The Samba-Bugzilla – Attachment 10851 Details for
Bug 11142
KDC does not support enterprise UPNs properly
[patch]
additional patches pending commit in master
krb5-upn-additiona.patch (text/plain), 11.69 KB, created by
Andrew Bartlett
on 2015-03-11 03:47:05 UTC
Description:
additional patches pending commit in master
Creator:
Andrew Bartlett
Created:
2015-03-11 03:47:05 UTC
Size:
11.69 KB
>From 5dcc55487e027946e2ffc66c9456ed3068f448a0 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 11 Mar 2015 15:57:06 +1300
>Subject: [PATCH 1/4] auth/kerberos: Do a string comparison in
> kerberos_decode_pac() not a principal comparison
>
>This ensures that if an enterprise principal is used, we do the
>comparison properly
>
>This matters as in the enterprise case, which can be triggered by MIT
>kinit -E, does not use canonicalization, and so the enterprise name,
>with the @ in it, is in the logon name.
>
>Otherwise, we get errors like:
> Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> auth/kerberos/kerberos_pac.c | 25 +++++++++++++------------
> 1 file changed, 13 insertions(+), 12 deletions(-)
>
>diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
>index 8f55c8f..ee63ce9 100644
>--- a/auth/kerberos/kerberos_pac.c
>+++ b/auth/kerberos/kerberos_pac.c
>@@ -106,7 +106,6 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
> DATA_BLOB modified_pac_blob;
>
> NTTIME tgs_authtime_nttime;
>- krb5_principal client_principal_pac = NULL;
> int i;
>
> struct PAC_SIGNATURE_DATA *srv_sig_ptr = NULL;
>@@ -357,28 +356,30 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
> }
>
> if (client_principal) {
>- ret = smb_krb5_parse_name_norealm(context,
>- logon_name->account_name,
>- &client_principal_pac);
>+ char *client_principal_string;
>+ ret = krb5_unparse_name_flags(context, client_principal,
>+ KRB5_PRINCIPAL_UNPARSE_NO_REALM|KRB5_PRINCIPAL_UNPARSE_DISPLAY,
>+ &client_principal_string);
> if (ret) {
>- DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n",
>+ DEBUG(2, ("Could not unparse name from ticket to match with name from PAC: [%s]:%s\n",
> logon_name->account_name, error_message(ret)));
> talloc_free(tmp_ctx);
> return NT_STATUS_INVALID_PARAMETER;
> }
>-
>- bool_ret = smb_krb5_principal_compare_any_realm(context,
>- client_principal,
>- client_principal_pac);
>-
>- krb5_free_principal(context, client_principal_pac);
>+
>+ bool_ret = strcmp(client_principal_string, logon_name->account_name) == 0;
>
> if (!bool_ret) {
> DEBUG(2, ("Name in PAC [%s] does not match principal name "
>- "in ticket\n", logon_name->account_name));
>+ "in ticket [%s]\n",
>+ logon_name->account_name,
>+ client_principal_string));
>+ SAFE_FREE(client_principal_string);
> talloc_free(tmp_ctx);
> return NT_STATUS_ACCESS_DENIED;
> }
>+ SAFE_FREE(client_principal_string);
>+
> }
>
> DEBUG(3,("Found account name from PAC: %s [%s]\n",
>--
>2.1.4
>
>
>From 2da00d569364dcbcf487ac57d079acc5b7c6223e Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 11 Mar 2015 15:58:36 +1300
>Subject: [PATCH 2/4] torture-krb5: Test accepting the ticket to ensure PAC is
> well-formed
>
>A future test will ask for impersonation to a different user, and
>validate returned principal and the PAC matches that user.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/torture/krb5/kdc-canon.c | 137 ++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 136 insertions(+), 1 deletion(-)
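Review bot: The equality check in the `if (client_principal)` block now compares display-form strings, and `KRB5_PRINCIPAL_UNPARSE_DISPLAY` drops the escaping of special characters (patch 4/4's message shows this for `@`), so principals that differ only in where the escaping or component boundaries fall can unparse to the same text and `strcmp()` cannot tell them apart. This check is what ties the PAC logon name to the ticket's client, so I would put a comment above the `strcmp` line saying why display-form equality is sufficient, for example `/* enterprise names carry '@' inside the name; compare the unescaped form the KDC put in the PAC */`, and note that it relies on the PAC signatures having been verified, presumably earlier in kerberos_decode_pac, whose body starts and ends outside this hunk, so that is worth confirming. `logon_name->account_name` is also handed to `strcmp()` with no NULL check visible here; if it can be NULL at this point it needs a guard before the comparison.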
>
>diff --git a/source4/torture/krb5/kdc-canon.c b/source4/torture/krb5/kdc-canon.c
>index 49c6c26..446dab2 100644
>--- a/source4/torture/krb5/kdc-canon.c
>+++ b/source4/torture/krb5/kdc-canon.c
>@@ -29,6 +29,10 @@
> #include "source4/auth/kerberos/kerberos.h"
> #include "source4/auth/kerberos/kerberos_util.h"
> #include "lib/util/util_net.h"
>+#include "auth/auth.h"
>+#include "auth/auth_sam_reply.h"
>+#include "auth/gensec/gensec.h"
>+#include "param/param.h"
>
> #define TEST_CANONICALIZE 0x0000001
> #define TEST_ENTERPRISE 0x0000002
>@@ -87,6 +91,123 @@ struct torture_krb5_context {
> TGS_REP tgs_rep;
> };
>
>+struct pac_data {
>+ const char *principal_name;
>+};
>+
>+/*
>+ * A helper function which avoids touching the local databases to
>+ * generate the session info, as we just want to verify the principal
>+ * name that we found in the ticket not the full local token
>+ */
>+static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
>+ TALLOC_CTX *mem_ctx,
>+ struct smb_krb5_context *smb_krb5_context,
>+ DATA_BLOB *pac_blob,
>+ const char *principal_name,
>+ const struct tsocket_address *remote_address,
>+ uint32_t session_info_flags,
>+ struct auth_session_info **session_info)
>+{
>+ NTSTATUS nt_status;
>+ struct auth_user_info_dc *user_info_dc;
>+ TALLOC_CTX *tmp_ctx;
>+ struct pac_data *pac_data;
>+
>+ tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
>+ NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
>+
>+ auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data);
>+
>+ pac_data->principal_name = talloc_strdup(pac_data, principal_name);
>+ if (!pac_data->principal_name) {
>+ talloc_free(tmp_ctx);
>+ return NT_STATUS_NO_MEMORY;
>+ }
>+
>+ nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
>+ *pac_blob,
>+ smb_krb5_context->krb5_context,
>+ &user_info_dc, NULL, NULL);
>+ if (!NT_STATUS_IS_OK(nt_status)) {
>+ talloc_free(tmp_ctx);
>+ return nt_status;
>+ }
>+
>+ if (user_info_dc->info->authenticated) {
>+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
>+ }
>+
>+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
>+ nt_status = auth_generate_session_info(mem_ctx,
>+ NULL,
>+ NULL,
>+ user_info_dc, session_info_flags,
>+ session_info);
>+ if (!NT_STATUS_IS_OK(nt_status)) {
>+ talloc_free(tmp_ctx);
>+ return nt_status;
>+ }
>+
>+ talloc_free(tmp_ctx);
>+ return nt_status;
>+}
>+
>+/* Check to see if we can pass the PAC across to the NETLOGON server for validation */
>+
>+/* Also happens to be a really good one-step verfication of our Kerberos stack */
>+
>+static bool test_accept_ticket(struct torture_context *tctx,
>+ struct cli_credentials *credentials,
>+ const char *principal,
>+ DATA_BLOB client_to_server)
>+{
>+ NTSTATUS status;
>+
>+ struct gensec_security *gensec_server_context;
>+
>+ DATA_BLOB server_to_client;
>+
>+ struct auth4_context *auth_context;
>+ struct auth_session_info *session_info;
>+ struct pac_data *pac_data;
>+ TALLOC_CTX *tmp_ctx = talloc_new(tctx);
>+ torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
>+
>+ auth_context = talloc_zero(tmp_ctx, struct auth4_context);
>+ torture_assert(tctx, auth_context != NULL, "talloc_new() failed");
>+
>+ auth_context->generate_session_info_pac = test_generate_session_info_pac;
>+
>+ status = gensec_server_start(tctx,
>+ lpcfg_gensec_settings(tctx, tctx->lp_ctx),
>+ auth_context, &gensec_server_context);
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
>+
>+ status = gensec_set_credentials(gensec_server_context, credentials);
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed");
>+
>+ status = gensec_start_mech_by_name(gensec_server_context, "krb5");
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_name (server) failed");
>+
>+ server_to_client = data_blob(NULL, 0);
>+
>+ /* Do a client-server update dance */
>+ status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client);
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed");
>+
>+ /* Extract the PAC using Samba's code */
>+
>+ status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info);
>+ torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
>+
>+ pac_data = talloc_get_type(auth_context->private_data, struct pac_data);
>+
>+ torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context");
>+ torture_assert(tctx, pac_data->principal_name != NULL, "principal_name not present");
>+ torture_assert_str_equal(tctx, pac_data->principal_name, principal, "wrong principal name");
>+ return true;
>+}
>
> /*
> * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND
>@@ -1298,6 +1419,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
> char *krbtgt_other_string;
> int principal_flags;
> char *expected_principal_string;
>+ char *expected_unparse_principal_string;
> int expected_principal_flags;
> char *got_principal_string;
> char *assertion_message;
>@@ -1436,6 +1558,11 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
> &expected_principal),
> 0, "krb5_parse_name_flags failed");
>
>+ torture_assert_int_equal(tctx,
>+ krb5_unparse_name(k5_context,
>+ expected_principal,
>+ &expected_unparse_principal_string),
>+ 0, "krb5_unparse_name failed");
> /*
> * Prepare a AS-REQ and run the TEST_AS_REQ tests
> *
>@@ -1752,7 +1879,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
> in_data.length = 0;
> k5ret = krb5_mk_req_exact(k5_context,
> &auth_context,
>- 0,
>+ AP_OPTS_USE_SUBKEY,
> principal,
> &in_data, ccache,
> &enc_ticket);
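Review bot: In test_generate_session_info_pac the result of `talloc_zero(auth_ctx, struct pac_data)` is dereferenced by the very next statement without a NULL check, so an allocation failure crashes the test instead of returning an error; add `if (pac_data == NULL) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; }` before the `talloc_strdup` call. In test_accept_ticket, `tmp_ctx` is never released, neither on `return true` nor when a torture_assert bails out, and the second assertion reuses the message "talloc_new() failed" for what is a `talloc_zero` call. The comment ahead of test_accept_ticket also misspells "verification".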
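Review bot: The switch from `0` to `AP_OPTS_USE_SUBKEY` in the `krb5_mk_req_exact` call is not mentioned in the commit message and carries no comment, so a reader cannot tell whether the new acceptance step depends on it or whether it is an unrelated change in what the test exercises. A one-line comment at the call stating the actual reason would settle that, along the lines of `/* AP_OPTS_USE_SUBKEY: <why the acceptor in test_accept_ticket() needs a subkey> */`. The enclosing function torture_krb5_as_req_canon starts and ends outside this hunk.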
>@@ -1766,7 +1893,15 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
> * servicePrincipalName) can expect this test to succeed
> */
> if (torture_setting_bool(tctx, "expect_machine_account", false) && (test_data->enterprise || test_data->upn == false)) {
>+ DATA_BLOB client_to_server;
> torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
>+ client_to_server = data_blob_const(enc_ticket.data, enc_ticket.length);
>+ torture_assert(tctx,
>+ test_accept_ticket(tctx, cmdline_credentials,
>+ expected_unparse_principal_string,
>+ client_to_server),
>+ "test_accept_ticket failed - failed to accept the ticket we just created");
>+ krb5_data_free(&enc_ticket);
> } else {
> torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN,
> assertion_message);
>--
>2.1.4
>
>
>From 29de0b6a20a496baee6c2a7c5d2392ee522b6351 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 10 Mar 2015 15:36:01 +0100
>Subject: [PATCH 3/4] heimdal:lib/krb5: allow enterprise principals in
> verify_logonname()
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/heimdal/lib/krb5/pac.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
>index 91f68d5..835ea47 100644
>--- a/source4/heimdal/lib/krb5/pac.c
>+++ b/source4/heimdal/lib/krb5/pac.c
>@@ -677,7 +677,9 @@ verify_logonname(krb5_context context,
> return ret;
> }
> }
>- ret = krb5_parse_name_flags(context, s, KRB5_PRINCIPAL_PARSE_NO_REALM, &p2);
>+ ret = krb5_parse_name_flags(context, s,
>+ KRB5_PRINCIPAL_PARSE_NO_REALM|
>+ KRB5_PRINCIPAL_PARSE_ENTERPRISE, &p2);
> free(s);
> if (ret)
> return ret;
>--
>2.1.4
>
>
>From a406cb636ec394b4bb98deafd60b182fd7dc0c6d Mon Sep 17 00:00:00 2001
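Review bot: `krb5_data_free(&enc_ticket)` is reached only after the `torture_assert` on test_accept_ticket passes, so a failed acceptance returns from the test with the ticket buffer still allocated. Capturing the result first avoids that: `bool ok = test_accept_ticket(tctx, cmdline_credentials, expected_unparse_principal_string, client_to_server);` then `krb5_data_free(&enc_ticket);` then `torture_assert(tctx, ok, "...");`. `expected_unparse_principal_string`, allocated by `krb5_unparse_name` in the earlier hunk, has no matching free in any hunk shown here; the rest of torture_krb5_as_req_canon is outside the diff, so that should be checked there.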
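Review bot: `KRB5_PRINCIPAL_PARSE_ENTERPRISE` is now applied to every PAC logon name that verify_logonname parses, not only when the ticket's client is an enterprise principal, and the commit message gives no rationale. This function decides whether a PAC belongs to the ticket holder, so please confirm that ordinary and multi-component names still compare equal to the ticket principal once parsed in enterprise form (the comparison itself is outside this hunk), and add a comment such as `/* the logon name may be an enterprise name (user@REALM), so '@' is parsed as part of the name */`. The same applies to build_logon_name in patch 4/4: its unparse flags and the parse flags here have to stay in step, which is worth stating at both call sites.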
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 10 Mar 2015 15:33:14 +0100
>Subject: [PATCH 4/4] heimdal:lib/krb5: let build_logon_name() use
> KRB5_PRINCIPAL_UNPARSE_DISPLAY
>
>An ENTERPRISE principal should result in 'administrator@S4XDOM.BASE'
>instead of 'administrator\@S4XDOM.BASE'.
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/heimdal/lib/krb5/pac.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
>index 835ea47..e8672aa 100644
>--- a/source4/heimdal/lib/krb5/pac.c
>+++ b/source4/heimdal/lib/krb5/pac.c
>@@ -724,7 +724,9 @@ build_logon_name(krb5_context context,
> CHECK(ret, krb5_store_uint32(sp, t >> 32), out);
>
> ret = krb5_unparse_name_flags(context, principal,
>- KRB5_PRINCIPAL_UNPARSE_NO_REALM, &s);
>+ KRB5_PRINCIPAL_UNPARSE_NO_REALM|
>+ KRB5_PRINCIPAL_UNPARSE_DISPLAY,
>+ &s);
> if (ret)
> goto out;
>
>--
>2.1.4
>