Attachment 15902 Details for Bug 14342 – patch for 4.12 branch

[patch] patch for 4.12 branch

v412_krb5_v118.patch (text/plain), 12.07 KB, created by Isaac Boukris on 2020-04-09 19:42:54 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Isaac Boukris

Created: 2020-04-09 19:42:54 UTC

Size: 12.07 KB

patch

obsolete

>From b041bc0345730663d241390efa2352ba4107ffad Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Mon, 16 Sep 2019 16:40:12 +0300
>Subject: [PATCH 1/5] Adapt sign_authdata in our KDB module for krb5 v1.18
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>---
> source4/kdc/mit-kdb/kdb_samba.c          |  2 +-
> source4/kdc/mit-kdb/kdb_samba.h          | 21 ++++++++++++++++++
> source4/kdc/mit-kdb/kdb_samba_policies.c | 27 ++++++++++++++++++++++++
> 3 files changed, 49 insertions(+), 1 deletion(-)
>
>diff --git a/source4/kdc/mit-kdb/kdb_samba.c b/source4/kdc/mit-kdb/kdb_samba.c
>index c5157d6ed1b..02bbdca9f54 100644
>--- a/source4/kdc/mit-kdb/kdb_samba.c
>+++ b/source4/kdc/mit-kdb/kdb_samba.c
>@@ -139,7 +139,7 @@ static void kdb_samba_db_free_principal_e_data(krb5_context context,
> 
> kdb_vftabl kdb_function_table = {
> 	.maj_ver                   = KRB5_KDB_DAL_MAJOR_VERSION,
>-	.min_ver                   = 1,
>+	.min_ver                   = KRB5_KDB_DAL_MAJOR_VERSION == 6 ? 1 : 0,
> 
> 	.init_library              = kdb_samba_init_library,
> 	.fini_library              = kdb_samba_fini_library,
>diff --git a/source4/kdc/mit-kdb/kdb_samba.h b/source4/kdc/mit-kdb/kdb_samba.h
>index 22ef9085b6a..ad4f6e27573 100644
>--- a/source4/kdc/mit-kdb/kdb_samba.h
>+++ b/source4/kdc/mit-kdb/kdb_samba.h
>@@ -114,6 +114,7 @@ krb5_error_code kdb_samba_dbekd_encrypt_key_data(krb5_context context,
> 
> /* from kdb_samba_policies.c */
> 
>+#if KRB5_KDB_API_VERSION < 10
> krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 					    unsigned int flags,
> 					    krb5_const_principal client_princ,
>@@ -127,6 +128,26 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 					    krb5_timestamp authtime,
> 					    krb5_authdata **tgt_auth_data,
> 					    krb5_authdata ***signed_auth_data);
>+#else
>+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
>+					    unsigned int flags,
>+					    krb5_const_principal client_princ,
>+					    krb5_const_principal server_princ,
>+					    krb5_db_entry *client,
>+					    krb5_db_entry *server,
>+					    krb5_db_entry *krbtgt,
>+					    krb5_db_entry *local_krbtgt,
>+					    krb5_keyblock *client_key,
>+					    krb5_keyblock *server_key,
>+					    krb5_keyblock *krbtgt_key,
>+					    krb5_keyblock *local_krbtgt_key,
>+					    krb5_keyblock *session_key,
>+					    krb5_timestamp authtime,
>+					    krb5_authdata **tgt_auth_data,
>+					    void *authdata_info,
>+					    krb5_data ***auth_indicators,
>+					    krb5_authdata ***signed_auth_data);
>+#endif
> 
> krb5_error_code kdb_samba_db_check_policy_as(krb5_context context,
> 					     krb5_kdc_req *kdcreq,
>diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
>index fc80329f221..586cf81451d 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
>@@ -287,6 +287,7 @@ done:
> 	return code;
> }
> 
>+#if KRB5_KDB_API_VERSION < 10
> krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 					    unsigned int flags,
> 					    krb5_const_principal client_princ,
>@@ -301,6 +302,27 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 					    krb5_authdata **tgt_auth_data,
> 					    krb5_authdata ***signed_auth_data)
> {
>+#else
>+krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
>+					    unsigned int flags,
>+					    krb5_const_principal client_princ,
>+					    krb5_const_principal server_princ,
>+					    krb5_db_entry *client,
>+					    krb5_db_entry *server,
>+					    krb5_db_entry *krbtgt,
>+					    krb5_db_entry *local_krbtgt,
>+					    krb5_keyblock *client_key,
>+					    krb5_keyblock *server_key,
>+					    krb5_keyblock *krbtgt_key,
>+					    krb5_keyblock *local_krbtgt_key,
>+					    krb5_keyblock *session_key,
>+					    krb5_timestamp authtime,
>+					    krb5_authdata **tgt_auth_data,
>+					    void *authdata_info,
>+					    krb5_data ***auth_indicators,
>+					    krb5_authdata ***signed_auth_data)
>+{
>+#endif
> 	krb5_const_principal ks_client_princ;
> 	krb5_authdata **authdata = NULL;
> 	krb5_boolean is_as_req;
>@@ -308,6 +330,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 	krb5_pac pac = NULL;
> 	krb5_data pac_data;
> 
>+#if KRB5_KDB_API_VERSION >= 10
>+	krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt;
>+	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
>+#endif
>+
> 	/* Prefer canonicalised name from client entry */
> 	if (client != NULL) {
> 		ks_client_princ = client->princ;
>-- 
>2.24.1
>
>
>From f77de940e4437dbf0ef5ad14a7632068ef6a1721 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Thu, 16 Jan 2020 21:36:24 +0100
>Subject: [PATCH 2/5] Fix uxsuccess test with new MIT krb5 library 1.18
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14155
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>---
> .../{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18}    | 0
> selftest/wscript                                              | 3 +++
> testprogs/blackbox/test_kinit_mit.sh                          | 4 ----
> wscript_configure_system_mitkrb5                              | 3 +++
> 4 files changed, 6 insertions(+), 4 deletions(-)
> rename selftest/{knownfail.d/kinit_mit => knownfail_mit_krb5_pre_1_18} (100%)
>
>diff --git a/selftest/knownfail.d/kinit_mit b/selftest/knownfail_mit_krb5_pre_1_18
>similarity index 100%
>rename from selftest/knownfail.d/kinit_mit
>rename to selftest/knownfail_mit_krb5_pre_1_18
>diff --git a/selftest/wscript b/selftest/wscript
>index 4d03eb76842..501a5df5824 100644
>--- a/selftest/wscript
>+++ b/selftest/wscript
>@@ -142,6 +142,9 @@ def cmd_testonly(opt):
>                         '--flapping=${srcdir}/selftest/flapping '
>                         '--flapping=${srcdir}/selftest/flapping.d')
> 
>+    if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_18'):
>+        env.FILTER_XFAIL += ' --expected-failures=${srcdir}/selftest/knownfail_mit_krb5_pre_1_18'
>+
>     if Options.options.FAIL_IMMEDIATELY:
>         env.FILTER_XFAIL += ' --fail-immediately'
> 
>diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
>index d28caecd603..61029a5e04c 100755
>--- a/testprogs/blackbox/test_kinit_mit.sh
>+++ b/testprogs/blackbox/test_kinit_mit.sh
>@@ -134,10 +134,6 @@ testit "enable user with kerberos cache" $VALGRIND $PYTHON $samba_enableaccount
> ### Test kinit with canonicalization
> ###########################################################
> 
>-# This is currently not working due to an upstream bug in MIT Kerberos. The
>-# test will ensure that we get notified when we can turn on canonicalization
>-# in ads_krb5_chg_password().
>-# https://bugzilla.samba.org/show_bug.cgi?id=14155
> upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]')
> testit "kinit with canonicalize" $samba_texpect $PREFIX/tmpkinitscript $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || failed=`expr $failed + 1`
> 
>diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
>index b05ac3f3e50..23587797119 100644
>--- a/wscript_configure_system_mitkrb5
>+++ b/wscript_configure_system_mitkrb5
>@@ -77,6 +77,9 @@ if conf.env.KRB5_CONFIG:
>     else:
>         Logs.info('MIT Kerberos %s detected, MIT krb5 build can proceed' % (krb5_version))
> 
>+    if parse_version(krb5_version) < parse_version('1.18'):
>+        conf.DEFINE('HAVE_MIT_KRB5_PRE_1_18', 1)
>+
> conf.CHECK_CFG(args="--cflags --libs", package="com_err", uselib_store="com_err")
> conf.CHECK_FUNCS_IN('_et_list', 'com_err')
> conf.CHECK_HEADERS('com_err.h', lib='com_err')
>-- 
>2.24.1
>
>
>From 5ad6c7cab18ecfe436d107c1ed71574dbae39825 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Thu, 16 Jan 2020 22:00:21 +0100
>Subject: [PATCH 3/5] Sign and verify PAC with ticket principal instead of
> canon principal
>
>With MIT library 1.18 the KDC no longer set
>KRB5_KDB_FLAG_CANONICALIZE for enterprise principals which allows
>us to not canonicalize them (like in Windows / Heimdal).
>
>However, it now breaks the PAC signature verification as it was
>wrongly done using canonical client rather than ticket client name.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>---
> source4/kdc/mit-kdb/kdb_samba_policies.c | 12 ++----------
> 1 file changed, 2 insertions(+), 10 deletions(-)
>
>diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
>index 586cf81451d..2eec496fa92 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
>@@ -323,7 +323,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 					    krb5_authdata ***signed_auth_data)
> {
> #endif
>-	krb5_const_principal ks_client_princ;
> 	krb5_authdata **authdata = NULL;
> 	krb5_boolean is_as_req;
> 	krb5_error_code code;
>@@ -335,13 +334,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
> #endif
> 
>-	/* Prefer canonicalised name from client entry */
>-	if (client != NULL) {
>-		ks_client_princ = client->princ;
>-	} else {
>-		ks_client_princ = client_princ;
>-	}
>-
> 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
> 
> 	if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
>@@ -354,7 +346,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 	if (!is_as_req) {
> 		code = ks_verify_pac(context,
> 				     flags,
>-				     ks_client_princ,
>+				     client_princ,
> 				     client,
> 				     server,
> 				     krbtgt,
>@@ -381,7 +373,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 		goto done;
> 	}
> 
>-	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
>+	code = krb5_pac_sign(context, pac, authtime, client_princ,
> 			server_key, krbtgt_key, &pac_data);
> 	if (code != 0) {
> 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
>-- 
>2.24.1
>
>
>From d343726ed103ed8e0fe9bbce7e3dc8957cd11c1f Mon Sep 17 00:00:00 2001
>From: Andreas Schneider <asn@samba.org>
>Date: Fri, 6 Mar 2020 17:15:45 +0100
>Subject: [PATCH 4/5] selftest: Set KRB5RCACHETYPE to none for selftest
>
>This is required that out tests work with MIT KRB5 1.18.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Andreas Schneider <asn@samba.org>
>Reviewed-by: Guenther Deschner <gd@samba.org>
>Reviewed-by: Isaac Boukris <iboukris@samba.org>
>---
> selftest/selftest.pl | 1 +
> 1 file changed, 1 insertion(+)
>
>diff --git a/selftest/selftest.pl b/selftest/selftest.pl
>index b6094fef3b9..b166b28e0cb 100755
>--- a/selftest/selftest.pl
>+++ b/selftest/selftest.pl
>@@ -451,6 +451,7 @@ my $testenv_default = "none";
> 
> if ($opt_mitkrb5 == 1) {
> 	$ENV{MITKRB5} = $opt_mitkrb5;
>+	$ENV{KRB5RCACHETYPE} = "none";
> }
> 
> # After this many seconds, the server will self-terminate.  All tests
>-- 
>2.24.1
>
>
>From 698400f9f88d80ed30fb1cd196afbba1e8acd521 Mon Sep 17 00:00:00 2001
>From: Isaac Boukris <iboukris@gmail.com>
>Date: Fri, 31 Jan 2020 22:34:21 +0100
>Subject: [PATCH 5/5] mit-kdc: Explicitly reject S4U requests
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14342
>
>Signed-off-by: Isaac Boukris <iboukris@samba.org>
>Reviewed-by: Andreas Schneider <asn@samba.org>
>
>Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
>Autobuild-Date(master): Tue Mar 10 14:46:04 UTC 2020 on sn-devel-184
>---
> source4/kdc/mit-kdb/kdb_samba_policies.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
>diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
>index 2eec496fa92..9197551ed61 100644
>--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
>+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
>@@ -334,6 +334,11 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
> 	krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key;
> #endif
> 
>+	/* FIXME: We don't support S4U yet */
>+	if (flags & KRB5_KDB_FLAGS_S4U) {
>+		return KRB5_KDB_DBTYPE_NOSUP;
>+	}
>+
> 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
> 
> 	if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
>-- 
>2.24.1
>

Flags:

iboukris: review+
gd: review+
iboukris: ci-passed+

Actions: View

Attachments on bug 14342: 15902