From 5774714ba4f0e7380f5383a113bbdcf974608d33 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sun, 19 Jan 2020 16:24:24 +0100 Subject: [PATCH 1/3] selftest: add test for disallowed-forwardable server Signed-off-by: Isaac Boukris --- selftest/knownfail.d/disallowed_forwardable_server | 1 + testprogs/blackbox/test_s4u_heimdal.sh | 14 ++++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 selftest/knownfail.d/disallowed_forwardable_server diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server new file mode 100644 index 00000000000..2e05909ab89 --- /dev/null +++ b/selftest/knownfail.d/disallowed_forwardable_server @@ -0,0 +1 @@ +^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh index 0e12c7ec096..e63c4ffcdf6 100755 --- a/testprogs/blackbox/test_s4u_heimdal.sh +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -54,7 +54,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=` echo $PASSWORD > $PREFIX/tmppassfile -testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` +testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` @@ -68,6 +68,16 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` +testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` -rm -f $ocache $PREFIX/tmpccache tmppassfile + +testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` +testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + + +rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile exit $failed -- 2.24.1 From d8efc8913196d1d35fd9ce6fd3b42efb7dd96c52 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 13 Jan 2020 23:42:54 +0100 Subject: [PATCH 2/3] heimdal: apply disallow-forwardable on server in TGS request Signed-off-by: Isaac Boukris --- selftest/knownfail.d/disallowed_forwardable_server | 1 - source4/heimdal/kdc/krb5tgs.c | 5 +++++ 2 files changed, 5 insertions(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/disallowed_forwardable_server diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server deleted file mode 100644 index 2e05909ab89..00000000000 --- a/selftest/knownfail.d/disallowed_forwardable_server +++ /dev/null @@ -1 +0,0 @@ -^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index ee3ac3d8f53..bf913a662b6 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -866,6 +866,11 @@ tgs_make_reply(krb5_context context, et.flags.anonymous = tgt->flags.anonymous; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; + if (!server->entry.flags.forwardable) + et.flags.forwardable = 0; + if (!server->entry.flags.proxiable) + et.flags.proxiable = 0; + if(rspac->length) { /* * No not need to filter out the any PAC from the -- 2.24.1 From 5861e509eb1258218662750edc185a5f3db4c1e0 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 14 Jan 2020 13:16:02 +0100 Subject: [PATCH 3/3] db-glue.c: set forwardable on cross-tgt tickets Signed-off-by: Isaac Boukris --- source4/kdc/db-glue.c | 2 ++ source4/kdc/mit_samba.c | 5 ----- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 023ae7b580d..1aa26e5ca33 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1556,6 +1556,8 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, entry_ex->entry.max_renew = NULL; + entry_ex->entry.flags.forwardable = 1; + ret = samba_kdc_sort_encryption_keys(entry_ex); if (ret != 0) { krb5_clear_error_message(context); diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 5a4f6e73e97..54dcd545ea1 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -304,11 +304,6 @@ fetch_referral_principal: sdb_free_entry(&sentry); - if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { - kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; - kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; - } - done: krb5_free_principal(ctx->context, referral_principal); referral_principal = NULL; -- 2.24.1