The Samba-Bugzilla – Attachment 15750 Details for
Bug 14233
Follow-up to bug 14187: DelegationNotAllowed on server account
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
basic patch
14233.patch (text/plain), 5.99 KB, created by
Isaac Boukris
on 2020-01-23 12:21:41 UTC
(
hide
)
Description:
basic patch
Filename:
MIME Type:
Creator:
Isaac Boukris
Created:
2020-01-23 12:21:41 UTC
Size:
5.99 KB
patch
obsolete
>From 5774714ba4f0e7380f5383a113bbdcf974608d33 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sun, 19 Jan 2020 16:24:24 +0100 >Subject: [PATCH 1/3] selftest: add test for disallowed-forwardable server > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > selftest/knownfail.d/disallowed_forwardable_server | 1 + > testprogs/blackbox/test_s4u_heimdal.sh | 14 ++++++++++++-- > 2 files changed, 13 insertions(+), 2 deletions(-) > create mode 100644 selftest/knownfail.d/disallowed_forwardable_server > >diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server >new file mode 100644 >index 00000000000..2e05909ab89 >--- /dev/null >+++ b/selftest/knownfail.d/disallowed_forwardable_server >@@ -0,0 +1 @@ >+^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket >diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh >index 0e12c7ec096..e63c4ffcdf6 100755 >--- a/testprogs/blackbox/test_s4u_heimdal.sh >+++ b/testprogs/blackbox/test_s4u_heimdal.sh >@@ -54,7 +54,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=` > > > echo $PASSWORD > $PREFIX/tmppassfile >-testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` >+testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` > > testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` > testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >@@ -68,6 +68,16 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile > testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` > testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` > >+testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` >+testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >+testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` > >-rm -f $ocache $PREFIX/tmpccache tmppassfile >+ >+testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` >+testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` >+testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` >+testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` >+ >+ >+rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile > exit $failed >-- >2.24.1 > > >From d8efc8913196d1d35fd9ce6fd3b42efb7dd96c52 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Mon, 13 Jan 2020 23:42:54 +0100 >Subject: [PATCH 2/3] heimdal: apply disallow-forwardable on server in TGS > request > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > selftest/knownfail.d/disallowed_forwardable_server | 1 - > source4/heimdal/kdc/krb5tgs.c | 5 +++++ > 2 files changed, 5 insertions(+), 1 deletion(-) > delete mode 100644 selftest/knownfail.d/disallowed_forwardable_server > >diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server >deleted file mode 100644 >index 2e05909ab89..00000000000 >--- a/selftest/knownfail.d/disallowed_forwardable_server >+++ /dev/null >@@ -1 +0,0 @@ >-^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index ee3ac3d8f53..bf913a662b6 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -866,6 +866,11 @@ tgs_make_reply(krb5_context context, > et.flags.anonymous = tgt->flags.anonymous; > et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; > >+ if (!server->entry.flags.forwardable) >+ et.flags.forwardable = 0; >+ if (!server->entry.flags.proxiable) >+ et.flags.proxiable = 0; >+ > if(rspac->length) { > /* > * No not need to filter out the any PAC from the >-- >2.24.1 > > >From 5861e509eb1258218662750edc185a5f3db4c1e0 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Tue, 14 Jan 2020 13:16:02 +0100 >Subject: [PATCH 3/3] db-glue.c: set forwardable on cross-tgt tickets > >Signed-off-by: Isaac Boukris <iboukris@samba.org> >--- > source4/kdc/db-glue.c | 2 ++ > source4/kdc/mit_samba.c | 5 ----- > 2 files changed, 2 insertions(+), 5 deletions(-) > >diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c >index 023ae7b580d..1aa26e5ca33 100644 >--- a/source4/kdc/db-glue.c >+++ b/source4/kdc/db-glue.c >@@ -1556,6 +1556,8 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, > > entry_ex->entry.max_renew = NULL; > >+ entry_ex->entry.flags.forwardable = 1; >+ > ret = samba_kdc_sort_encryption_keys(entry_ex); > if (ret != 0) { > krb5_clear_error_message(context); >diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c >index 5a4f6e73e97..54dcd545ea1 100644 >--- a/source4/kdc/mit_samba.c >+++ b/source4/kdc/mit_samba.c >@@ -304,11 +304,6 @@ fetch_referral_principal: > > sdb_free_entry(&sentry); > >- if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { >- kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; >- kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; >- } >- > done: > krb5_free_principal(ctx->context, referral_principal); > referral_principal = NULL; >-- >2.24.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
iboukris
:
review+
iboukris
:
review?
(
metze
)
iboukris
:
review?
(
abartlet
)
iboukris
:
ci-passed+
Actions:
View
Attachments on
bug 14233
:
15726
|
15730
|
15744
| 15750