The Samba-Bugzilla – Attachment 18107 Details for Bug 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use
Patch for v4-17-test
bug15477-v4-17.txt (text/plain), 2.50 KB, created by Stefan Metzmacher on 2023-09-19 21:38:22 UTC
>From 81c72a29801acf97d9e791155f05055909b45b59 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Mon, 4 Sep 2023 13:20:34 +1200 >Subject: [PATCH] s4:kdc: Add correct Asserted Identity SID in response to an > S4U2Self request >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >I'm not sure exactly how this check was supposed to work. But in any >case, within fast_unwrap_request() the Heimdal KDC replaces the outer >padata with the padata from the inner FAST request. Hence, this check >does not accomplish anything useful: at no point should the KDC plugin >see the outer padata. > >A couple of unwanted consequences resulted from this check. One was that >a client who sent empty FX-FAST padata within the inner FAST request >would receive the *Authentication Authority* Asserted Identity SID >instead of the *Service* Asserted Identity SID. Another consequence was >that a client could in the same manner bypass the restriction on >performing S4U2Self with an RODC-issued TGT. > >Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the >Heimdal plugin API gives us nothing better to work with. > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477 >--- > source4/kdc/wdc-samba4.c | 22 ---------------------- > 1 file changed, 22 deletions(-) > >diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c >index 06025ccb0d22..a1a3fea36ac9 100644 >--- a/source4/kdc/wdc-samba4.c >+++ b/source4/kdc/wdc-samba4.c >@@ -32,7 +32,6 @@ > > static bool samba_wdc_is_s4u2self_req(astgs_request_t r) > { >- krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r); > const KDC_REQ *req = kdc_request_get_req(r); > const PA_DATA *pa_for_user = NULL; 
> >@@ -40,27 +39,6 @@ static bool samba_wdc_is_s4u2self_req(astgs_request_t r) > return false; > } > >- if (config->enable_fast && req->padata != NULL) { >- const PA_DATA *pa_fx_fast = NULL; >- int idx = 0; >- >- pa_fx_fast = krb5_find_padata(req->padata->val, >- req->padata->len, >- KRB5_PADATA_FX_FAST, >- &idx); >- if (pa_fx_fast != NULL) { >- /* >- * We're in the outer request >- * with KRB5_PADATA_FX_FAST >- * if fast is enabled we'll >- * process the s4u2self >- * request only in the >- * inner request. >- */ >- return false; >- } >- } >- > if (req->padata != NULL) { > int idx = 0; > >-- >2.34.1 >
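Review bot: In the first hunk (@@ -32,7 +32,6 @@), dropping the `config` local is required rather than cosmetic: its only use, `config->enable_fast`, is deleted in the following hunk, and an otherwise-unused local would trip -Wunused-variable in a -Werror build. Nothing else to raise here.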
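Review bot: In the second hunk (@@ -40,27 +39,6 @@), the function's S4U2Self decision now rests entirely on the PA-FOR-USER lookup that follows the deleted block, together with the premise from the commit message that fast_unwrap_request() has already replaced the outer padata with the inner FAST padata before the plugin runs; with the old comment gone, that reliance is no longer recorded anywhere in the code. Suggest a short comment above the surviving `if (req->padata != NULL) {` stating that req->padata here is the unwrapped inner request's padata, so the presence of an FX-FAST element is not a signal that the plugin is looking at the outer request, which is exactly why an empty FX-FAST element inside the inner request could steer the old code to `return false`. The diffstat also shows only source4/kdc/wdc-samba4.c changing; since the message describes a client-controllable wrong Asserted Identity SID and a bypass of the RODC-issued-TGT restriction, a test that sends empty FX-FAST padata inside the inner request should travel with this backport if the cherry-picked tree carries one.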
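Added example (not Samba or Heimdal code): a C model of the padata scan the commit message describes, with the pre-patch predicate beside the post-patch one, so the bypass is visible on a constructed request. The PA_DATA, PA_DATA_LIST and KDC_REQ structs, find_padata() and the three sample requests are simplified stand-ins built here; the padata type numbers 129 (PA-FOR-USER) and 136 (PA-FX-FAST) are the registered Kerberos values.

```c
/* Model of samba_wdc_is_s4u2self_req() before and after the fix.
 * Types and helpers below are simplified stand-ins for Heimdal's ASN.1
 * structures and krb5_find_padata(), not the real definitions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define KRB5_PADATA_FOR_USER 129 /* PA-FOR-USER: carries the S4U2Self target */
#define KRB5_PADATA_FX_FAST  136 /* PA-FX-FAST: the FAST armor envelope */

typedef struct {
    int padata_type;
    size_t value_len; /* length of padata-value; 0 models an empty element */
} PA_DATA;

typedef struct {
    const PA_DATA *val;
    size_t len;
} PA_DATA_LIST;

typedef struct {
    const PA_DATA_LIST *padata; /* NULL when the request carries no padata */
} KDC_REQ;

/* Linear scan for the first padata element of the given type. */
static const PA_DATA *find_padata(const PA_DATA_LIST *list, int type)
{
    if (list == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < list->len; i++) {
        if (list->val[i].padata_type == type) {
            return &list->val[i];
        }
    }
    return NULL;
}

/* Pre-patch logic: treat any FX-FAST element as "this is the outer request"
 * and bail out. The plugin only ever sees the inner (unwrapped) padata, so
 * the element it finds here is one the client chose to put inside FAST. */
bool is_s4u2self_req_old(const KDC_REQ *req, bool enable_fast)
{
    if (enable_fast && find_padata(req->padata, KRB5_PADATA_FX_FAST) != NULL) {
        return false; /* client-controlled escape from S4U2Self handling */
    }
    return find_padata(req->padata, KRB5_PADATA_FOR_USER) != NULL;
}

/* Post-patch logic: S4U2Self detection keys on PA-FOR-USER alone. */
bool is_s4u2self_req_new(const KDC_REQ *req)
{
    return find_padata(req->padata, KRB5_PADATA_FOR_USER) != NULL;
}

/* Constructed inner-request padata of the kind the commit message describes:
 * a real PA-FOR-USER plus an empty FX-FAST element smuggled alongside it. */
static const PA_DATA evasive_padata[] = {
    { KRB5_PADATA_FOR_USER, 42 },
    { KRB5_PADATA_FX_FAST, 0 },
};
static const PA_DATA_LIST evasive_list = { evasive_padata, 2 };
const KDC_REQ evasive_req = { &evasive_list };

/* Constructed ordinary S4U2Self inner request, no FX-FAST element. */
static const PA_DATA plain_padata[] = { { KRB5_PADATA_FOR_USER, 42 } };
static const PA_DATA_LIST plain_list = { plain_padata, 1 };
const KDC_REQ plain_req = { &plain_list };

/* Constructed request with no padata at all, e.g. a plain TGS-REQ. */
const KDC_REQ empty_req = { NULL };

int main(void)
{
    /* With FAST enabled the old code misses the evasive request, so the
     * caller would not apply S4U2Self handling (wrong Asserted Identity
     * SID, RODC-issued TGT restriction not enforced). */
    printf("evasive request: old=%d new=%d\n",
           is_s4u2self_req_old(&evasive_req, true),
           is_s4u2self_req_new(&evasive_req));
    printf("plain request:   old=%d new=%d\n",
           is_s4u2self_req_old(&plain_req, true),
           is_s4u2self_req_new(&plain_req));
    printf("empty request:   old=%d new=%d\n",
           is_s4u2self_req_old(&empty_req, true),
           is_s4u2self_req_new(&empty_req));
    return 0;
}
```

The interesting row is the evasive request: the old predicate returns false only because FAST is enabled and the attacker-supplied inner padata contains an FX-FAST element, while the fixed predicate ignores that element and classifies the request by PA-FOR-USER alone.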
Flags:
metze: review? (abartlet)
jsutton: review+