From 81c72a29801acf97d9e791155f05055909b45b59 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Mon, 4 Sep 2023 13:20:34 +1200
Subject: [PATCH] s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I’m not sure exactly how this check was supposed to work. But in any case, within fast_unwrap_request() the Heimdal KDC replaces the outer padata with the padata from the inner FAST request. Hence, this check does not accomplish anything useful: at no point should the KDC plugin see the outer padata.

A couple of unwanted consequences resulted from this check. One was that a client who sent empty FX‐FAST padata within the inner FAST request would receive the *Authentication Authority* Asserted Identity SID instead of the *Service* Asserted Identity SID. Another consequence was that a client could in the same manner bypass the restriction on performing S4U2Self with an RODC‐issued TGT.

Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the Heimdal plugin API gives us nothing better to work with.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
(cherry picked from commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477
---
 source4/kdc/wdc-samba4.c | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 06025ccb0d22..a1a3fea36ac9 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -32,7 +32,6 @@ static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
 {
- krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r);
 const KDC_REQ *req = kdc_request_get_req(r);
 const PA_DATA *pa_for_user = NULL;
@@ -40,27 +39,6 @@ static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
 return false;
 }
- if (config->enable_fast && req->padata != NULL) {
- const PA_DATA *pa_fx_fast = NULL;
- int idx = 0;
-
- pa_fx_fast = krb5_find_padata(req->padata->val,
- req->padata->len,
- KRB5_PADATA_FX_FAST,
- &idx);
- if (pa_fx_fast != NULL) {
- /*
- * We're in the outer request
- * with KRB5_PADATA_FX_FAST
- * if fast is enabled we'll
- * process the s4u2self
- * request only in the
- * inner request.
- */
- return false;
- }
- }
-
 if (req->padata != NULL) {
 int idx = 0;
-- 
2.34.1
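Review bot: The reason no FX-FAST handling is needed here now lives only in the commit message, and the surviving `if (req->padata != NULL)` check at the end of this hunk will look incomplete to a reader who knows the request may arrive FAST-armored, so a short comment should carry it, e.g. `/* fast_unwrap_request() has already replaced the outer padata with the inner FAST request's padata, so only the unwrapped padata reaches this plugin. */`. The function's header comment could likewise state that it assumes Heimdal has unwrapped the request, since the commit message itself calls this routine a hack that depends on that invariant. Because the removed early return let a client obtain the Authentication Authority Asserted Identity SID and evade the RODC-issued-TGT restriction, a test that sends FX-FAST padata inside the inner request and expects the Service Asserted Identity SID would pin the fix; whether one exists outside this patch is not visible here. The body of samba_wdc_is_s4u2self_req continues past the end of the hunk.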