The Samba-Bugzilla – Attachment 17193 Details for
Bug 14865
uncached logon on RODC always fails once
[patch]
Patches for v4-16-test
bfixes-tmp416.txt (text/plain), 35.85 KB, created by
Stefan Metzmacher
on 2022-03-07 18:53:05 UTC
>From 1c7d891c05fbb644bed24fb2338e7a4fce6efa8a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 3 Mar 2022 19:17:06 +0100 >Subject: [PATCH 1/3] third_party/heimdal: import lorikeet-heimdal-202203031927 > (commit 7abc451ddd74d0c2e57dbb32f3198bde8def73ab) > >NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit f33f73f82fb2d5d96928ce5910e2d0d939c2ff57) >--- > third_party/heimdal/kdc/fast.c | 20 +++++-- > third_party/heimdal/kdc/kdc-accessors.h | 20 +++++++ > third_party/heimdal/kdc/kdc-plugin.c | 28 +++++----- > third_party/heimdal/kdc/kdc-plugin.h | 6 +-- > third_party/heimdal/kdc/kdc_locl.h | 5 ++ > third_party/heimdal/kdc/kerberos5.c | 17 ++++-- > third_party/heimdal/kdc/krb5tgs.c | 25 ++++++--- > third_party/heimdal/kdc/libkdc-exports.def | 3 ++ > third_party/heimdal/kdc/mssfu.c | 5 +- > third_party/heimdal/kdc/version-script.map | 3 ++ > third_party/heimdal/lib/asn1/krb5.asn1 | 54 ++++++++++++++++++- > .../heimdal/lib/asn1/libasn1-exports.def | 25 +++++++++ > third_party/heimdal/lib/krb5/krb5.h | 4 ++ > third_party/heimdal/lib/krb5/pac.c | 2 +- > third_party/heimdal/lib/krb5/principal.c | 9 +++- > .../heimdal/tests/plugin/kdc_test_plugin.c | 8 +-- > 16 files changed, 189 insertions(+), 45 deletions(-) > >diff --git a/third_party/heimdal/kdc/fast.c b/third_party/heimdal/kdc/fast.c >index 25cab3096b7f..043227892b5d 100644 >--- a/third_party/heimdal/kdc/fast.c >+++ b/third_party/heimdal/kdc/fast.c >@@ -464,7 +464,6 @@ fast_unwrap_request(astgs_request_t r, > krb5_flags ap_req_options; > krb5_keyblock armorkey; > krb5_keyblock explicit_armorkey; >- krb5_boolean explicit_armor; > krb5_error_code ret; > krb5_ap_req ap_req; > KrbFastReq fastreq; 
>@@ -518,7 +517,7 @@ fast_unwrap_request(astgs_request_t r,
> goto out;
> }
>
>- explicit_armor = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
>+ r->explicit_armor_present = fxreq.u.armored_data.armor != NULL && tgs_ac != NULL;
>
> /*
> *
>@@ -625,11 +624,11 @@ fast_unwrap_request(astgs_request_t r,
> ac->remote_subkey,
> &ticket->ticket.key,
> &armorkey,
>- explicit_armor ? NULL : &r->armor_crypto);
>+ r->explicit_armor_present ? NULL : &r->armor_crypto);
> if (ret)
> goto out;
>
>- if (explicit_armor) {
>+ if (r->explicit_armor_present) {
> ret = _krb5_fast_explicit_armor_key(r->context,
> &armorkey,
> tgs_ac->remote_subkey,
>@@ -869,7 +868,7 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
> if (ret)
> goto out;
>
>- ret = _kdc_check_pac(r->context, r->config, armor_client_principal, NULL,
>+ ret = _kdc_check_pac(r, armor_client_principal, NULL,
> armor_client, r->armor_server,
> r->armor_server, r->armor_server,
> &r->armor_key->key, &r->armor_key->key,
>@@ -887,6 +886,17 @@ _kdc_fast_check_armor_pac(astgs_request_t r)
> goto out;
> }
>
>+ if (r->explicit_armor_present) {
>+ r->explicit_armor_clientdb = armor_db;
>+ armor_db = NULL;
>+
>+ r->explicit_armor_client = armor_client;
>+ armor_client = NULL;
>+
>+ r->explicit_armor_pac = mspac;
>+ mspac = NULL;
>+ }
>+
> out:
> krb5_xfree(armor_client_principal_name);
> if (armor_client)
>diff --git a/third_party/heimdal/kdc/kdc-accessors.h b/third_party/heimdal/kdc/kdc-accessors.h
>index 81c03d2f2227..911b83d7576f 100644
>--- a/third_party/heimdal/kdc/kdc-accessors.h
>+++ b/third_party/heimdal/kdc/kdc-accessors.h
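Review bot: The new block in `_kdc_fast_check_armor_pac` that moves `armor_db`, `armor_client` and `mspac` into `r->explicit_armor_*` transfers ownership without saying who releases them; the `out:` label right below only frees the locals (`if (armor_client) ...`), so a reader has to go find the matching `_kdc_free_ent`/`krb5_pac_free` in `_kdc_tgs_rep` to see there is no leak. What makes a TGS-only release sufficient is that `explicit_armor_present` is only ever set together with `tgs_ac != NULL` in `fast_unwrap_request`, and that invariant deserves to be written down at the transfer site: `/* Ownership moves to the request; released in _kdc_tgs_rep (explicit armor implies a TGS-REQ). */`. On the earlier `goto out` paths the fields stay NULL and the locals are freed as before. `_kdc_fast_check_armor_pac` begins before this hunk.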
>@@ -346,4 +346,24 @@ ASTGS_REQUEST_GET_ACCESSOR(uint64_t, pac_attributes) > > ASTGS_REQUEST_SET_ACCESSOR(uint64_t, pac_attributes) > >+/* >+ * const HDB * >+ * kdc_request_get_explicit_armor_clientdb(astgs_request_t); >+ */ >+ >+ASTGS_REQUEST_GET_ACCESSOR_PTR(HDB *, explicit_armor_clientdb) >+ >+/* >+ * const hdb_entry * >+ * kdc_request_get_explicit_armor_client(astgs_request_t); >+ */ >+ASTGS_REQUEST_GET_ACCESSOR_PTR(hdb_entry *, explicit_armor_client); >+ >+/* >+ * krb5_const_pac >+ * kdc_request_get_explicit_armor_pac(astgs_request_t); >+ */ >+ >+ASTGS_REQUEST_GET_ACCESSOR_PTR(struct krb5_pac_data *, explicit_armor_pac); >+ > #endif /* HEIMDAL_KDC_KDC_ACCESSORS_H */ >diff --git a/third_party/heimdal/kdc/kdc-plugin.c b/third_party/heimdal/kdc/kdc-plugin.c >index 8759893a9560..925c250597a2 100644 >--- a/third_party/heimdal/kdc/kdc-plugin.c >+++ b/third_party/heimdal/kdc/kdc-plugin.c >@@ -72,7 +72,7 @@ krb5_kdc_plugin_init(krb5_context context) > } > > struct generate_uc { >- krb5_kdc_configuration *config; >+ astgs_request_t r; > hdb_entry *client; > hdb_entry *server; > const krb5_keyblock *reply_key; >@@ -90,8 +90,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx) > return KRB5_PLUGIN_NO_HANDLE; > > return ft->pac_generate((void *)plug, >- context, >- uc->config, >+ uc->r, > uc->client, > uc->server, > uc->reply_key, >@@ -101,8 +100,7 @@ generate(krb5_context context, const void *plug, void *plugctx, void *userctx) > > > krb5_error_code >-_kdc_pac_generate(krb5_context context, >- krb5_kdc_configuration *config, >+_kdc_pac_generate(astgs_request_t r, > hdb_entry *client, > hdb_entry *server, > const krb5_keyblock *reply_key, 
>@@ -114,20 +112,20 @@ _kdc_pac_generate(krb5_context context, > > *pac = NULL; > >- if (krb5_config_get_bool_default(context, NULL, FALSE, "realms", >+ if (krb5_config_get_bool_default(r->context, NULL, FALSE, "realms", > client->principal->realm, > "disable_pac", NULL)) > return 0; > > if (have_plugin) { >- uc.config = config; >+ uc.r = r; > uc.client = client; > uc.server = server; > uc.reply_key = reply_key; > uc.pac = pac; > uc.pac_attributes = pac_attributes; > >- ret = _krb5_plugin_run_f(context, &kdc_plugin_data, >+ ret = _krb5_plugin_run_f(r->context, &kdc_plugin_data, > 0, &uc, generate); > if (ret != KRB5_PLUGIN_NO_HANDLE) > return ret; >@@ -135,13 +133,13 @@ _kdc_pac_generate(krb5_context context, > } > > if (*pac == NULL) >- ret = krb5_pac_init(context, pac); >+ ret = krb5_pac_init(r->context, pac); > > return ret; > } > > struct verify_uc { >- krb5_kdc_configuration *config; >+ astgs_request_t r; > krb5_principal client_principal; > krb5_principal delegated_proxy_principal; > hdb_entry *client; >@@ -161,8 +159,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx) > return KRB5_PLUGIN_NO_HANDLE; > > ret = ft->pac_verify((void *)plug, >- context, >- uc->config, >+ uc->r, > uc->client_principal, > uc->delegated_proxy_principal, > uc->client, uc->server, uc->krbtgt, uc->pac); >@@ -170,8 +167,7 @@ verify(krb5_context context, const void *plug, void *plugctx, void *userctx) > } > > krb5_error_code >-_kdc_pac_verify(krb5_context context, >- krb5_kdc_configuration *config, >+_kdc_pac_verify(astgs_request_t r, > const krb5_principal client_principal, > const krb5_principal delegated_proxy_principal, > hdb_entry *client, >@@ -184,7 +180,7 @@ _kdc_pac_verify(krb5_context context, > if (!have_plugin) > return KRB5_PLUGIN_NO_HANDLE; > >- uc.config = config; >+ uc.r = r; > uc.client_principal = client_principal; > uc.delegated_proxy_principal = delegated_proxy_principal; > uc.client = client; 
>@@ -192,7 +188,7 @@ _kdc_pac_verify(krb5_context context, > uc.krbtgt = krbtgt; > uc.pac = pac; > >- return _krb5_plugin_run_f(context, &kdc_plugin_data, >+ return _krb5_plugin_run_f(r->context, &kdc_plugin_data, > 0, &uc, verify); > } > >diff --git a/third_party/heimdal/kdc/kdc-plugin.h b/third_party/heimdal/kdc/kdc-plugin.h >index efe8dd6abe0e..9fc5946df173 100644 >--- a/third_party/heimdal/kdc/kdc-plugin.h >+++ b/third_party/heimdal/kdc/kdc-plugin.h >@@ -48,8 +48,7 @@ > > typedef krb5_error_code > (KRB5_CALLCONV *krb5plugin_kdc_pac_generate)(void *, >- krb5_context, /* context */ >- krb5_kdc_configuration *, /* configuration */ >+ astgs_request_t, > hdb_entry *, /* client */ > hdb_entry *, /* server */ > const krb5_keyblock *, /* pk_replykey */ >@@ -64,8 +63,7 @@ typedef krb5_error_code > > typedef krb5_error_code > (KRB5_CALLCONV *krb5plugin_kdc_pac_verify)(void *, >- krb5_context, /* context */ >- krb5_kdc_configuration *, /* configuration */ >+ astgs_request_t, > const krb5_principal, /* new ticket client */ > const krb5_principal, /* delegation proxy */ > hdb_entry *,/* client */ >diff --git a/third_party/heimdal/kdc/kdc_locl.h b/third_party/heimdal/kdc/kdc_locl.h >index 8418a91a0a4b..767d04f5c8c9 100644 >--- a/third_party/heimdal/kdc/kdc_locl.h >+++ b/third_party/heimdal/kdc/kdc_locl.h >@@ -167,6 +167,7 @@ struct astgs_request_desc { > /* only valid for tgs-req */ > unsigned int rk_is_subkey : 1; > unsigned int fast_asserted : 1; >+ unsigned int explicit_armor_present : 1; > > krb5_crypto armor_crypto; > hdb_entry *armor_server; >@@ -174,6 +175,10 @@ struct astgs_request_desc { > krb5_ticket *armor_ticket; > Key *armor_key; > >+ hdb_entry *explicit_armor_client; >+ HDB *explicit_armor_clientdb; >+ krb5_pac explicit_armor_pac; >+ > KDCFastState fast; > }; > >diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c >index b30d321f6f14..e95bdad0a640 100644 >--- a/third_party/heimdal/kdc/kerberos5.c 
>+++ b/third_party/heimdal/kdc/kerberos5.c
>@@ -280,6 +280,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
> * enctype in its KDC-REQ-BODY's etype list, which is what
> * `etypes' is here.
> */
>+ enctype = p[i];
> ret = 0;
> break;
> }
>@@ -295,6 +296,7 @@ _kdc_find_etype(astgs_request_t r, uint32_t flags,
> */
> for (m = 0; m < princ->etypes->len; m++) {
> if (p[i] == princ->etypes->val[m]) {
>+ enctype = p[i];
> ret = 0;
> break;
> }
>@@ -1856,8 +1858,7 @@ generate_pac(astgs_request_t r, const Key *skey, const Key *tkey,
> * Validate a PA mech was actually used before doing this.
> */
>
>- ret = _kdc_pac_generate(r->context,
>- r->config,
>+ ret = _kdc_pac_generate(r,
> r->client,
> r->server,
> r->pa_used && !pa_used_flag_isset(r, PA_USES_LONG_TERM_KEY)
>@@ -2744,12 +2745,19 @@ _kdc_as_rep(astgs_request_t r)
>
> out:
> r->error_code = ret;
>- _kdc_audit_request(r);
>+ {
>+ krb5_error_code ret2 = _kdc_audit_request(r);
>+ if (ret2) {
>+ krb5_data_free(r->reply);
>+ ret = ret2;
>+ }
>+ }
>
> /*
> * In case of a non proxy error, build an error message.
> */
>- if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0)
>+ if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && r->reply->length == 0) {
>+ kdc_log(r->context, config, 5, "as-req: sending error: %d to client", ret);
> ret = _kdc_fast_mk_error(r,
> r->rep.padata,
> r->armor_crypto,
>@@ -2759,6 +2767,7 @@ out:
> r->server_princ,
> NULL, NULL,
> r->reply);
>+ }
>
> if (r->pa_used && r->pa_used->cleanup)
> r->pa_used->cleanup(r);
>diff --git a/third_party/heimdal/kdc/krb5tgs.c b/third_party/heimdal/kdc/krb5tgs.c
>index 39d42106e01e..06889f47120e 100644
>--- a/third_party/heimdal/kdc/krb5tgs.c
>+++ b/third_party/heimdal/kdc/krb5tgs.c
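Review bot: In the `_kdc_as_rep` `out:` hunk, `r->error_code = ret;` is assigned before `_kdc_audit_request()` runs, so when the hook's `ret2` replaces `ret` the request still carries the original error code while the function returns the audit's; if `_kdc_fast_mk_error` or the caller reads `r->error_code` (it is not passed explicitly in the visible call), the KRB-ERROR sent and the value returned would disagree. Keeping them in step is one line, `ret = r->error_code = ret2;`. For the `HDB_ERR_NOT_FOUND_HERE` that patch 3 makes the audit hook return this is harmless, since that code builds no error at all, but any other non-zero audit result would be misreported. The two `enctype = p[i];` additions in `_kdc_find_etype` fix a real missing assignment and would benefit from a why-comment, e.g. `/* record the match; the caller relies on enctype being set on success */`; that function starts outside the hunk.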
>@@ -76,8 +76,7 @@ _kdc_synthetic_princ_used_p(krb5_context context, krb5_ticket *ticket) > */ > > krb5_error_code >-_kdc_check_pac(krb5_context context, >- krb5_kdc_configuration *config, >+_kdc_check_pac(astgs_request_t r, > const krb5_principal client_principal, > const krb5_principal delegated_proxy_principal, > hdb_entry *client, >@@ -92,6 +91,8 @@ _kdc_check_pac(krb5_context context, > krb5_principal *pac_canon_name, > uint64_t *pac_attributes) > { >+ krb5_context context = r->context; >+ krb5_kdc_configuration *config = r->config; > krb5_pac pac = NULL; > krb5_error_code ret; > krb5_boolean signedticket; >@@ -139,7 +140,7 @@ _kdc_check_pac(krb5_context context, > } > > /* Verify the KDC signatures. */ >- ret = _kdc_pac_verify(context, config, >+ ret = _kdc_pac_verify(r, > client_principal, delegated_proxy_principal, > client, server, krbtgt, &pac); > if (ret == 0) { >@@ -1770,7 +1771,7 @@ server_lookup: > } > > /* Verify the PAC of the TGT. */ >- ret = _kdc_check_pac(context, config, user2user_princ, NULL, >+ ret = _kdc_check_pac(priv, user2user_princ, NULL, > user2user_client, user2user_krbtgt, user2user_krbtgt, user2user_krbtgt, > &uukey->key, &priv->ticket_key->key, &adtkt, > &user2user_kdc_issued, &user2user_pac, NULL, NULL); >@@ -1897,7 +1898,7 @@ server_lookup: > flags &= ~HDB_F_SYNTHETIC_OK; > priv->clientdb = clientdb; > >- ret = _kdc_check_pac(context, config, priv->client_princ, NULL, >+ ret = _kdc_check_pac(priv, priv->client_princ, NULL, > priv->client, priv->server, > priv->krbtgt, priv->krbtgt, > &priv->ticket_key->key, &priv->ticket_key->key, tgt, >@@ -2156,7 +2157,13 @@ _kdc_tgs_rep(astgs_request_t r) > > out: > r->error_code = ret; >- _kdc_audit_request(r); >+ { >+ krb5_error_code ret2 = _kdc_audit_request(r); >+ if (ret2) { >+ krb5_data_free(data); >+ ret = ret2; >+ } >+ } > > if(ret && ret != HDB_ERR_NOT_FOUND_HERE && data->data == NULL){ > METHOD_DATA error_method = { 0, NULL }; 
>@@ -2203,6 +2210,12 @@ out: > krb5_free_ticket(r->context, r->armor_ticket); > if (r->armor_server) > _kdc_free_ent(r->context, r->armor_serverdb, r->armor_server); >+ if (r->explicit_armor_client) >+ _kdc_free_ent(r->context, >+ r->explicit_armor_clientdb, >+ r->explicit_armor_client); >+ if (r->explicit_armor_pac) >+ krb5_pac_free(r->context, r->explicit_armor_pac); > krb5_free_keyblock_contents(r->context, &r->reply_key); > krb5_free_keyblock_contents(r->context, &r->strengthen_key); > >diff --git a/third_party/heimdal/kdc/libkdc-exports.def b/third_party/heimdal/kdc/libkdc-exports.def >index 3cc929e6025b..2c4564bcadcc 100644 >--- a/third_party/heimdal/kdc/libkdc-exports.def >+++ b/third_party/heimdal/kdc/libkdc-exports.def >@@ -33,6 +33,9 @@ EXPORTS > kdc_request_get_config > kdc_request_get_cname > kdc_request_get_error_code >+ kdc_request_get_explicit_armor_pac >+ kdc_request_get_explicit_armor_clientdb >+ kdc_request_get_explicit_armor_client > kdc_request_get_from > kdc_request_get_krbtgt > kdc_request_get_krbtgtdb >diff --git a/third_party/heimdal/kdc/mssfu.c b/third_party/heimdal/kdc/mssfu.c >index 9e67aad33193..fda5a37b1c6e 100644 >--- a/third_party/heimdal/kdc/mssfu.c >+++ b/third_party/heimdal/kdc/mssfu.c >@@ -252,8 +252,7 @@ validate_protocol_transition(astgs_request_t r) > if (ret) > goto out; /* kdc_check_flags() calls kdc_audit_addreason() */ > >- ret = _kdc_pac_generate(r->context, >- r->config, >+ ret = _kdc_pac_generate(r, > s4u_client, > r->server, > NULL, >@@ -473,7 +472,7 @@ validate_constrained_delegation(astgs_request_t r) > * TODO: pass in t->sname and t->realm and build > * a S4U_DELEGATION_INFO blob to the PAC. > */ >- ret = _kdc_check_pac(r->context, r->config, s4u_client_name, s4u_server_name, >+ ret = _kdc_check_pac(r, s4u_client_name, s4u_server_name, > s4u_client, r->server, r->krbtgt, r->client, > &clientkey->key, &r->ticket_key->key, &evidence_tkt, > &ad_kdc_issued, &s4u_pac, 
>diff --git a/third_party/heimdal/kdc/version-script.map b/third_party/heimdal/kdc/version-script.map >index 9067bb6e43f4..72a21e629506 100644 >--- a/third_party/heimdal/kdc/version-script.map >+++ b/third_party/heimdal/kdc/version-script.map >@@ -36,6 +36,9 @@ HEIMDAL_KDC_1.0 { > kdc_request_get_config; > kdc_request_get_cname; > kdc_request_get_error_code; >+ kdc_request_get_explicit_armor_pac; >+ kdc_request_get_explicit_armor_clientdb; >+ kdc_request_get_explicit_armor_client; > kdc_request_get_from; > kdc_request_get_krbtgt; > kdc_request_get_krbtgtdb; >diff --git a/third_party/heimdal/lib/asn1/krb5.asn1 b/third_party/heimdal/lib/asn1/krb5.asn1 >index 639ec5af2d25..d7ce6bd6333d 100644 >--- a/third_party/heimdal/lib/asn1/krb5.asn1 >+++ b/third_party/heimdal/lib/asn1/krb5.asn1 >@@ -55,8 +55,12 @@ EXPORTS > PA-ClientCanonicalizedNames, > PA-DATA, > PA-ENC-TS-ENC, >+ PA-KERB-KEY-LIST-REP, >+ PA-KERB-KEY-LIST-REQ, >+ PA-PAC-OPTIONS, > PA-PAC-REQUEST, > PA-S4U2Self, >+ PA-S4U-X509-USER, > PA-SERVER-REFERRAL-DATA, > PA-ServerReferralData, > PA-SvrReferralData, >@@ -80,6 +84,7 @@ EXPORTS > KDCFastState, > KDCFastCookie, > KDC-PROXY-MESSAGE, >+ KERB-AD-RESTRICTION-ENTRY, > KERB-TIMES, > KERB-CRED, > KERB-TGS-REQ-IN, >@@ -190,7 +195,10 @@ PADATA-TYPE ::= INTEGER { > KRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon > KRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u > KRB5-PADATA-REQ-ENC-PA-REP(149), -- >+ KER5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE >+ KER5-PADATA-KERB-PAKEY-LIST-REP(162), -- MS-KILE > KRB5-PADATA-SUPPORTED-ETYPES(165), -- MS-KILE >+ KRB5-PADATA-PAC-OPTIONS(167), -- MS-KILE > KRB5-PADATA-GSS(655) -- krb-wg-gss-preauth > > } 
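Review bot: The two new PADATA-TYPE names `KER5-PADATA-KERB-KEY-LIST-REQ(161)` and `KER5-PADATA-KERB-PAKEY-LIST-REP(162)` break the `KRB5-PADATA-` prefix every other entry uses, and `PAKEY` does not match the type they carry, `PA-KERB-KEY-LIST-REP`; the generated C constants will be invisible to anyone grepping for `KRB5_PADATA_`. Unless the names are already relied on upstream, they should read `KRB5-PADATA-KERB-KEY-LIST-REQ(161), -- MS-KILE` and `KRB5-PADATA-KERB-KEY-LIST-REP(162), -- MS-KILE`. The values themselves match MS-KILE 2.2.11/2.2.12.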
>@@ -217,7 +225,10 @@ AUTHDATA-TYPE ::= INTEGER {
> KRB5-AUTHDATA-SIGNTICKET-OLD(142),
> KRB5-AUTHDATA-SIGNTICKET(512),
> KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
>- KRB5-AUTHDATA-AP-OPTIONS(143),
>+ KRB5-AUTHDATA-KERB-LOCAL(141), -- MS-KILE
>+ KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE
>+ KRB5-AUTHDATA-AP-OPTIONS(143), -- MS-KILE
>+ KRB5-AUTHDATA-TARGET-PRINCIPAL(144), -- MS-KILE
> -- N.B. these assignments have not been confirmed yet.
> --
> -- DO NOT USE in production yet!
>@@ -592,6 +603,33 @@ PA-PAC-REQUEST ::= SEQUENCE {
> -- should be included or not
> }
>
>+-- MS-KILE/MS-SFU
>+PAC-OPTIONS-FLAGS ::= BIT STRING {
>+ claims(0),
>+ branch-aware(1),
>+ forward-to-full-dc(2),
>+ resource-based-constrained-delegation(3)
>+}
>+
>+-- MS-KILE
>+PA-PAC-OPTIONS ::= SEQUENCE {
>+ flags [0] PAC-OPTIONS-FLAGS
>+}
>+
>+-- MS-KILE
>+-- captures show that [UNIVERSAL 16] is required to parse it
>+KERB-AD-RESTRICTION-ENTRY ::= [UNIVERSAL 16] SEQUENCE {
>+ restriction-type [0] Krb5Int32,
>+ restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure
>+}
>+
>+-- MS-KILE Section 2.2.11
>+PA-KERB-KEY-LIST-REQ ::= SEQUENCE OF ENCTYPE
>+
>+-- MS-KILE Section 2.2.12
>+
>+PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,
>+
> -- PacketCable provisioning server location, PKT-SP-SEC-I09-030728.pdf
> PROV-SRV-LOCATION ::= GeneralString
>
>@@ -819,6 +857,20 @@ PA-S4U2Self ::= SEQUENCE {
> auth[3] GeneralString
> }
>
>+PA-S4U-X509-USER::= SEQUENCE {
>+ user-id[0] S4UUserID,
>+ checksum[1] Checksum
>+}
>+
>+S4UUserID ::= SEQUENCE {
>+ nonce [0] Krb5UInt32, -- the nonce in KDC-REQ-BODY
>+ cname [1] PrincipalName OPTIONAL, -- Certificate mapping hints
>+ crealm [2] Realm,
>+ subject-certificate [3] OCTET STRING OPTIONAL,
>+ options [4] BIT STRING OPTIONAL,
>+ ...
>+}
>+
> AD-LoginAlias ::= SEQUENCE { -- ad-type number TBD --
> login-alias [0] PrincipalName,
> checksum [1] Checksum
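Review bot: `KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142)` takes the same value as the existing `KRB5-AUTHDATA-SIGNTICKET-OLD(142)` three lines above it, so the generated enum now has two names for ad-type 142 and any code path that still recognises SIGNTICKET-OLD would treat a Windows-issued AD-TOKEN-RESTRICTIONS element as an old-style signed-ticket marker, and vice versa. I cannot see SIGNTICKET-OLD's remaining users from here; if it is fully retired in favour of 512, state that on the line, `KRB5-AUTHDATA-TOKEN-RESTRICTIONS(142), -- MS-KILE; same value as the retired SIGNTICKET-OLD`, otherwise the consumer needs to be audited before this lands. Separately, `PA-KERB-KEY-LIST-REP ::= SEQUENCE OF ENCTYPE -- EncryptionType,` carries a trailing comment that reads like a leftover, and the blank line between `-- MS-KILE Section 2.2.12` and that definition detaches the reference from the type it documents.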
>diff --git a/third_party/heimdal/lib/asn1/libasn1-exports.def b/third_party/heimdal/lib/asn1/libasn1-exports.def >index 15d3a37bebaf..a7cb720bda3d 100644 >--- a/third_party/heimdal/lib/asn1/libasn1-exports.def >+++ b/third_party/heimdal/lib/asn1/libasn1-exports.def >@@ -445,6 +445,7 @@ EXPORTS > copy_KDC_REQ > copy_KDC_REQ_BODY > copy_KDFAlgorithmId >+ copy_KERB_AD_RESTRICTION_ENTRY > copy_KERB_ARMOR_SERVICE_REPLY > copy_KERB_CRED > copy_KerberosString >@@ -517,12 +518,16 @@ EXPORTS > copy_PA_ENC_TS_ENC > copy_PA_FX_FAST_REPLY > copy_PA_FX_FAST_REQUEST >+ copy_PA_KERB_KEY_LIST_REP >+ copy_PA_KERB_KEY_LIST_REQ >+ copy_PA_PAC_OPTIONS > copy_PA_PAC_REQUEST > copy_PA_PK_AS_REP > copy_PA_PK_AS_REP_BTMM > copy_PA_PK_AS_REP_Win2k > copy_PA_PK_AS_REQ > copy_PA_PK_AS_REQ_Win2k >+ copy_PA_S4U_X509_USER > copy_PA_S4U2Self > copy_PA_SAM_CHALLENGE_2 > copy_PA_SAM_CHALLENGE_2_BODY >@@ -805,6 +810,7 @@ EXPORTS > decode_KDC_REQ > decode_KDC_REQ_BODY > decode_KDFAlgorithmId >+ decode_KERB_AD_RESTRICTION_ENTRY > decode_KERB_ARMOR_SERVICE_REPLY > decode_KERB_CRED > decode_KerberosString >@@ -877,12 +883,16 @@ EXPORTS > decode_PA_ENC_TS_ENC > decode_PA_FX_FAST_REPLY > decode_PA_FX_FAST_REQUEST >+ decode_PA_KERB_KEY_LIST_REP >+ decode_PA_KERB_KEY_LIST_REQ >+ decode_PA_PAC_OPTIONS > decode_PA_PAC_REQUEST > decode_PA_PK_AS_REP > decode_PA_PK_AS_REP_BTMM > decode_PA_PK_AS_REP_Win2k > decode_PA_PK_AS_REQ > decode_PA_PK_AS_REQ_Win2k >+ decode_PA_S4U_X509_USER > decode_PA_S4U2Self > decode_PA_SAM_CHALLENGE_2 > decode_PA_SAM_CHALLENGE_2_BODY >@@ -1311,6 +1321,7 @@ EXPORTS > encode_KDC_REQ > encode_KDC_REQ_BODY > encode_KDFAlgorithmId >+ encode_KERB_AD_RESTRICTION_ENTRY > encode_KERB_ARMOR_SERVICE_REPLY > encode_KERB_CRED > encode_KerberosString 
>@@ -1383,12 +1394,16 @@ EXPORTS > encode_PA_ENC_TS_ENC > encode_PA_FX_FAST_REPLY > encode_PA_FX_FAST_REQUEST >+ encode_PA_KERB_KEY_LIST_REP >+ encode_PA_KERB_KEY_LIST_REQ >+ encode_PA_PAC_OPTIONS > encode_PA_PAC_REQUEST > encode_PA_PK_AS_REP > encode_PA_PK_AS_REP_BTMM > encode_PA_PK_AS_REP_Win2k > encode_PA_PK_AS_REQ > encode_PA_PK_AS_REQ_Win2k >+ encode_PA_S4U_X509_USER > encode_PA_S4U2Self > encode_PA_SAM_CHALLENGE_2 > encode_PA_SAM_CHALLENGE_2_BODY >@@ -1672,6 +1687,7 @@ EXPORTS > free_KDC_REQ > free_KDC_REQ_BODY > free_KDFAlgorithmId >+ free_KERB_AD_RESTRICTION_ENTRY > free_KERB_ARMOR_SERVICE_REPLY > free_KERB_CRED > free_KerberosString >@@ -1744,12 +1760,16 @@ EXPORTS > free_PA_ENC_TS_ENC > free_PA_FX_FAST_REPLY > free_PA_FX_FAST_REQUEST >+ free_PA_KERB_KEY_LIST_REP >+ free_PA_KERB_KEY_LIST_REQ >+ free_PA_PAC_OPTIONS > free_PA_PAC_REQUEST > free_PA_PK_AS_REP > free_PA_PK_AS_REP_BTMM > free_PA_PK_AS_REP_Win2k > free_PA_PK_AS_REQ > free_PA_PK_AS_REQ_Win2k >+ free_PA_S4U_X509_USER > free_PA_S4U2Self > free_PA_SAM_CHALLENGE_2 > free_PA_SAM_CHALLENGE_2_BODY >@@ -2052,6 +2072,7 @@ EXPORTS > length_KDC_REQ > length_KDC_REQ_BODY > length_KDFAlgorithmId >+ length_KERB_AD_RESTRICTION_ENTRY > length_KERB_ARMOR_SERVICE_REPLY > length_KERB_CRED > length_KerberosString >@@ -2124,12 +2145,16 @@ EXPORTS > length_PA_ENC_TS_ENC > length_PA_FX_FAST_REPLY > length_PA_FX_FAST_REQUEST >+ length_PA_KERB_KEY_LIST_REP >+ length_PA_KERB_KEY_LIST_REQ >+ length_PA_PAC_OPTIONS > length_PA_PAC_REQUEST > length_PA_PK_AS_REP > length_PA_PK_AS_REP_BTMM > length_PA_PK_AS_REP_Win2k > length_PA_PK_AS_REQ > length_PA_PK_AS_REQ_Win2k >+ length_PA_S4U_X509_USER > length_PA_S4U2Self > length_PA_SAM_CHALLENGE_2 > length_PA_SAM_CHALLENGE_2_BODY >diff --git a/third_party/heimdal/lib/krb5/krb5.h b/third_party/heimdal/lib/krb5/krb5.h >index e78edcac9af5..e4a9e7ec882c 100644 >--- a/third_party/heimdal/lib/krb5/krb5.h >+++ b/third_party/heimdal/lib/krb5/krb5.h 
>@@ -275,6 +275,10 @@ typedef enum krb5_key_usage {
> KRB5_KU_PA_SERVER_REFERRAL = 26,
> /* Keyusage for the server referral in a TGS req */
> KRB5_KU_SAM_ENC_NONCE_SAD = 27,
>+ /* Defined in [MS-SFU] */
>+ KRB5_KU_PA_S4U_X509_USER_REQUEST = 26,
>+ /* Defined in [MS-SFU] */
>+ KRB5_KU_PA_S4U_X509_USER_REPLY = 27,
> /* Encryption of the SAM-NONCE-OR-SAD field */
> KRB5_KU_PA_PKINIT_KX = 44,
> /* Encryption type of the kdc session contribution in pk-init */
>diff --git a/third_party/heimdal/lib/krb5/pac.c b/third_party/heimdal/lib/krb5/pac.c
>index 2bdeae8ecd1d..a12c00d77328 100644
>--- a/third_party/heimdal/lib/krb5/pac.c
>+++ b/third_party/heimdal/lib/krb5/pac.c
>@@ -383,7 +383,7 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
> size_t len, offset, header_end, old_end;
> uint32_t i;
>
>- assert(data->length > 0 && data->data != NULL);
>+ assert(data->data != NULL);
>
> len = p->pac->numbuffers;
>
>diff --git a/third_party/heimdal/lib/krb5/principal.c b/third_party/heimdal/lib/krb5/principal.c
>index 6080e4623415..91743488d9fb 100644
>--- a/third_party/heimdal/lib/krb5/principal.c
>+++ b/third_party/heimdal/lib/krb5/principal.c
>@@ -789,6 +789,9 @@ krb5_make_principal(krb5_context context,
> krb5_error_code ret;
> krb5_realm r = NULL;
> va_list ap;
>+
>+ *principal = NULL;
>+
> if(realm == NULL) {
> ret = krb5_get_default_realm(context, &r);
> if(ret)
>@@ -943,7 +946,11 @@ krb5_copy_principal(krb5_context context,
> krb5_const_principal inprinc,
> krb5_principal *outprinc)
> {
>- krb5_principal p = malloc(sizeof(*p));
>+ krb5_principal p;
>+
>+ *outprinc = NULL;
>+
>+ p = malloc(sizeof(*p));
> if (p == NULL)
> return krb5_enomem(context);
> if(copy_Principal(inprinc, p)) {
>diff --git a/third_party/heimdal/tests/plugin/kdc_test_plugin.c b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
>index 4fcf311fddfe..ff33b5f7262c 100644
>--- a/third_party/heimdal/tests/plugin/kdc_test_plugin.c
>+++ b/third_party/heimdal/tests/plugin/kdc_test_plugin.c
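Review bot: `KRB5_KU_PA_S4U_X509_USER_REQUEST = 26` and `KRB5_KU_PA_S4U_X509_USER_REPLY = 27` duplicate the values of `KRB5_KU_PA_SERVER_REFERRAL` and `KRB5_KU_SAM_ENC_NONCE_SAD` directly above; that is what [MS-SFU] assigns, but nothing in the enum says the reuse is deliberate, and the new entries were inserted between `KRB5_KU_SAM_ENC_NONCE_SAD = 27,` and its comment `/* Encryption of the SAM-NONCE-OR-SAD field */`, which this enum places after the entry it describes (as the referral and pk-init comments show), so that comment now appears to document the S4U reply usage. Move the two new entries below that comment and mark the collision on the line, e.g. `KRB5_KU_PA_S4U_X509_USER_REQUEST = 26, /* [MS-SFU]; deliberately shares 26 with PA_SERVER_REFERRAL */`. In `krb5_pac_add_buffer` the relaxed `assert(data->data != NULL)` now admits zero-length PAC buffers; a one-line comment naming which buffer types are legitimately empty would keep the next reader from re-tightening it.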
>@@ -20,14 +20,14 @@ fini(void *ctx) > > static krb5_error_code KRB5_CALLCONV > pac_generate(void *ctx, >- krb5_context context, >- krb5_kdc_configuration *config, >+ astgs_request_t r, > hdb_entry *client, > hdb_entry *server, > const krb5_keyblock *pk_replykey, > uint64_t pac_attributes, > krb5_pac *pac) > { >+ krb5_context context = kdc_request_get_context((kdc_request_t)r); > krb5_error_code ret; > krb5_data data; > >@@ -55,8 +55,7 @@ pac_generate(void *ctx, > > static krb5_error_code KRB5_CALLCONV > pac_verify(void *ctx, >- krb5_context context, >- krb5_kdc_configuration *config, >+ astgs_request_t r, > const krb5_principal new_ticket_client, > const krb5_principal delegation_proxy, > hdb_entry * client, >@@ -64,6 +63,7 @@ pac_verify(void *ctx, > hdb_entry * krbtgt, > krb5_pac *pac) > { >+ krb5_context context = kdc_request_get_context((kdc_request_t)r); > krb5_error_code ret; > krb5_data data; > krb5_cksumtype cstype; >-- >2.25.1 > > >From 01d478a68221669094e74b3a9a8612d2e6ad7b0d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 24 Feb 2022 21:31:52 +0100 >Subject: [PATCH 2/3] s4:kdc: let pac functions in wdc-samba4.c take > astgs_request_t > >NOTE: This commit finally works again! > >This aligns us with the following Heimdal change: > > commit 11d8a053f50c88256b4d49c7e482c2eb8f6bde33 > Author: Stefan Metzmacher <metze@samba.org> > AuthorDate: Thu Feb 24 18:27:09 2022 +0100 > Commit: Luke Howard <lukeh@padl.com> > CommitDate: Thu Mar 3 09:58:48 2022 +1100 > > kdc-plugin: also pass astgs_request_t to the pac related functions > > This is more consistent and allows the pac hooks to be more flexible. > > Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865 
> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 27ee5ad713b760e8226537d79c529ace1efb07bf) >--- > source4/kdc/wdc-samba4.c | 10 ++++++---- > 1 file changed, 6 insertions(+), 4 deletions(-) > >diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c >index dfca27175a21..7f99233440e7 100644 >--- a/source4/kdc/wdc-samba4.c >+++ b/source4/kdc/wdc-samba4.c >@@ -36,14 +36,15 @@ > * > * For PKINIT we also get pk_reply_key and can add PAC_CREDENTIAL_INFO. > */ >-static krb5_error_code samba_wdc_get_pac(void *priv, krb5_context context, >- krb5_kdc_configuration *config, >+static krb5_error_code samba_wdc_get_pac(void *priv, >+ astgs_request_t r, > hdb_entry *client, > hdb_entry *server, > const krb5_keyblock *pk_reply_key, > uint64_t pac_attributes, > krb5_pac *pac) > { >+ krb5_context context = kdc_request_get_context((kdc_request_t)r); > TALLOC_CTX *mem_ctx; > DATA_BLOB *logon_blob = NULL; > DATA_BLOB *cred_ndr = NULL; >@@ -663,8 +664,7 @@ out: > > /* Resign (and reform, including possibly new groups) a PAC */ > >-static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, >- krb5_kdc_configuration *config, >+static krb5_error_code samba_wdc_reget_pac(void *priv, astgs_request_t r, > const krb5_principal client_principal, > const krb5_principal delegated_proxy_principal, > hdb_entry *client, >@@ -672,6 +672,8 @@ static krb5_error_code samba_wdc_reget_pac(void *priv, krb5_context context, > hdb_entry *krbtgt, > krb5_pac *pac) > { >+ krb5_context context = kdc_request_get_context((kdc_request_t)r); >+ krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r); > struct samba_kdc_entry *krbtgt_skdc_entry = > talloc_get_type_abort(krbtgt->context, > struct samba_kdc_entry); >-- >2.25.1 > > >From 9c31948acd517de4135694b5a41b10a7360ebca6 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org>
>Date: Mon, 21 Feb 2022 10:29:12 +0100
>Subject: [PATCH 3/3] s4:kdc: redirect pre-authentication failures to an RWDC
>
>The most important case is that we still have a previous
>password cached at the RODC and the inbound replication
>hasn't wiped the cache yet and we also haven't triggered
>a new replication yet.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14865
>
>Signed-off-by: Stefan Metzmacher <metze@samba.org>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 0f5d7ff1a9fd14fd412b09883d413d1d660fa7be)
>---
> selftest/knownfail | 1 -
> source4/dsdb/tests/python/rodc_rwdc.py | 3 +-
> source4/kdc/hdb-samba4.c | 93 +++++++------------------
> 3 files changed, 24 insertions(+), 73 deletions(-)
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index 2a5287cba2df..7e897dd026d5 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -377,7 +377,6 @@
> ^samba.tests.auth_log_pass_change.samba.tests.auth_log_pass_change.AuthLogPassChangeTests.test_rap_change_password\(ad_dc_ntvfs\)
> # We currently don't send referrals for LDAP modify of non-replicated attrs
> ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
>-^samba4.ldap.rodc_rwdc.python.*.__main__.RodcRwdcTests.test_change_password_reveal_on_demand_kerberos
> # NETLOGON is disabled in any non-DC environments
> ^samba.tests.netlogonsvc.python\(ad_member\)
> ^samba.tests.netlogonsvc.python\(simpleserver\)
>diff --git a/source4/dsdb/tests/python/rodc_rwdc.py b/source4/dsdb/tests/python/rodc_rwdc.py
>index 74e0773abc37..beea26e8e1ae 100644
>--- a/source4/dsdb/tests/python/rodc_rwdc.py
>+++ b/source4/dsdb/tests/python/rodc_rwdc.py
>@@ -1146,8 +1146,7 @@ class RodcRwdcTests(password_lockout_base.BasePasswordTestCase):
>
> creds2 = make_creds(username, password)
> self.try_ldap_logon(RWDC, creds2)
>- # We can forward WRONG_PASSWORD over NTLM.
>- # This SHOULD succeed.
>+ # The RODC forward WRONG_PASSWORD to the RWDC
> self.try_ldap_logon(RODC, creds2)
>
> def test_change_password_reveal_on_demand_ntlm(self):
>diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
>index 6e87345e2c31..3f573f297f89 100644
>--- a/source4/kdc/hdb-samba4.c
>+++ b/source4/kdc/hdb-samba4.c
>@@ -466,60 +466,6 @@ static void reset_bad_password_netlogon(TALLOC_CTX *mem_ctx, > irpc_handle, &req); > } > >-static void send_bad_password_netlogon(TALLOC_CTX *mem_ctx, >- struct samba_kdc_db_context *kdc_db_ctx, >- struct auth_usersupplied_info *user_info) >-{ >- struct dcerpc_binding_handle *irpc_handle; >- struct winbind_SamLogon req; >- struct netr_IdentityInfo *identity_info; >- struct netr_NetworkInfo *network_info; >- >- irpc_handle = irpc_binding_handle_by_name(mem_ctx, kdc_db_ctx->msg_ctx, >- "winbind_server", >- &ndr_table_winbind); >- if (irpc_handle == NULL) { >- DEBUG(0, ("Winbind forwarding for [%s]\\[%s] failed, " >- "no winbind_server running!\n", >- user_info->mapped.domain_name, user_info->mapped.account_name)); >- return; >- } >- >- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo); >- if (network_info == NULL) { >- DEBUG(0, ("Winbind forwarding failed: No memory\n")); >- return; >- } >- >- identity_info = &network_info->identity_info; >- req.in.logon_level = 2; >- req.in.logon.network = network_info; >- >- identity_info->domain_name.string = user_info->mapped.domain_name; >- identity_info->parameter_control = user_info->logon_parameters; /* TODO */ >- identity_info->logon_id = user_info->logon_id; >- identity_info->account_name.string = user_info->mapped.account_name; >- identity_info->workstation.string >- = talloc_asprintf(identity_info, "krb5-bad-pw on RODC from %s", >- tsocket_address_string(user_info->remote_host, >- identity_info)); >- if (identity_info->workstation.string == NULL) { >- DEBUG(0, ("Winbind forwarding failed: No memory allocating workstation string\n")); >- return; >- } >- >- req.in.validation_level = 3; >- >- /* >- * The memory in identity_info and user_info only needs to be >- * valid until the end of this function call, as it will be >- * pushed to NDR during this call >- */ >- >- dcerpc_winbind_SamLogon_r_send(mem_ctx, kdc_db_ctx->ev_ctx, >- irpc_handle, &req); >-} >- > static krb5_error_code 
hdb_samba4_audit(krb5_context context,
> HDB *db,
> hdb_entry *entry,
>@@ -527,24 +473,18 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
> {
> struct samba_kdc_db_context *kdc_db_ctx = talloc_get_type_abort(db->hdb_db,
> struct samba_kdc_db_context);
>-
> struct ldb_dn *domain_dn = ldb_get_default_basedn(kdc_db_ctx->samdb);
> uint64_t logon_id = generate_random_u64();
>-
> heim_object_t auth_details_obj = NULL;
> const char *auth_details = NULL;
>-
> char *etype_str = NULL;
>-
> heim_object_t hdb_auth_status_obj = NULL;
> int hdb_auth_status;
>-
> heim_object_t pa_type_obj = NULL;
> const char *pa_type = NULL;
>-
> struct auth_usersupplied_info ui;
>-
> size_t sa_socklen = 0;
>+ int final_ret = 0;
> 
> hdb_auth_status_obj = heim_audit_getkv((heim_svc_req_desc)r, KDC_REQUEST_KV_AUTH_EVENT);
> if (hdb_auth_status_obj == NULL) {
>@@ -645,6 +585,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
> const char *auth_description = NULL;
> NTSTATUS status;
> int ret;
>+ bool rwdc_fallback = false;
> 
> ret = tsocket_address_bsd_from_sockaddr(frame, r->addr,
> sa_socklen,
>@@ -677,34 +618,44 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
> } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
> authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
> status = NT_STATUS_WRONG_PASSWORD;
>- /*
>- * TODO We currently send a bad password via NETLOGON,
>- * however, it should probably forward the ticket to
>- * another KDC to allow login after password changes.
>- */
>- if (kdc_db_ctx->rodc) {
>- send_bad_password_netlogon(frame, kdc_db_ctx, &ui);
>- }
>+ rwdc_fallback = kdc_db_ctx->rodc;
> } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
> status = NT_STATUS_ACCOUNT_LOCKED_OUT;
>+ rwdc_fallback = kdc_db_ctx->rodc;
> } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_NAME_UNAUTHORIZED) {
> if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
> status = NT_STATUS_PKINIT_NAME_MISMATCH;
> } else {
> status = NT_STATUS_ACCOUNT_RESTRICTION;
> }
>+ rwdc_fallback = kdc_db_ctx->rodc;
> } else if (hdb_auth_status == KDC_AUTH_EVENT_PREAUTH_FAILED) {
> if (pa_type != NULL && strncmp(pa_type, "PK-INIT", strlen("PK-INIT")) == 0) {
> status = NT_STATUS_PKINIT_FAILURE;
> } else {
> status = NT_STATUS_GENERIC_COMMAND_FAILED;
> }
>+ rwdc_fallback = kdc_db_ctx->rodc;
> } else {
> DBG_ERR("Unhandled hdb_auth_status=%d => INTERNAL_ERROR\n",
> hdb_auth_status);
> status = NT_STATUS_INTERNAL_ERROR;
> }
> 
>+ if (rwdc_fallback) {
>+ /*
>+ * Forward the request to an RWDC in order
>+ * to give an authoritative answer to the client.
>+ */
>+ auth_description = talloc_asprintf(frame,
>+ "%s,Forward-To-RWDC",
>+ ui.auth_description);
>+ if (auth_description != NULL) {
>+ ui.auth_description = auth_description;
>+ }
>+ final_ret = HDB_ERR_NOT_FOUND_HERE;
>+ }
>+
> log_authentication_event(kdc_db_ctx->msg_ctx,
> kdc_db_ctx->lp_ctx,
> &r->tv_start,
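Review bot: In the new `if (rwdc_fallback)` block a failed `talloc_asprintf` is tolerated silently, so the audit event is then written without the `Forward-To-RWDC` marker while the function still returns `HDB_ERR_NOT_FOUND_HERE` — the log would read as if the RODC answered authoritatively when it actually deferred to the RWDC. Since this marker is forensic context rather than a security decision, a one-line warning keeps the best-effort behaviour but makes the gap visible: `if (auth_description == NULL) { DBG_WARNING("Forward-To-RWDC audit marker dropped (no memory)\n"); }`. The `rwdc_fallback = kdc_db_ctx->rodc;` line in the WRONG_LONG_TERM_KEY branch also deserves a comment stating that `authsam_update_bad_pwd_count()` has already been applied to the RODC's local copy before the request is forwarded and that the RWDC then makes its own, authoritative bad-password/lockout decision — presumably intended, but the ordering is not obvious to a reader. Returning `HDB_ERR_NOT_FOUND_HERE` from the audit hook only has an effect if the KDC propagates the hook's result; that appears to be what the Heimdal import in patch 1/3 provides, but it is worth confirming for the TGS path as well as the AS path, since the hook is shared. hdb_samba4_audit begins and ends outside this hunk.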
>@@ -736,6 +687,8 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
> 
> ui.auth_description = pa_type;
> 
>+ /* Note this is not forwarded to an RWDC */
>+
> log_authentication_event(kdc_db_ctx->msg_ctx,
> kdc_db_ctx->lp_ctx,
> &r->tv_start,
>@@ -750,7 +703,7 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
> 
> free(etype_str);
> 
>- return 0;
>+ return final_ret;
> }
> 
> /* This interface is to be called by the KDC and libnet_keytab_dump,
>-- 
>2.25.1
> 
Flags:
metze
:
review?
(
abartlet
)
jsutton
:
review+