The Samba-Bugzilla – Attachment 15744 Details for Bug 14233: Follow-up to bug 14187: DelegationNotAllowed on server account
Description: patch for master
Filename: nd-server-master.patch
MIME Type: text/plain
Creator: Isaac Boukris
Created: 2020-01-19 15:55:11 UTC
Size: 6.41 KB
Attachment flags: patch, obsolete
>From b631b6798c409ff33855a138fb68b7a90dc1ae8e Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Tue, 14 Jan 2020 13:16:02 +0100 >Subject: [PATCH 1/3] db-glue.c: set forwardable on cross-tgt tickets > >we should also set ok_as_delegate, but that's commented out for now. > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > source4/kdc/db-glue.c | 9 +++++++++ > source4/kdc/mit_samba.c | 5 ----- > 2 files changed, 9 insertions(+), 5 deletions(-) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 023ae7b580d..ed78faa3ad0 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c >@@ -1556,6 +1556,15 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > > entry_ex->entry.max_renew = NULL; > >+ /* Per MS-KILE 3.3.5.7.5 we should only remove ok-as-delegate if >+ * TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION flag is >+ * set in the trustAttributes. >+ * >+ * Otherwise to behave like Windows we should set ok-as-delegate, >+ * however as we never allowed it so i'm leaving commented out. */ >+ //entry_ex->entry.flags.ok_as_delegate = 1; >+ entry_ex->entry.flags.forwardable = 1; >+ > ret = samba_kdc_sort_encryption_keys(entry_ex); > if (ret != 0) { > krb5_clear_error_message(context); >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index 5a4f6e73e97..54dcd545ea1 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c >@@ -304,11 +304,6 @@ fetch_referral_principal: > > sdb_free_entry(&sentry); > >- if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { >- kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; >- kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; >- } >- > done: > krb5_free_principal(ctx->context, referral_principal); > referral_principal = NULL; >-- >2.21.1 > > >From 629d509c4c9d60b6fa1f047e4e4058fcc5ac9068 Mon Sep 17 00:00:00 2001 
>From: Isaac Boukris <iboukris@gmail.com> >Date: Sun, 19 Jan 2020 16:24:24 +0100 >Subject: [PATCH 2/3] selftest: add test for disallowed-forwardable server > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > selftest/knownfail.d/disallowed_forwardable_server | 1 + > testprogs/blackbox/test_s4u_heimdal.sh | 14 ++++++++++++-- > 2 files changed, 13 insertions(+), 2 deletions(-) > create mode 100644 selftest/knownfail.d/disallowed_forwardable_server > >diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server >new file mode 100644 >index 00000000000..2e05909ab89 >--- /dev/null >+++ b/selftest/knownfail.d/disallowed_forwardable_server >@@ -0,0 +1 @@ >+^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket >diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh >index 0e12c7ec096..e63c4ffcdf6 100755 >--- a/testprogs/blackbox/test_s4u_heimdal.sh >+++ b/testprogs/blackbox/test_s4u_heimdal.sh >@@ -54,7 +54,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=` > > > echo $PASSWORD > $PREFIX/tmppassfile >-testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` >+testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` > > testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` > testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` 
>@@ -68,6 +68,16 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile > testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` > testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` > >+testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` >+testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >+testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` > >-rm -f $ocache $PREFIX/tmpccache tmppassfile >+ >+testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` >+testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` >+testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >+testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >+ >+ >+rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile > exit $failed >-- >2.21.1 > > >From a34be0b10461ae475deb7db7e45fb4f773a6358f Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Mon, 13 Jan 2020 23:42:54 +0100 >Subject: [PATCH 3/3] heimdal: apply disallow-forwardable on server in TGS > request 
> >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > selftest/knownfail.d/disallowed_forwardable_server | 1 - > source4/heimdal/kdc/krb5tgs.c | 5 +++++ > 2 files changed, 5 insertions(+), 1 deletion(-) > delete mode 100644 selftest/knownfail.d/disallowed_forwardable_server > >diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server >deleted file mode 100644 >index 2e05909ab89..00000000000 >--- a/selftest/knownfail.d/disallowed_forwardable_server >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index ee3ac3d8f53..bf913a662b6 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -866,6 +866,11 @@ tgs_make_reply(krb5_context context, > et.flags.anonymous = tgt->flags.anonymous; > et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; > >+ if (!server->entry.flags.forwardable) >+ et.flags.forwardable = 0; >+ if (!server->entry.flags.proxiable) >+ et.flags.proxiable = 0; >+ > if(rspac->length) { > /* > * No not need to filter out the any PAC from the >-- >2.21.1 >
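Review bot: the comment added to samba_kdc_trust_message2entry says that per MS-KILE 3.3.5.7.5 ok-as-delegate should only be removed when TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION is set in trustAttributes, but the hunk never reads trustAttributes: it unconditionally sets `entry_ex->entry.flags.forwardable = 1;` and leaves ok_as_delegate as a commented-out `//` line. Either implement the trustAttributes check so the comment matches the code, or reword the comment to say that trust entries are always marked forwardable and ok-as-delegate is deliberately not set; in both cases drop the `//entry_ex->entry.flags.ok_as_delegate = 1;` line (Samba C code uses `/* */` comments, and dead code should not be left in) and fix "so i'm leaving commented out". Since this flag is what keeps cross-realm TGTs forwardable once patch 3 clears forwardable based on the server entry, the commit message should say that explicitly rather than only "set forwardable on cross-tgt tickets".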
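Review bot: the block removed from mit_samba.c cleared KRB5_KDB_DISALLOW_FORWARDABLE and KRB5_KDB_DISALLOW_PROXIABLE for every lookup that was not KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY, so after this change the MIT KDC relies entirely on the forwardable/proxiable flags carried in the sdb entry. The commit message does not mention this removal at all; please state that the MIT-specific workaround is being replaced by setting the flag in db-glue.c, and confirm that the sdb-to-kdb entry conversion maps `flags.forwardable` to the absence of KRB5_KDB_DISALLOW_FORWARDABLE, because that conversion is not part of this patch and a mismatch there would leave MIT-built KDCs issuing non-forwardable cross-realm TGTs.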
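Review bot: in the second test_s4u_heimdal.sh hunk, "set not-delegated on impersonator" turns the sensitive flag on for $impersonator and nothing turns it back off before `exit $failed`, whereas the earlier block pairs "set not-delegated flag" with "unset not-delegated flag". Add a matching `testit "unset not-delegated on impersonator" $samba_tool user sensitive $impersonator off || failed=...` before the cleanup so tests that run later in the same environment start from a clean account state. The negative case only asserts that S4U2Proxy fails, and testit_expect_failure passes for any error; consider also checking that the ticket obtained for the sensitive impersonator was issued without the forwardable flag (for example by listing the cache with ticket flags), since that is the behaviour patch 3 actually introduces. The change of `tmppassfile` to `$PREFIX/tmppassfile` in the rm line is a correct fix, as the file is written under $PREFIX.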
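Review bot: the new checks in tgs_make_reply clear `et.flags.forwardable` and `et.flags.proxiable` whenever the server entry lacks the flag, which is the actual fix for DelegationNotAllowed on the server account: the evidence ticket issued for a sensitive server is no longer forwardable, so S4U2Proxy with that ticket is refused, as the new test expects. Two points belong in the commit message: this runs for every TGS reply including cross-realm TGTs, so it depends on patch 1 marking trust entries forwardable (applying the series out of order, or backporting only this patch, would regress cross-realm delegation); and it consults only the server flags, so the existing not-delegated handling for the S4U2Self client side is unchanged. The brace-less one-line `if` bodies follow the surrounding Heimdal code, so that is fine here.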
Flags:
iboukris: review+
metze: review-
iboukris: ci-passed+
Attachments on bug 14233: 15726 | 15730 | 15744 | 15750