From b041bc0345730663d241390efa2352ba4107ffad Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 16 Sep 2019 16:40:12 +0300 Subject: [PATCH 1/5] Adapt sign_authdata in our KDB module for krb5 v1.18 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider --- source4/kdc/mit-kdb/kdb_samba.c | 2 +- source4/kdc/mit-kdb/kdb_samba.h | 21 ++++++++++++++++++ source4/kdc/mit-kdb/kdb_samba_policies.c | 27 ++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c index c5157d6ed1b..02bbdca9f54 100644 --- a/source4/kdc/mit-kdb/kdb_samba.c +++ b/source4/kdc/mit-kdb/kdb_samba.c @@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context, kdb_vftabl kdb_function_table = { .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, - .min_ver = 1, + .min_ver = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0, .init_library = kdb_samba_init_library, .fini_library = kdb_samba_fini_library, diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h index 22ef9085b6a..ad4f6e27573 100644 --- a/source4/kdc/mit-kdb/kdb_samba.h +++ b/source4/kdc/mit-kdb/kdb_samba.h @@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context, /* from kdb_samba_policies.c */ +#if KRB5_KDB_API_VERSION < 10 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, unsigned int flags, krb5_const_principal client_princ, 
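Review bot: The new `.min_ver` initializer in kdb_samba.c hard-codes a DAL-version assumption with no comment, so whoever next bumps `KRB5_KDB_DAL_MAJOR_VERSION` has to rediscover why major 6 maps to minor 1 and everything else to 0. A one-line comment above it would do, e.g. `/* DAL major 6 exposes minor version 1; later majors restart at minor 0 — confirm against kdb.h when bumping */`. The `kdb_function_table` initializer continues beyond this hunk.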
@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_timestamp authtime, krb5_authdata **tgt_auth_data, krb5_authdata ***signed_auth_data); +#else +krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + unsigned int flags, + krb5_const_principal client_princ, + krb5_const_principal server_princ, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_db_entry *local_krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_keyblock *local_krbtgt_key, + krb5_keyblock *session_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, + void *authdata_info, + krb5_data ***auth_indicators, + krb5_authdata ***signed_auth_data); +#endif krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, krb5_kdc_req *kdcreq, diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index fc80329f221..586cf81451d 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -287,6 +287,7 @@ done: return code; } +#if KRB5_KDB_API_VERSION < 10 krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, unsigned int flags, krb5_const_principal client_princ, 
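Review bot: The `#if KRB5_KDB_API_VERSION < 10` / `#else` split in kdb_samba.h duplicates the whole prototype without saying which krb5 release introduced API version 10 or which parameters are new; the same applies to the matching `#if` added to kdb_samba_policies.c in this hunk line. A short comment above the `#if` would help, e.g. `/* KDB API >= 10 (MIT krb5 1.18) adds local_krbtgt/local_krbtgt_key, authdata_info and auth_indicators to sign_auth_data */` — the 1.18 mapping is inferred from the patch subject, so confirm it against the krb5 headers.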
@@ -301,6 +302,27 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_authdata **tgt_auth_data, krb5_authdata ***signed_auth_data) { +#else +krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, + unsigned int flags, + krb5_const_principal client_princ, + krb5_const_principal server_princ, + krb5_db_entry *client, + krb5_db_entry *server, + krb5_db_entry *krbtgt, + krb5_db_entry *local_krbtgt, + krb5_keyblock *client_key, + krb5_keyblock *server_key, + krb5_keyblock *krbtgt_key, + krb5_keyblock *local_krbtgt_key, + krb5_keyblock *session_key, + krb5_timestamp authtime, + krb5_authdata **tgt_auth_data, + void *authdata_info, + krb5_data ***auth_indicators, + krb5_authdata ***signed_auth_data) +{ +#endif krb5_const_principal ks_client_princ; krb5_authdata **authdata = NULL; krb5_boolean is_as_req; @@ -308,6 +330,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_pac pac = NULL; krb5_data pac_data; +#if KRB5_KDB_API_VERSION >= 10 + krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; + krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; +#endif + /* Prefer canonicalised name from client entry */ if (client != NULL) { ks_client_princ = client->princ; -- 2.24.1 From f77de940e4437dbf0ef5ad14a7632068ef6a1721 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 16 Jan 2020 21:36:24 +0100 Subject: [PATCH 2/5] Fix uxsuccess test with new MIT krb5 library 1.18 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Guenther Deschner --- .../{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18} | 0 selftest/wscript | 3 +++ testprogs/blackbox/test_kinit_mit.sh | 4 ---- wscript_configure_system_mitkrb5 | 3 +++ 4 files changed, 6 insertions(+), 4 deletions(-) rename selftest/{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18} (100%) 
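Review bot: The fallback `krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;` and the matching key line give no hint of when the newer DAL passes a NULL `krbtgt`, and nothing in the hunk guards the case where both `krbtgt` and `local_krbtgt` are NULL before the entry reaches `ks_verify_pac` later in the function. Plain conditionals with a comment read better here, e.g. `/* KDB API >= 10 passes the local TGT separately; fall back to it when no krbtgt was supplied — presumably the cross-realm case, confirm against the 1.18 DAL */` followed by `if (krbtgt == NULL) { krbtgt = local_krbtgt; }` and the same for `krbtgt_key`. The body of `kdb_samba_db_sign_auth_data` continues outside this hunk.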
diff --git a/selftest/knownfail.d/kinit_mit b/selftest/knownfail_mit_krb5_pre_1_18 similarity index 100% rename from selftest/knownfail.d/kinit_mit rename to selftest/knownfail_mit_krb5_pre_1_18 diff --git a/selftest/wscript b/selftest/wscript index 4d03eb76842..501a5df5824 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -142,6 +142,9 @@ def cmd_testonly(opt): '--flapping=${srcdir}/selftest/flapping ' '--flapping=${srcdir}/selftest/flapping.d') + if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'): + env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18' + if Options.options.FAIL_IMMEDIATELY: env.FILTER_XFAIL += ' --fail-immediately' diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh index d28caecd603..61029a5e04c 100755 --- a/testprogs/blackbox/test_kinit_mit.sh +++ b/testprogs/blackbox/test_kinit_mit.sh @@ -134,10 +134,6 @@ testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount ### Test kinit with canonicalization ########################################################### -# This is currently not working due to an upstream bug in MIT Kerberos. The -# test will ensure that we get notified when we can turn on canonicalization -# in ads_krb5_chg_password(). -# https://bugzilla.samba.org/show_bug.cgi?id=14155 upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]') testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=`expr $failed + 1` diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 index b05ac3f3e50..23587797119 100644 --- a/wscript_configure_system_mitkrb5 +++ b/wscript_configure_system_mitkrb5 
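Review bot: The new `--expected-failures` line in selftest/wscript does not say why this list is kept at `selftest/knownfail_mit_krb5_pre_1_18` instead of under `knownfail.d`, where the renamed file used to live; presumably that directory is applied unconditionally and this list must only apply to MIT krb5 older than 1.18. A comment above the `if` would make the intent explicit, e.g. `# Only for MIT krb5 < 1.18 (bug 14155); kept outside knownfail.d so it is not applied unconditionally`. `cmd_testonly` continues outside this hunk.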
@@ -77,6 +77,9 @@ if conf.env.KRB5_CONFIG: else: Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version)) + if parse_version(krb5_version) < parse_version('1.18'): + conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1) + conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err") conf.CHECK_FUNCS_IN('_et_list', 'com_err') conf.CHECK_HEADERS('com_err.h', lib='com_err') -- 2.24.1 From 5ad6c7cab18ecfe436d107c1ed71574dbae39825 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 16 Jan 2020 22:00:21 +0100 Subject: [PATCH 3/5] Sign and verify PAC with ticket principal instead of canon principal With MIT library 1.18 the KDC no longer set KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows us to not canonicalize them (like in Windows / Heimdal). However, it now breaks the PAC signature verification as it was wrongly done using canonical client rather than ticket client name. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Guenther Deschner --- source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index 586cf81451d..2eec496fa92 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_authdata ***signed_auth_data) { #endif - krb5_const_principal ks_client_princ; krb5_authdata **authdata = NULL; krb5_boolean is_as_req; krb5_error_code code; 
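Review bot: `parse_version` is called on the new line in wscript_configure_system_mitkrb5, but nothing in the hunk shows it imported or defined; if this file does not already bring it into scope the comparison raises `NameError` at configure time for every MIT build, so please confirm. The define also deserves a comment tying it to its consumer, e.g. `# MIT krb5 < 1.18 still has the kinit canonicalization bug (bug 14155); enables knownfail_mit_krb5_pre_1_18`. The enclosing `if`/`else` starts outside the hunk.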
@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; #endif - /* Prefer canonicalised name from client entry */ - if (client != NULL) { - ks_client_princ = client->princ; - } else { - ks_client_princ = client_princ; - } - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) { @@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, if (!is_as_req) { code = ks_verify_pac(context, flags, - ks_client_princ, + client_princ, client, server, krbtgt, @@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, goto done; } - code = krb5_pac_sign(context, pac, authtime, ks_client_princ, + code = krb5_pac_sign(context, pac, authtime, client_princ, server_key, krbtgt_key, &pac_data); if (code != 0) { DBG_ERR("krb5_pac_sign failed: %d\n", code); -- 2.24.1 From d343726ed103ed8e0fe9bbce7e3dc8957cd11c1f Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 6 Mar 2020 17:15:45 +0100 Subject: [PATCH 4/5] selftest: Set KRB5RCACHETYPE to none for selftest This is required that out tests work with MIT KRB5 1.18. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342 Signed-off-by: Andreas Schneider Reviewed-by: Guenther Deschner Reviewed-by: Isaac Boukris --- selftest/selftest.pl | 1 + 1 file changed, 1 insertion(+) diff --git a/selftest/selftest.pl b/selftest/selftest.pl index b6094fef3b9..b166b28e0cb 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -451,6 +451,7 @@ my $testenv_default = "none"; if ($opt_mitkrb5 == 1) { $ENV{MITKRB5} = $opt_mitkrb5; + $ENV{KRB5RCACHETYPE} = "none"; } # After this many seconds, the server will self-terminate. All tests -- 2.24.1 From 698400f9f88d80ed30fb1cd196afbba1e8acd521 Mon Sep 17 00:00:00 2001 
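Review bot: Passing `client_princ` to `ks_verify_pac` and `krb5_pac_sign` is the correct binding, but with the "Prefer canonicalised name" comment removed nothing in the code explains it, and a later reader may "fix" it back to `client->princ`, which per the commit message breaks PAC signature verification for non-canonicalized (enterprise) clients. Add a comment at both call sites (the -354 and -381 hunks), e.g. `/* The PAC is bound to the client name in the ticket, not to the canonical name from the DB entry; see bug 14342 */`. Both calls lie inside `kdb_samba_db_sign_auth_data`, whose body continues outside these hunks.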
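Review bot: `$ENV{KRB5RCACHETYPE} = "none";` disables the Kerberos replay cache for every process the selftest spawns, and neither the line nor the commit message says what behaviour of the 1.18 replay cache the tests trip over. A comment is needed so the setting is understood as test-only and can be removed once the underlying cause is fixed, e.g. `# MIT krb5 1.18: the replay cache breaks the selftest (bug 14342); this is test-only, never set it in a deployed environment`.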
From: Isaac Boukris Date: Fri, 31 Jan 2020 22:34:21 +0100 Subject: [PATCH 5/5] mit-kdc: Explicitly reject S4U requests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Autobuild-User(master): Isaac Boukris Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184 --- source4/kdc/mit-kdb/kdb_samba_policies.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index 2eec496fa92..9197551ed61 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -334,6 +334,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; #endif + /* FIXME: We don't support S4U yet */ + if (flags & KRB5_KDB_FLAGS_S4U) { + return KRB5_KDB_DBTYPE_NOSUP; + } + is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) { -- 2.24.1
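Review bot: The new S4U rejection returns `KRB5_KDB_DBTYPE_NOSUP` silently, whereas the other failure paths in this function log (e.g. `DBG_ERR("krb5_pac_sign failed: %d\n", code);`), so an operator investigating a refused protocol-transition or constrained-delegation request gets no KDB-side trace of why. Suggest replacing the bare FIXME with `/* S4U (protocol transition / constrained delegation) is not supported by this KDB module yet; refuse explicitly instead of issuing a PAC without the S4U checks */` and adding `DBG_WARNING("Rejecting unsupported S4U request\n");` before the return. The check runs before any allocation visible in the hunk, so the early return leaks nothing; the function body continues outside the hunk.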