0x10
+
   let to_string = function
     | Strong ->
         "strong"
@@ -28,6 +46,26 @@ module Winbind = struct
     | All ->
         "all"
 
+  let add x y = x lor y
+
+  let to_encoding = function
+    (*
+     * 0x00000001 DES-CBC-CRC
+     * 0x00000002 DES-CBC-MD5
+     * 0x00000004 RC4-HMAC
+     * 0x00000008 AES128-CTS-HMAC-SHA1-96
+     * 0x00000010 AES256-CTS-HMAC-SHA1-96
+     * *)
+    | Strong ->
+        add aes128_cts_hmac_sha1_96 aes256_cts_hmac_sha1_96
+    | Legacy ->
+        rc4_hmac
+    | All ->
+        add des_cbc_crc des_cbc_md5
+        |> add rc4_hmac
+        |> add aes128_cts_hmac_sha1_96
+        |> add aes256_cts_hmac_sha1_96
+
   let of_string = function
     | "all" ->
         Some All

ocaml/xapi-aux/kerberos_encryption_types.mli

@@ -17,5 +17,7 @@ module Winbind : sig
 
   val to_string : t -> string
 
+  val to_encoding : t -> int
+
   val of_string : string -> t option
 end

ocaml/xapi/extauth_plugin_ADwinbind.ml

@@ -1085,6 +1085,35 @@ module Winbind = struct
       netbios_name
     ) else
       hostname
+
+  let set_machine_account_encryption_type netbios_name =
+    match !Xapi_globs.winbind_set_machine_account_kerberos_encryption_type with
+    | true -> (
+        let args =
+          [
+            "ads"
+          ; "enctypes"
+          ; "set"
+          ; "--machine-pass"
+          ; "-d"
+          ; debug_level ()
+          ; Printf.sprintf "%s$" netbios_name
+          ; Printf.sprintf "%d"
+              (Kerberos_encryption_types.Winbind.to_encoding
+                 !Xapi_globs.winbind_kerberos_encryption_type
+              )
+          ]
+        in
+        try
+          Helpers.call_script
+            ~timeout:Mtime.Span.(5 * s)
+            !Xapi_globs.net_cmd args
+          |> ignore
+        with _ ->
+          warn "Failed to set machine account encryption type, ignoring"
+      )
+    | false ->
+        debug "Skip setting machine account encryption type to DC"
 end
 
 module ClosestKdc = struct
@@ -1688,10 +1717,11 @@ module AuthADWinbind : Auth_signature.AUTH_MODULE = struct
         ~ou_conf ~workgroup:(Some workgroup)
         ~machine_pwd_last_change_time:(Some machine_pwd_last_change_time)
         ~netbios_name:(Some netbios_name) ;
+      (* Trigger right now *)
       ClosestKdc.trigger_update ~start:0. ;
       RotateMachinePassword.trigger_rotate ~start:0. ;
       ConfigHosts.join ~domain:service_name ~name:netbios_name ;
-      (* Trigger right now *)
+      Winbind.set_machine_account_encryption_type netbios_name ;
       debug "Succeed to join domain %s" service_name
     with
     | Forkhelpers.Spawn_internal_error (_, stdout, _) ->

ocaml/xapi/xapi_globs.ml

@@ -1004,6 +1004,8 @@ let winbind_update_closest_kdc_interval = ref (3600. *. 22.)
 
 let winbind_kerberos_encryption_type = ref Kerberos_encryption_types.Winbind.All
 
+let winbind_set_machine_account_kerberos_encryption_type = ref false
+
 let winbind_allow_kerberos_auth_fallback = ref false
 
 let winbind_keep_configuration = ref false
@@ -1546,6 +1548,14 @@ let other_options =
     , "Encryption types to use when operating as Kerberos client \
        [strong|legacy|all]"
     )
+  ; ( "winbind_set_machine_account_kerberos_encryption_type"
+    , Arg.Set winbind_set_machine_account_kerberos_encryption_type
+    , (fun () ->
+        string_of_bool !winbind_set_machine_account_kerberos_encryption_type
+      )
+    , "Whether set machine account encryption type \
+       (msDS-SupportedEncryptionTypes) on domain controller"
+    )
   ; ( "winbind_allow_kerberos_auth_fallback"
     , Arg.Set winbind_allow_kerberos_auth_fallback
     , (fun () -> string_of_bool !winbind_allow_kerberos_auth_fallback)